Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4501
HistoryMay 09, 2003 - 12:00 a.m.

why i love xs4all + mediaplayer thingie

2003-05-0900:00:00
vulners.com
28
JSON

Why i love xs4all rant (you'll probably wanna skip this but i need to get
this out of my system):

a few weeks back i was unpleasantly suprised by the fact that my

internet wasn't working
the support desk employee after making me reset my modem a dozen times
and tripple checking
my settings finaly found out that i had an abuse ticket.
I supposedly portscanned (a harmless process) :S some poor guy who felt
the need to complain about it. They wouldn't tell me who
it was when it happened or anything. being the second warning (over a 2
year!! period) they descided they
had no other alternative then to shut me down. I am not aware of
anything i have done wrong, but i am not
given any option to defend myself against the allergations, I dont just
randomly portscan people.

In essense you are conficted without even hearing the evidence or being

apointed a lawyer.
This is a really scary thought because in essence any of the following
situations will lead to cancelation of
your account

You activly seek out flaws in a website, you report them to a website

owner, he doesn't like this and rather than
fix the problem notifies your ISP xs4all to complain about it. resulting
in cancelation of your account.
You wont even know who complained because and explain the whole thing
because xs4all grants the complaining
party anonimity

You get hacked and someone uses your machine to do something nasty

An online chatbuddy asks you to nmap his machine to see if the firewall

he set up is working properly
after a while the friendship goes sour and just to piss you off he
reports the scanning.

someone sends you an email containing all sorts of
<img src="http://www.mysite.com/login.asp?username=a'or 1=1;--">
kinda stuff, look xs4all!! he hacked my site , just look at my logs and

xs4all's connection logs
will show the connections where made from your ip matching the
timestamps in the log

probably a dozen other ways are possible, and there's no way to find out

what has been going on
this shielding of the sources is ridiculous, what will i do tell the
world i nmapped him?
well whoopdiedoo call out the witness protection program

Particularly cute is the other day i see an interview with cor bosman

telling how xs4all
founders where titled the hacker thread from holland etc
I have a 4 letter acronym for him, you figure it out

Description :

Windows Media Player allows you to play audio and video files
locally stored and streamed from the Internet.
It includes a visualizer, a jukebox, a media guide,
an Internet radio tuner, and support for
countless media formats and various external devices.
There is is a flaw in Windows media player 7 and 8 that allows
execution of arbitrary code
Vulnerable versions are shipped by default with
all recent windows distributions including 98 and 2000 and xp

Details :

Windows media player skin (.WMZ) files are automaticly opened by

internet explorer
As a security precaution they are placed in a folder with a random name
similar to this :

C:\Program Files\Windows Media Player\Skins\004B1813

However this can be trivially defeated by setting the following http

headers.

Content-Disposition: filename=%2e%2e%5cjelmer.wmz
Content-Type: application/download

<content follows>

%2e%2e%5cjelmer.wmz is the url encoded path ..\jelmer.wmz , windows

media player urldecodes this and the
path becomes :

C:\Program Files\Windows Media Player\Skins\004B1813\..\jelmer.wmz

witch is equivilent to

C:\Program Files\Windows Media Player\Skins\jelmer.wmz

witch is a known location on the filesystem, witch is a "very bad thing"

(tm)
to make matters worse we could append an urlencoded null byte to the
file name and "spoof" the extention
like this

"%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20User
s%5CStart%20Menu%5CPrograms%5CStartup%5csomefile.exe%00.wmz

witch drops an executable in the windows startup folder (on an english

xp system)

Systems affected :

Both media player 7.1 and 8 are affected by the flaw, 9 proofed

unaffected

Example :

I should have attached a sample exploit

Vendor status :

Microsoft was notified 23-03-2003 and has issued a fix the details are

available at

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-017.asp
Credit was shared because apperently Jouko reported the same issue at
aproximatly the same time

Solution :

Update to the latest version of media player
JSON