Re: security notice: Backdooring Windows Media Files

To: "Memisyazici, Aras" <arasm@xxxxxx>
Subject: Re: security notice: Backdooring Windows Media Files
From: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
Date: Tue, 18 Sep 2007 20:00:29 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=m7Np9kAHRJEVFbjqHiJLvThsIKSuwRfY5TyIEFyky6Y=; b=FV9z2B8DkCPxw5ZZpQ1njZs7IMPQuHQWEzyDIcL7aWAKM2LgfW2yOcGLZ1shWMFyL7Qf1P/uAWLzNMLKL4YqjPhyAFFuPxzgbsoMED19Jx6nta7sWgyujPEAT1QHGqDfsvjvURJMZep6Nj6s8zsI2/iz9zTFBDzKyJfyiUF2wsE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=joqNFOJi4yTRLtLvc4Qyc+aw49zB6Eox63siQuA/G2aNrE7n652zngTfFJPLGDlLjTxPyq2sM1VJ12yli859UOW5HQDJB7fWVteDXSSLErUlaUsi1auYBVjrKeWltJaF9lDAKmEfVaePvWY6XASWIjHYr3Rh0SUySgaYu7gT5Ks=
In-reply-to: <B4F529047A581D48A7D52F9C451CE4A9031F7F9A@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570709180857q35d77119vbf6c9d432de74376@xxxxxxxxxxxxxx> <B4F529047A581D48A7D52F9C451CE4A9031F7F9A@xxxxxxxxxxxxxxxxxxx>

yes, of course :) but u are running Windows Media Player 11 which is
not the default one for Windows XP SP2. Moreover, this Media Player
edition is not slipped through any software update either. Therefore,
if you are not a Media Player fan, you will never get this version on
a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes
I am vulnerable.

On 9/18/07, Memisyazici, Aras <arasm@xxxxxx> wrote:
> Hi pdp!
>
> Great admirer of your work :) I just wanted to inform you that I have
> tested your claim, on a fully patched/updated Win XP SP2 system with an
> admin account logged in, and was warned sufficiently(asked whether I
> wanted to play asx files, then asked if I was sure by Media Player, then
> pop-up was blocked by IE), while the page you tried to produce was
> blocked via IE's pop-up blocker.
>
> You can see/confirm this by viewing these screenshots:
>
> http://preview.tinyurl.com/34xpcz
> (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png )
>
> and
>
> http://preview.tinyurl.com/34jx5v
> (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png )
>
> This was tested on a plain/manila/vanilla version of XP SP2. All I did
> was update/upgrade to latest available from M$ Update.
>
> Sincerely,
> Aras Memisyazici
> IT/Security/Dev. Specialist
>
> Outreach Information Services
> Virginia Tech
>
> -----Original Message-----
> From: pdp (architect) [mailto:pdp.gnucitizen@xxxxxxxxxxxxxx]
> Sent: Tuesday, September 18, 2007 11:58 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: security notice: Backdooring Windows Media Files
>
> http://www.gnucitizen.org/blog/backdooring-windows-media-files
>
> It is very easy to put some HTML inside files supported by Window
> Media Player. The interesting thing is that these HTML pages run in
> less restrictive IE environment. I found that a fully patched windows
> XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open
> any page of your choice in IE even if your default browser is Firefox,
> Opera or anything else you have in place. It means that even if you
> are running Firefox and you think that you are secure, by simply
> opening a media file, you expose yourself to all IE vulnerabilities
> there might be. Plus, attackers can perform very very interesting
> phishing attacks. I prepared a simple POC which spawns a browser
> window in full screen mode... Think about how easy it is going to be
> to fake the windows logout - login sequence and phish unaware users'
> credentials
>
> http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02
> .asx
>
> On the other hand Media Player 11 (Vista by default) is not exposed to
> these attacks.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

Follow-Ups:
- RE: security notice: Backdooring Windows Media Files
  - From: Memisyazici, Aras

References:
- security notice: Backdooring Windows Media Files
  - From: pdp (architect)
- RE: security notice: Backdooring Windows Media Files
  - From: Memisyazici, Aras

Prev by Date: RE: security notice: Backdooring Windows Media Files
Next by Date: Uninformed Journal Release Announcement: Volume 8
Previous by thread: RE: security notice: Backdooring Windows Media Files
Next by thread: RE: security notice: Backdooring Windows Media Files
Index(es):
- Date
- Thread