Backdooring Windows Media Files
I am planning to keep this post short and sweet. So, here is the deal. Meta Files are dangerous. Today I am going to cover some of my security findings that concern files with extensions .wax, .wvx, .asx and .wmx.
Before we continue with the fun stuff, you must understand the purpose of the file formats listed above. First of all, they are meta files just like Apple’s QTL. Second, they are standard for the Windows operating system and supported by default. Finally, the meta files are often used to stack together various media content into playlists.
if you start researching the Media Player meta files (this is a good resource to start), you will see that they all have the same structure, which is XML. The XML document (starting with root node <ASX>) provides the basic characteristics of how the media streams need to be played, what sequence they follow and how the user can interact with them. Digging deeper into the XML, I found several tags which can be abused for malicious purposes. I am going to cover only one of them since the post has to be short as I said earlier. So, here is the tag:
<param name="HTMLView" value="[url here]"/>From the documentation, the HTMLView value specifies:
a URL that displays in the Now Playing pane of the full mode Player for the duration of the playlist or the current entry depending on whether the parent element is the ASX element or an ENTRY element. HTMLView is not supported for the Windows Media Player control.
In simple words, HTMLView will display a page of our choice within the standalone Windows Media Player. I repeat, the page will be opened within the Media Player surroundings, not a standalone browser. This in particular is very interesting behavior, which I experimented with for a bit. I found that a fully patched windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in less restrictive Internet Explorer environment even if your default browser is Firefox, Opera or anything else you have in place. Let me translate this for you. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be.
Like always, I prepared some POCs you can try running, which are there just to demonstrate the issue without harming your system too much. Those of your who have Media Player 11 are sort of protected. Upon execution you will see a confirmation box. This is a good news for Vista users. However, given the fact that Media Player is not the most popular choice of the masses and Vista is still not widely adopted, attackers are in very good position to abuse the technology for their own good.
comments
I believe there’s options within almost every version of Windows Media Player to at least ask for confirmation when attempting to load web content. The first thing I do when installing any media application is to set the privacy and security settings to deny access to the player ID and any script commands. I did allow it to connect for your demonstration, which was pretty cool.
Another thing I noticed is that you could probably do this without most users really understanding what is taking place, because upon viewing the proof of concept I was able to navigate back to the other blogs on your site within Windows Media Player, and then clicked the link to my own website. My own website has MP3s embedded within it, and upon viewing the page the MP3 immediately transferred itself to Windows Media Player’s “Now Playing” list. So essentially this could be more even more dangerous if you were to place an embedded media file such as a blank WAV or MP3 to immediately mask any suspicious activity.
I’ve been playing around with it for a few moments, and I see that certain scripting elements are disabled within Windows Media Player. A regular alert box will not execute when the content loads, but so far I see it supports other statements and properties such as location.href, window.open, and document.write. You’re doing awesome work, PDP. Keep it up.
Awesome AnDrEw, the docs mention that both alert and confirm are disabled. I’ve tried to access the external object but with no luck. For the actual testing, I use a inbrowser JavaScript console. Hmmmm, let me create one POC for you guys to mess around. I will be back in a sec.
I tried in WMP10 and I still get a confirmation dialog, so seems WMP10 is about as secure as WMP11 in that respect.
However, I agree with you on the dangers of meta files. Generally it is a good idea to avoid them.
Nice work as always pdp. I’ve tested PoC on Windows Media Player 10 and 11. On both versions confirmation dialog pops-up. I suppose that only WMP9 (default on XP) is affected.
Hi pdp, i’ve played a bit on these topics some months ago and I already noticed the wmp behaviour you depicted in the post. After some tests I gave up as in order to run javascript you need to play files in HTMLView mode, so no “hidden attack” can be performed (afaik)
I turned to investigate on possible exploitation of wmp in embedded html page. In this scenario, many DOM objects often used in scripts (document, parent, so on) are accessible from a JS script running from the the movie environment.
As reported in the official documentation, it is possible to edit wmp files in order to embed scripts and marker. Scripts can be of 2 types: URL (allow to launch URL in the browser window embedding the wmp) and TEXT. Text scripts are generally used for caption purposes but…if you use javascript syntax…it will be executed in the
embedding window. The only limit to this is that you must define in the tag the HTML node (a DIV for example) where the TEXT script shoud be showed.
I’ve tried to embed a wmp in sites that allow video uploading (spaces.live.com, myspace.com) but the embed code always is sanitized so I had no succes in exploiting this functionality.
I’ve been reading your RSS feed for the past week or two, and let me tell you, you’ve scared me shitless! Keep up the good work ;)
Another excellent post about meta files danger.
good job man, this is pretty crazy
This example illustrates the lack of good security within MS products.
Althoug i think this wil be patched soon, simply change the default behaviour of WMP.
If your default player for WMP files isn’t WMP (like VLC) your not vulnerable.
Guys, no one ever thought that windows itself and microsoft as a company are free from bugs and security holes… In general, microsoft is sucks by itself, no less no more. Everybosy, let us say: “Bill, we do not want your sloppy company anymore!”
There are lot of other applications which use IE as default rendering engine and can used to exploit IE’s bugs. But via different vectors.
Examples:
http://seclists.org/bugtraq/2005/Jul/0427.html
http://www.securitylab.ru/contest/212127.php (Russian)
http://www.securityfocus.com/bid/17913/references
No problem: try lite version WinXP SP2 Vista edition (175 Mb.) _WITHOUT WINDOWS MEDIA PLAYER_
:))
I read and code your exploit but I’m missing something: the jscript you launch in wmp works well in an html file opened directly with ie. I mean: no need to use this wmp trick.
The advantage of your exploit is that you use the less restrictive security rules of wmp than ie for executing jscript. Correct?
May you put an example with such a jscript?
thx
Hello, everyone just want to say thanx for this info really appreciate the insight! I’m honestly fed up with MS(I call em MicroSh1t)! i’m just about ready to switch over to linux! u know ubuntu, just as soon as i can figure out how to get my internet connection up and running with it! just need a little help with the drivers i need and how to install them on ubuntu’s linux os! i am using a Motorola SURFboard SB5120 USB Cable Modem and my isp is cox high speed internet! any help any1 could give me is much appreciated.
as i’m kinda new to the linux os!