Backdooring Windows Media Files (once again...)

aka... "Attacking Intranets from outside using Windows Media Player"

Almost two years after the homonymous PDP post, Windows Media Player bugs have awakened. And this time they are crawling into Intranets and among your local media files.

Since the attached whitepaper is self-explanatory, in this post I'm just going to point out some of the major issues found:
  • Hijacking iframes in webpages where a WMP object is embedded (PoC)
  • Local media file enumeration: this can be (ab)used by an attacker to learn whether some copyrighted media files (e.g. mp3) are on the victim's PC (PoC)
  • Intranet scanning: while the victim watches his favourite clip-of-the-day, Windows Media Player stealthily performs IP scanning of the victim's intranet and sends the collected information to the attacker (PoC)
  • Retrieving detailed information about the victim's operating system version, language and CPU type
  • Triggering stealth FTP connections to an arbitrary site

Enjoy your reading!

June 12th, 2009

Rosario Valotta,
Jun 11, 2009, 2:44 PM