SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#384932

Microsoft Windows Media Player fails to properly evaluate URLs when downloading skin files

Overview

Microsoft Media Player contains a vulnerability in the parsing of "Skin Files" that may permit a remote attacker to download arbitrary files to a known location on the local system.

I. Description

Microsoft Media Player is an application that plays various types of media files. The user can customize the appearance of Microsoft's Media Player through the use of skin files. Skin files can be created and downloaded from the Internet. Microsoft's Media Player uses XML to determine the location of these files.

A directory traversal vulnerability exists in Microsoft Media Player 7.1 (for Windows 98, 98SE, ME, 2000) and 8.0 (Windows XP) when parsing of an XML file specifying the location of a skin file. The XML parser fails to recognize hex encoded characters that can permit an attacker to exit the temporary directory, and place files in a known location on the system.

Exploitation of this vulnerability may permit a remote attacker to download a malicious file to a known location on the local system or any mounted network drives that the current user has access to. These files may be programs, configuration files, or various other types of files. The attacker must trick the user into visiting the malicious website in order to exploit this vulnerability.

For more details, please see Microsoft's Advisory MS03-017.

II. Impact

A remote attacker may be able to download arbitrary files to the system in a known location. If the file is placed in the "Start Up" folder, or used in conjunction with other vulnerabilities (such as VU#626395, VU#25249 or VU#489721), the attacker may then be able to execute arbitrary code on the system.

III. Solution

Microsoft has released patches for versions 7.1 and 8.0 in MS03-017 to address this issue.

Microsoft Media Player 9 is not affected by this vulnerability.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable7-May-2003

References

http://www.microsoft.com/technet/security/bulletin/MS03-017.asp
http://www.microsoft.com/security/security_bulletins/ms03-017.asp
http://www.securityfocus.com/archive/1/320811/2003-05-05/2003-05-11/0
http://www.securityfocus.com/archive/1/320714/2003-05-05/2003-05-11/0
http://www.iss.net/security_center/static/11953.php

Credit

Thanks to Jouko Pynnonen for reporting this vulnerability and Microsoft for addressing this issue.

This document was written by Jason A Rafail.

Other Information

Date Public:2003-05-07
Date First Published:2003-05-07
Date Last Updated:2003-05-15
CERT Advisory: 
CVE-ID(s):CAN-2003-0228
NVD-ID(s):CAN-2003-0228
US-CERT Technical Alerts: 
Metric:18.98
Document Revision:21

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader