NT: Embedded URLs in spoofed MM files

Discussion in 'other security issues & news' started by Paul Wilders, Mar 5, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders


    Embedded URLs in spoofed multimedia files (such as .MP3 and .WAV) can be used to "hijack" users to malicious web sites. Web sites can be automatically opened when users click on MP3 or WAV files. A hacker can use file extension spoofing in order to trick users into opening these files; for example, an .MP3 file may really be another file type, such as a .AFX file, which may contain a URL. Internet applications (browser, e-mail client, etc.) may even open such files without asking the user what to do (if the user made a decision in the past to automatically open the specific file extension). Some multimedia applications open the files despite the difference between the file type (e.g., AFX) and the spoofed file extension (e.g., WAV). The spoofed file extension is an extension that is considered "safe". For example, a "real" WAV file cannot be used for embedding URLs. Some pornographic web sites are already using this technique.
    There is also a privacy aspect to this exploit. Users who play illegal multimedia files, such as .MP3 and MPEGs, can be tracked by web sites that log their IP address or even much more personal details. For example, an ActiveX Control embedded on a web site can pull out your e-mail address.
    Finjan Software's Research Center has discovered that even .WAV files can be used to "hijack" users to a web site containing a powerful ActiveX Control. The URL can even include a direct link to an executable, or to a web site that automatically downloads and executes an executable. This technique is powerful and has already been used in the wild.


    Vulnerable systems:
    * Microsoft Media Player 7.0 and above.
    * RealNetworks RealOne Player

    Finjan has built a .WAV demonstration at:


    to test your vulnerability to this attack. Upon opening this audio file with vulnerable software, a sound will be played and you will be "hijacked" directly to Finjan Software's ActiveX demo. This ActiveX demo creates a new folder on your Windows Desktop directory named "You Have Been Hacked!" and copies several of your personal files into it. It also turns on your PC's microphone (if it has one), records ten seconds of audio and plays it back automatically. You may delete the "You Have Been Hacked" folder and the files in it (they are copies only and the original files have not been moved).

    ActiveX Controls are actually small programs that are downloaded from web pages and run locally on your PC. ActiveX is capable of performing any action including stealing and deleting files. ActiveX controls can run automatically in the background. Please allow several seconds for the demo to start; performance will vary depending on connection speed.

    source: www.securiteam.com
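
A defensive check for the extension/content mismatch described in the post, as an added example that is not part of the original post or of Finjan's advisory: it compares a file's leading bytes with its claimed .wav or .mp3 extension and lists any URLs found in files that do not match. The function names and both sample byte strings are constructed for illustration.

```python
import os
import re

# http(s) URLs in raw bytes; stops at whitespace, NUL, quotes and angle brackets.
URL_RE = re.compile(rb"https?://[^\s\x00\x22\x27<>]+", re.IGNORECASE)

def looks_like_wav(head: bytes) -> bool:
    # RIFF container: "RIFF", 4-byte little-endian size, then form type "WAVE".
    return len(head) >= 12 and head[:4] == b"RIFF" and head[8:12] == b"WAVE"

def looks_like_mp3(head: bytes) -> bool:
    # Either an ID3v2 tag or a plausible MPEG audio frame header.
    if head[:3] == b"ID3":
        return True
    if len(head) < 3 or head[0] != 0xFF or (head[1] & 0xE0) != 0xE0:
        return False
    version, layer = (head[1] >> 3) & 3, (head[1] >> 1) & 3
    bitrate, rate = head[2] >> 4, (head[2] >> 2) & 3
    # Reject reserved field values so arbitrary 0xFF-prefixed data does not pass.
    return version != 1 and layer != 0 and bitrate != 15 and rate != 3

CHECKS = {".wav": looks_like_wav, ".mp3": looks_like_mp3}

def inspect(name: str, data: bytes, scan_bytes: int = 4096) -> dict:
    """Compare the claimed extension with the content; list URLs on mismatch."""
    ext = os.path.splitext(name)[1].lower()
    check = CHECKS.get(ext)
    head = data[:scan_bytes]
    matches = check(head) if check else None  # None: extension not covered
    urls = []
    if matches is False:
        urls = [u.decode("ascii", "replace") for u in URL_RE.findall(head)]
    return {"name": name, "content_matches": matches,
            "suspicious": matches is False, "urls": urls}

# Constructed samples: a bare 44-byte PCM WAV header and a text metafile
# carrying a URL. The metafile layout is illustrative, not a real format spec.
REAL_WAV = (b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " +
            (16).to_bytes(4, "little") + bytes(16) + b"data" + bytes(4))
SPOOFED = b'<entry><ref href="http://example.invalid/landing"/></entry>'

if __name__ == "__main__":
    for fname, blob in [("clip.wav", REAL_WAV), ("song.wav", SPOOFED),
                        ("song.mp3", SPOOFED)]:
        print(inspect(fname, blob))
```

A mail or web gateway could run the same comparison on attachments and downloads before a media player ever sees them.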