Signature Detail

HTTP: Microsoft Windows Media Player Skin Decompression Code Execution

This signature detects attempts to exploit a known code execution vulnerability in Microsoft Windows Media Player. It is caused due to a boundary error when decompressing the encoded data from WMZ and WMD files. A remote attacker can exploit this by enticing the target user to open crafted WMZ and WMD files, potentially causing arbitrary code to be injected and executed in the security context of the currently logged in user. In a simple attack case, the affected Windows Media Player can terminate when the malicious page is opened. In a sophisticated attack, where the malicious user is successful in injecting and executing supplied code, the behavior of the system is dependent on the nature of the injected code. Any code injected into the vulnerable component can execute in the security context of the currently logged in user.

Extended Description

Microsoft Windows Media Player is prone to a remote code-execution vulnerability when handling specially crafted compressed skin files. Attackers exploit this issue by coercing unsuspecting users to download and open Windows Media Player skin files (WMZ or WMD files). Successful exploits allow attackers to execute arbitrary code in the context of the vulnerable application. This facilitates the remote compromise of affected computers.

Affected Products

• Avaya customer_interaction_express_(cie)_server 1.0
• Avaya customer_interaction_express_(cie)_user_interface 1.0
• Avaya customer_interaction_express_(cie)_user_interface 1.0.2
• Microsoft windows_media_player 10.0
• Microsoft windows_media_player 11
• Microsoft windows_media_player 7.1
• Microsoft windows_media_player 9.0

References

• BugTraq: 25307
• CVE: CVE-2007-3035