Microsoft Windows Media Player fails to properly evaluate URLs when downloading skin files

Overview

Microsoft Media Player contains a vulnerability in the parsing of “Skin Files” that may permit a remote attacker to download arbitrary files to a known location on the local system.

Description

Microsoft Media Player is an application that plays various types of media files. The user can customize the appearance of Microsoft’s Media Player through the use of skin files. Skin files can be created and downloaded from the Internet. Microsoft’s Media Player uses XML to determine the location of these files.

A directory traversal vulnerability exists in Microsoft Media Player 7.1 (for Windows 98, 98SE, ME, 2000) and 8.0 (Windows XP) when parsing of an XML file specifying the location of a skin file. The XML parser fails to recognize hex encoded characters that can permit an attacker to exit the temporary directory, and place files in a known location on the system.

Exploitation of this vulnerability may permit a remote attacker to download a malicious file to a known location on the local system or any mounted network drives that the current user has access to. These files may be programs, configuration files, or various other types of files. The attacker must trick the user into visiting the malicious website in order to exploit this vulnerability.

For more details, please see Microsoft’s Advisory MS03-017.

---

Impact

A remote attacker may be able to download arbitrary files to the system in a known location. If the file is placed in the “Start Up” folder, or used in conjunction with other vulnerabilities (such as VU#626395, VU#25249 or VU#489721), the attacker may then be able to execute arbitrary code on the system.

---

Solution

Microsoft has released patches for versions 7.1 and 8.0 in MS03-017 to address this issue.

---

Microsoft Media Player 9 is not affected by this vulnerability.

---

Vendor Information

384932

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: May 07, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For more details, please see Microsoft’s Advisory MS03-017.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23384932 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/bulletin/MS03-017.asp&gt;
• <http://www.microsoft.com/security/security_bulletins/ms03-017.asp&gt;
• <http://www.securityfocus.com/archive/1/320811/2003-05-05/2003-05-11/0&gt;
• <http://www.securityfocus.com/archive/1/320714/2003-05-05/2003-05-11/0&gt;
• <http://www.iss.net/security_center/static/11953.php&gt;

Acknowledgements

Thanks to Jouko Pynnonen for reporting this vulnerability and Microsoft for addressing this issue.

This document was written by Jason A Rafail.

Other Information

CVE IDs:	CVE-2003-0228
Severity Metric:	18.98 Date Public: