[Owasp-delhi] Security Testing of .wmv files

Samrat Chatterji Samrat_Chatterji at infosys.com
Tue Aug 3 03:54:21 EDT 2010


Hi Megha,
The .WMV file format, or Windows Media Video format, is an MS version of the popular ASF file format, which is used to store video data in compressed format.
Now scenarios may exist on how this is put on the victim system etc. etc. Some virus variants using WMV files etc. are as below

http://vil.nai.com/vil/content/v_99587.htm  (The .WMV file exploits a vulnerability that allows the Windows Media Player to open the MI2.HTM file automatically. The .HTM file gives control to MI2.CHM, which then runs the MI2.EXE file)

http://www.bitdefender.com/NW1288-world--Top-Ten-E-Threats---December-2009.html  (Trojan.Wimad.Gen.1, ranking fifth with 4.57 percent of the global infections, mostly exploits the capability of ASF files to automatically download the appropriate codec from a remote location in order to deploy infected binary files on the host system. The ASF format will store data in either WMA (Windows Media Audio) or WMV (Windows Media Video) formats, which are mostly to be found on Torrent websites. When played locally, the specially-crafted WMV file would allegedly attempt to download a "special codec", which is in fact a malicious binary hosted on a third-party website.)

A GOOD Read http://boards.straightdope.com/sdmb/showthread.php?t=342246
Another http://msmvps.com/blogs/donna/archive/2005/01/13/31831.aspx

An Eye Opener!!!!!!!!!
http://msdn.microsoft.com/en-us/library/dd757562.aspx
excerpt:
An ASF file can contain multiple independent or dependent streams, including multiple audio streams for multichannel audio, or multiple bit rate video streams suitable for transmission over different bandwidths. In addition to the standard audio and video media stream types, an ASF file can also contain text streams, Web pages and script commands, and any other arbitrary data type.

An ASF file is organized into sections called "objects." There are three top-level objects, a Header object and a Data object (both required), plus an optional Index object. The Header object contains general information about the file, such as file size, number of streams, error correction methods, and codecs used. Metadata is also stored here. The Header object is the only top level object that can contain other objects. The Data object contains the stream data, organized in packets. The Simple Index object contains a list of associated index/key-frame pairs that enables applications to seek through a file efficiently. The index associated with each key frame can be a presentation time, a video frame number, or a reference time stamp.

Each top-level or lower-level object begins with a globally unique identifier (GUID) and a size value. These numbers allow the file reader to parse the information at appropriate places into identifiable objects. Because of these GUIDs, lower-level objects can be sent in any order and still be recognized. The ASF format is designed to overcome inaccurate data reception. A partially downloaded ASF file can still be read, as long as it contains the Header object and at least one Data object.

And Finally a good tool to help in editing /decoding (as far as the marketing page says!!!)

http://www.radioactivepages.com/english/asfbin.html

also you can use the windows ASF file format edit SDK (don't have any idea , but worth a try)



Hope this helps

Regards

Samrat
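
The object layout in the MSDN excerpt quoted above (every object starts with a GUID and a size value, and the Header is the only top-level object that contains others), as an added example that is not part of the thread: a Python walker that lists the objects in a buffer and reports size fields that do not fit their container. The GUID values and the 6 bytes that follow the Header's GUID and size are taken from the ASF specification rather than from this thread, and the sample bytes are constructed.

```python
import struct
import uuid

# Object GUIDs as listed in the ASF specification (stored little-endian on disk).
HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
DATA = uuid.UUID("75B22636-668E-11CF-A6D9-00AA0062CE6C")
SIMPLE_INDEX = uuid.UUID("33000890-E5B1-11CF-89F4-00A0C90349CB")
SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
NAMES = {HEADER: "Header", DATA: "Data", SIMPLE_INDEX: "Simple Index",
         SCRIPT_COMMAND: "Script Command"}
OBJ_HDR = 24      # 16-byte GUID + 8-byte little-endian size (size covers both)
HEADER_EXTRA = 6  # Header object only: 4-byte child count + 2 reserved bytes


def walk(buf, start=0, end=None, depth=0):
    """Return (objects, problems); each object is (depth, name, offset, size)."""
    end = len(buf) if end is None else end
    objects, problems, pos = [], [], start
    while pos < end:
        if end - pos < OBJ_HDR:
            problems.append(f"truncated object header at offset {pos}")
            break
        guid = uuid.UUID(bytes_le=bytes(buf[pos:pos + 16]))
        (size,) = struct.unpack_from("<Q", buf, pos + 16)
        name = NAMES.get(guid, str(guid).upper())
        if size < OBJ_HDR or size > end - pos:
            problems.append(f"{name} at offset {pos}: size {size} does not fit")
            break
        objects.append((depth, name, pos, size))
        if guid == HEADER and depth == 0 and size >= OBJ_HDR + HEADER_EXTRA:
            kids, bad = walk(buf, pos + OBJ_HDR + HEADER_EXTRA, pos + size, 1)
            objects, problems = objects + kids, problems + bad
        pos += size
    return objects, problems

def make_obj(guid, payload=b"", claimed=None):
    """Build a constructed object; `claimed` overrides the size field."""
    size = OBJ_HDR + len(payload) if claimed is None else claimed
    return guid.bytes_le + struct.pack("<Q", size) + payload

# Constructed samples (not real media): Header with one Script Command child,
# followed by a Data object; BAD ends in a Data object with an oversized size.
_header = make_obj(HEADER, struct.pack("<IBB", 1, 1, 2) + make_obj(SCRIPT_COMMAND, bytes(20)))
SAMPLE = _header + make_obj(DATA, bytes(26))
BAD = _header + make_obj(DATA, claimed=0xFFFFFFFF)

if __name__ == "__main__":
    for blob in (SAMPLE, BAD):
        print(walk(blob))
```

A Script Command entry in the object list, or any entry in the problems list, marks a file for closer review before it reaches a player.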


From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of megha anand
Sent: Monday, August 02, 2010 9:31 PM
To: chintan dave
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Security Testing of .wmv files

Yup, Chintan, I'm talking about vulnerabilities which are caused while processing WMV files. Even malicious input is not dangerous until it's processed. Hope it helps.

Thanks,
Megha
On Mon, Aug 2, 2010 at 6:09 PM, chintan dave <davechintan at gmail.com> wrote:
Hi Megha,

I did not understand the intent of this question completely.

To my knowledge WMV files are data files. Why would you like to do a security assessment of a data file?

The program that executes this data file (also commonly referred to as "loader") is subject to security assessment.

WMV files are different from Flash content. Flash files (swf format) contain code as well, that's the reason they are subject to VA.

To give an analogy, if there are multiple pdf files on a site, why would someone do a security assessment of a *.pdf file?

There could be vulnerabilities in Adobe's pdf reader software. Ideally you should assess the loader and not the data file itself.

I am still clueless as to what could be achieved by fuzzing the wmv file or loading it in a hex editor.

On Mon, Aug 2, 2010 at 12:50 PM, megha anand <itsmeghaanand at gmail.com> wrote:
Thanks everyone,

Anyone having idea about .WMV memory corruption. How to check it?

Thanks,
Megha



On Mon, Aug 2, 2010 at 9:35 AM, Gunwant Singh <gunwant.s at gmail.com> wrote:
Besides what you have been told, you can use hex editors to open the .wmv files. This may help you in verifying if there is any hardcoded sensitive information lying anywhere in the binary. Be wary of any manipulation that you may cause. "Winhex" is an interesting tool.


-Gunwant
On Fri, Jul 30, 2010 at 11:57 PM, Praveen Darshanam <praveen_recker at yahoo.com> wrote:
hi megha,

do u have idea about WMV file format...if u have good idea of WMV file headers etc. u can fuzz it.......
there are different file format fuzzing tools!!

best regards,
praveen darshanam

--- On Fri, 7/30/10, megha anand <itsmeghaanand at gmail.com> wrote:

From: megha anand <itsmeghaanand at gmail.com>
Subject: [Owasp-delhi] Security Testing of .wmv files
To: owasp-delhi at lists.owasp.org
Date: Friday, July 30, 2010, 1:41 PM


Hi All,

Does anyone have an idea about how one should go ahead in testing .wmv files?

Also, let me know about tools, checklist if any.

Thanks,

Megha

_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi


--
Gunwant Singh



--
Regards,
Chintan Dave,

LinkedIn: http://in.linkedin.com/in/chintandave
Blog: http://www.chintandave.com
