In this part, we would like to talk more about CVE-2008-3010: ISATAP vulnerability in Windows Media components. As described in the bulletin MS08-076, Windows Media components (Windows Media Player, Windows Media Format Runtime, and Windows Media Services) treat an ISATAP server address as an intranet zone address, and thus may leak NTLM credentials.


There are two different scenarios: the client side and the server side.


The client side scenario is simple. It relates to Windows Media Player (WMP) or any client applications that build upon the Windows Media Foundation SDK or Windows Media Format SDK. For example, when a user uses WMP to open ISATAP URLs addresses, WMP might leak NTLM credentials to internet. Please note here the term client side scenario does not mean that the OS needs to be a client OS. For example, a user could still use WMP in Windows Server 2008 and hit this issue.


It should be noted that there is a workaround for the client side scenario: modifying the Access Control List (ACL) for WMNetMgr.dll. This was not listed in the bulletin as it only applies to the client side scenario and not the server side scenario. The details are as follow:

For Windows XP, run the following command from an administrator command prompt:


for /F "tokens=*" %G IN ('dir /b /s %windir%\WMNetMgr.dll') DO cacls %G /E /R everyone


For Windows Vista and Windows Server 2008, run the following commands from an elevated administrator command prompt:


for /F "tokens=*" %G IN ('dir /b /s %windir%\WMNetMgr.dll') DO takeown /F %G && icacls %G /deny everyone:(F)


WMNetMgr.dll handles network connections. Thus the impact of this workaround is that WMP or other client applications may not be able to connect to any servers. Local media playback would still be fine.


The server side scenario is more complex and it relates to Windows Media Services (WMS). Even though servers don't typically send out NTLM credentials, there are scenarios where a Windows Media server is vulnerable. For example, suppose a user buys a streaming service and has an ISP’s WMS pull contents from his/her WMS for distribution on the content distribution network.  In this situation, the ISP's server can perform an NTLM authentication to the user's server.  To see how this works, consider the following diagram:




In the above diagram, the “edge” server acts as a client to the “origin” server. Therefore, the “edge” server’s credential may be leaked by WMS to the “origin” server, which could be controlled by an attacker. While the above setup may not be the common scenario, a possibility exists for this to occur thus we fixed WMS to make sure it classifies ISATAP address in the right zone.


Chengyun, SVRD Blogger


*Postings are provided "AS IS" with no warranties, and confers no rights.*