Are WAV files dangerous?

Discussion in 'Computer Security' started by Franky, Aug 15, 2004.

  1. Franky

    Alan Guest

    Well...strictly speaking you are correct, but most of us have never
    actually opened a wav file. We merely clicked on something on our
    screens which we believe represents a wav file, based on what is
    displayed on our screen. For a simple example of why that is NOT
    necessarily safe (using square brackets instead of angle brackets so
    you will see the source):

    [a href="c:\ReallyNastyTrojan.exe"]Trust_Me_This_Is_A_Wav_File.wav[/a]

    Of course there are much more complex and devious ways to deceive...
     
    Alan, Aug 17, 2004
    #21

  2. Franky

    Robert Moir Guest

    I'd hesitate to blame everything on "bugs". This implies that all things are
    the result of a programming error, and misses the most
    insidious part of the problem.


    To take the example of Word and its macro viruses, the Word Macro
    programming language was working exactly as designed, hence it wasn't buggy
    (well not for the specific issue we're addressing here anyway).

    The design however was woefully inadequate and didn't take security into
    account. Combing the code with a debugger for a million years won't fix
    broken design.

    Rob
    MS MVP
     
    Robert Moir, Aug 18, 2004
    #22

  3. Franky

    Robert Moir Guest

    And then we've got to consider the resource cost of scanning WAV files. As
    the size of these can be very large and the data to trigger an exploit can
    be hidden anywhere in the data stream, we've got one heck of a bottleneck
    here.

    Rob
     
    Robert Moir, Aug 18, 2004
    #23
  4. Franky

    Bill Unruh Guest

    ]kurt wismer wrote:

    ]> as such, can avg (or another product that mostly deals with viruses)
    ]> detect valid WAV files that still manage to play havoc with some audio
    ]> player somewhere? i would guess probably not... at best it might
    ]> detect a handful of specially crafted examples of WAV files that
    ]> cause problems with some players and were seen in the wild, but i
    ]> can't see adding general detection for the entire class of objects...
    ]> it's too poorly specified a class...

    ]And then we've got to consider the resource cost of scanning WAV files. As
    ]the size of these can be very large and the data to trigger an exploit can
    ]be hidden anywhere in the data stream, we've got one heck of a bottleneck
    ]here.


    Well, no. A .wav file has a very definite format. The header is a fixed
    length header and the rest is pure data. The data is simply sent to the
    sound card, and cannot do anything. The only problem could come in a
    misinterpreted header, and the .wav file header is simple enough that it is
    hard to misinterpret it.
    The problem arises if a format has a complex enough header (eg data with
    arbitrary length) then programming mistakes can occur.
     
    Bill Unruh, Aug 19, 2004
    #24
  5. Franky

    pgx Guest

    (Bill Unruh) wrote:

    |Well, no. A .wav file has a very definite format. The header is a fixed
    |length header and the rest is pure data.

    Not true. The .wav file can contain many chunks that vary in length.
    See:

    http://www.borg.com/~jglatt/tech/wave.htm

    Note that if any of the chunks is processed in a buffer that is not
    long enough, problems can result. The chunks are all defined with a
    length field, but if not properly used, an overflow could result.

    Phil
     
    pgx, Aug 25, 2004
    #25
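
Added example, not part of the thread: the chunk-length point pgx makes above, shown as a bounds-checked RIFF/WAVE chunk walker in C. The names `wav_check`, `wav_status` and `sample_ok` and the 46-byte sample are constructed for illustration; the layout assumed is the standard one (12-byte RIFF/WAVE header, then chunks of 4-byte ID, 32-bit little-endian size and payload, padded to even length).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum wav_status { WAV_OK = 0, WAV_NOT_RIFF, WAV_TRUNCATED, WAV_BAD_FMT, WAV_NO_FMT };

/* Read a little-endian 32-bit value without assuming alignment. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the chunk list of an in-memory RIFF/WAVE file, checking every declared
 * length against the bytes actually present before anything is copied. */
enum wav_status wav_check(const uint8_t *buf, size_t len, uint8_t fmt_out[16]) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_NOT_RIFF;
    size_t pos = 12;
    int have_fmt = 0;
    while (len - pos >= 8) {                  /* room for a chunk header */
        const uint8_t *id = buf + pos;
        uint32_t size = le32(buf + pos + 4);  /* taken from the file: untrusted */
        pos += 8;
        if (size > len - pos)                 /* avoids computing pos + size */
            return WAV_TRUNCATED;
        if (memcmp(id, "fmt ", 4) == 0) {
            if (size < 16) return WAV_BAD_FMT;
            memcpy(fmt_out, buf + pos, 16);   /* fixed 16 bytes, never `size` */
            have_fmt = 1;
        }
        pos += size;
        if ((size & 1) && pos < len) pos++;   /* skip the pad byte */
    }
    return have_fmt ? WAV_OK : WAV_NO_FMT;
}

/* Constructed sample: PCM, mono, 8 kHz, 8-bit, two bytes of audio data. */
static const uint8_t sample_ok[46] = {
    'R','I','F','F', 38,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x40,0x1f,0,0, 0x40,0x1f,0,0, 1,0, 8,0,
    'd','a','t','a', 2,0,0,0, 0x80,0x80 };

int main(void) {
    uint8_t fmt[16];
    return wav_check(sample_ok, sizeof sample_ok, fmt);  /* 0 == WAV_OK */
}
```

The walk touches only the 8-byte chunk headers and the 16-byte `fmt ` body, so its cost depends on the number of chunks rather than on the amount of audio data.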
  6. What could really happen is that a constructed wave could make a
    buffer overflow in a wave player. This could be a possibility, but it's
    a bug in the software, not a problem in the wave file format.

    --

    Jose Maria Lopez Hernandez
    Director Tecnico de bgSEC

    bgSEC Seguridad y Consultoria de Sistemas Informaticos
    http://www.bgsec.com
    ESPAÑA

    The only people for me are the mad ones -- the ones who are mad to live,
    mad to talk, mad to be saved, desirous of everything at the same time,
    the ones who never yawn or say a commonplace thing, but burn, burn, burn
    like fabulous yellow Roman candles.
    -- Jack Kerouac, "On the Road"
     
    Jose Maria Lopez Hernandez, Aug 26, 2004
    #26
  7. Franky

    xmp Guest

    That's true of most exploits whether stack overflows, format bugs, or
    whatever. Most are simply coding errors which are inevitable. A few
    are due to features, e.g. exploits that utilize My Computer Zone.
    Others are intrinsic to the protocol, e.g. spoofing in TCP/IP. It will
    be interesting to see what happens as more stuff is compiled with stack
    and format guards.

    I wonder if iDefense would pay for a media player exploit?

    michael
     
    xmp, Aug 27, 2004
    #27
  8. Franky

    Bright Guest

    So the answer to the original poster's question is YES ... er and NO
    :)

    The format of WAV files is not so strongly restricted that it's not
    possible for a file to be crafted that exploits a particular
    implementation of WAV play (whether this be by buffer overflow or the
    wrong data type for a particular field).

    However, whether such a crafted WAV file can have an impact on a
    target system is entirely dependent on the type of application which
    is used upon it -
    If you receive a crafted WAV file and don't do anything more with it
    then it cannot have an impact.
    If you load a crafted WAV file into a WAV player then it may have an
    impact, particularly if the crafted vulnerability is aimed at your
    specific WAV player (although other players may crash or evidence
    other instability in the light of these non-standard WAV elements).

    In the real world, where a significant market share is owned by
    Microsoft and Windows Media Player then it seems reasonable to say
    that a crafted WAV file aimed at this application will potentially
    cause a problem, however, I'm not aware of a WAV exploit that has
    successfully targeted Windows Media Player (there may have been an
    exploit of the 'skins' facility in this application ...but that uses a
    different file type).

    Regards
     
    Bright, Sep 2, 2004
    #28
  9. But that's true for almost every exploit you have out there. It
    will only work if it has one concrete application or version of that
    application listening to the data, so the case is the same for WAV
    files: they could be seen (if there would be any of them) as exploits
    for some player.


     
    Jose Maria Lopez Hernandez, Sep 2, 2004
    #29
  10. Franky

    NetHelper

    Ok, first of all, .wav files cannot be dangerous, only when they are used with exploits. Second of all, you should switch to another antivirus. AVG is very inefficient and sometimes frustrating, and AVG is considered primitive. AVG only detects some low-threat viruses and does not offer a firewall, nor do they offer internet protection. The so-called experts are very sketchy and don't do their job very well. If using a PC, there is little you can do about infected files or exploited .wav or .jpeg files, since PowerPC, Java, and Adobe are the most vulnerable plugins in the world. But what you can do, well, there isn't much. You can get a BETTER antivirus than AVG and try doing regular maintenance on your PC. If you use a Mac, there is little to worry about. Either configure your XSecurity settings on System preferences, or just install an antivirus.
     
    NetHelper, Mar 1, 2015
    #30
