Are WAV files dangerous?

[Franky]

I am aware that some MP3s can exploit weaknesses in the player.
Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934

But can a WAV file also be dangerous? Using Google, only a few
people say 'yes'. So is this just a myth?

If a WAV is actually dangerous then does AVG have the ability to
detect bad WAVs?

 

[David H. Lipman]

No, WAV files are not dangerous.

Dave




| I am aware that some MP3s can exploit weaknesses in the player.
| Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934
|
| But can a WAV file also be dangerous? Using Google, only a few
| people say 'yes'. So is this just a myth?
|
| If a WAV is actually dangerous then does AVG have the ability to
| detect bad WAVs?

 

[Thor Kottelin]

No, WAV files are not dangerous.

Any file - MP3, WAV or other - can be indirectly dangerous if loaded into a
vulnerable program. As an example, Microsoft Outlook Express used to suffer
from a vulnerability known as the "x-wav exploit". This was used by
BadTrans.

Therefore it is not enough to avoid intrinsically dangerous files - broken
software must also be avoided.

Follow-ups set.

Thor

 

[John Coutts]

I am aware that some MP3s can exploit weaknesses in the player.
Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934

But can a WAV file also be dangerous? Using Google, only a few
people say 'yes'. So is this just a myth?

If a WAV is actually dangerous then does AVG have the ability to
detect bad WAVs?

******************* REPLY SEPARATER ********************
Generally speaking, any data file (.wav, .mpe, .gif) is not dangerous. It
cannot execute commands by itself.

For example, a document file (.doc) is in itself benign. When opened with a
program such as "Wordpad", it is harmless. But when opened with a program such
as "Word", imbedded scripts can be run that may not be harmless. The question
has more to do with the executing program than with the data files themselves,
and Microsoft has a habit of adding bells & whistles that execute in the
background without your knowledge. The default disabling of displaying file
extensions, and the default association of file extensions with specific
programs, is in my opinion one of the most insecure things that Microsoft has
ever done. I personally always open the program that I want to use, and then
load the data file.

J.A. Coutts

 

[Criminal Element]

******************* REPLY SEPARATER ********************
Generally speaking, any data file (.wav, .mpe, .gif) is not dangerous. It
cannot execute commands by itself.

For example, a document file (.doc) is in itself benign. When opened with a
program such as "Wordpad", it is harmless. But when opened with a program such
as "Word", imbedded scripts can be run that may not be harmless. The question
has more to do with the executing program than with the data files themselves,
and Microsoft has a habit of adding bells & whistles that execute in the
background without your knowledge. The default disabling of displaying file
extensions, and the default association of file extensions with specific
programs, is in my opinion one of the most insecure things that Microsoft has
ever done. I personally always open the program that I want to use, and then
load the data file.

J.A. Coutts

If an MP3 was made to exploit the flaw, and renamed to .wav to avoid the scanner would
it still be handled by WinAmp as an MP3 after the OS sent it to WinAmp by extention assoc?
Would it still be a danger by you opening "from" the app?

 

[Bill Unruh]

(e-mail address removed) (John Coutts) writes:

]In article <[email protected]>, (e-mail address removed) says...
]>
]>I am aware that some MP3s can exploit weaknesses in the player.
]>Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934
]>
]>But can a WAV file also be dangerous? Using Google, only a few
]>people say 'yes'. So is this just a myth?
]>
]>If a WAV is actually dangerous then does AVG have the ability to
]>detect bad WAVs?
]******************* REPLY SEPARATER ********************
]Generally speaking, any data file (.wav, .mpe, .gif) is not dangerous. It
]cannot execute commands by itself.

Not really true. data files can be dangerous, if they interact with bugs in
the programs which they are data for. Thus the MP3 vulnerability.

Now wav files have very well defined data fields-- fixed length with no
terminating designation, which means it is pretty hard to make a buggy
reader.

]For example, a document file (.doc) is in itself benign. When opened with a
]program such as "Wordpad", it is harmless. But when opened with a program such
]as "Word", imbedded scripts can be run that may not be harmless. The question

That makes teh .doc file dangerous-- it usually interacts with a program
that is so complex that is certainly has bugs.


]has more to do with the executing program than with the data files themselves,
]and Microsoft has a habit of adding bells & whistles that execute in the
]background without your knowledge. The default disabling of displaying file
]extensions, and the default association of file extensions with specific
]programs, is in my opinion one of the most insecure things that Microsoft has
]ever done. I personally always open the program that I want to use, and then
]load the data file.

]J.A. Coutts

 

[Anonymous]

AV is actually dangerous then does AVG have the ability to
detect bad WAVs?

Only executables can cause your computer to be infected by viruses. Non-
executable files, like images or WAV files can have viral code inserted
into them, but the viral code will never be executed, so they are not a
threat.
The main threat you may have is files with double extensions which can fool
the user into thinking the file is a WAV file, when in reality it is
executable. e.g. the file 'Nirvana - Smells like teen spirit.WAV.exe'
would look like a WAV file, but it is really an executable file in
disguise!

--
The email address used is fake. Any replies will not be read!
If you want to reply, reply to the newsgroup instead.

Visit my website!
http://storm.prohosting.com/compsecu

 

[Newman]

]For example, a document file (.doc) is in itself benign. When opened with a
]program such as "Wordpad", it is harmless. But when opened with a program such
]as "Word", imbedded scripts can be run that may not be harmless. The question

That makes teh .doc file dangerous-- it usually interacts with a program
that is so complex that is certainly has bugs.

So, who kills people?
a)people
b)guns
c)the bullet
d)organ failure/major hemmorage
e)what does it matter, just don't stand in front of it

 

[Tim H.]

I am aware that some MP3s can exploit weaknesses in the player.
Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934

But can a WAV file also be dangerous? Using Google, only a few
people say 'yes'. So is this just a myth?

Not sure why no one else mentioned this...

If a program has unchecked data buffers, then it's susceptible to buffer
overflows. And if a jpeg, wav or mp3 contains data to exploit that overflow,
then yes, a wav file COULD be dangerous. The file itself isn't dangerous,
only when used with the program it's trying to exploit.

-Tim

 

[kurt wismer]

I am aware that some MP3s can exploit weaknesses in the player.
Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934

But can a WAV file also be dangerous? Using Google, only a few
people say 'yes'. So is this just a myth?

If a WAV is actually dangerous then does AVG have the ability to
detect bad WAVs?

there are no bad WAVs... there are no bad MP3s either, technically...
it either meets the specifications for that format (and therefore is
that type) or doesn't meet the specifications for that format (and
therefore isn't that type)...

the fact that certain players don't handle certain combinations of
valid (as in, allowed by the specifications for the format) data very
well doesn't make the file containing that data "bad"... it just means
there's a bug in the player that needs to be fixed...

as such, can avg (or another product that mostly deals with viruses)
detect valid WAV files that still manage to play havoc with some audio
player somewhere? i would guess probably not... at best it might detect
a handful of specially crafted examples of WAV files that cause
problems with some players and were seen in the wild, but i can't see
adding general detection for the entire class of objects... it's too
poorly specified a class...

 

[David H. Lipman]

"Thor Kottelin" corrected me with the reply of the "x-wav exploit" which is a buffer
overflow vulnerability. So it has been stated.

Dave



|
| | > I am aware that some MP3s can exploit weaknesses in the player.
| > Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934
| >
| > But can a WAV file also be dangerous? Using Google, only a few
| > people say 'yes'. So is this just a myth?
|
| Not sure why no one else mentioned this...
|
| If a program has unchecked data buffers, then it's susceptible to buffer
| overflows. And if a jpeg, wav or mp3 contains data to exploit that overflow,
| then yes, a wav file COULD be dangerous. The file itself isn't dangerous,
| only when used with the program it's trying to exploit.
|
| -Tim
|
| >
| > If a WAV is actually dangerous then does AVG have the ability to
| > detect bad WAVs?
|
|

 

[Julian Moss]

Not sure why no one else mentioned this...

If a program has unchecked data buffers, then it's susceptible to
buffer overflows. And if a jpeg, wav or mp3 contains data to exploit
that overflow, then yes, a wav file COULD be dangerous. The file
itself isn't dangerous, only when used with the program it's trying
to exploit.

-Tim

But people use many different programs to play WAV or MP3 files. A
buffer overflow exploit will only work with the program it was designed
to exploit. A case, perhaps, for never using the most popular
applications (e.g. Windows Media Player, in this example.)

 

[Criminal Element]

I don't think so. Wasn't that exploit only to trick the OS into executing an EXE cause it was
thought to be a safe MIME Type of WAV? Where was the buffer exploit there?

 

[Bill Unruh]

]Franky wrote:

]> I am aware that some MP3s can exploit weaknesses in the player.
]> Eg. Winamp 2.81 http://www.securityfocus.com/archive/1/303934
]>
]> But can a WAV file also be dangerous? Using Google, only a few
]> people say 'yes'. So is this just a myth?
]>
]> If a WAV is actually dangerous then does AVG have the ability to
]> detect bad WAVs?

]there are no bad WAVs... there are no bad MP3s either, technically...
]it either meets the specifications for that format (and therefore is
]that type) or doesn't meet the specifications for that format (and
]therefore isn't that type)...

]the fact that certain players don't handle certain combinations of
]valid (as in, allowed by the specifications for the format) data very
]well doesn't make the file containing that data "bad"... it just means
]there's a bug in the player that needs to be fixed...

]as such, can avg (or another product that mostly deals with viruses)
]detect valid WAV files that still manage to play havoc with some audio
]player somewhere? i would guess probably not... at best it might detect
] a handful of specially crafted examples of WAV files that cause
]problems with some players and were seen in the wild, but i can't see
]adding general detection for the entire class of objects... it's too
]poorly specified a class...

The question is how tightly the standards constrain the file. In the case
of wav files, the data structure size and type is tightly constrained. If
there are things like titles, etc around then they will have a freeform
data structure, which could in a badly written program cause trouble. (eg
the person writting assumes that say 512 bytes is more than enough for any
title.)
If the data structure says that the data header is exactly 100 byes long,
then it is hard to miscode that. if it is of variable length, then it gets
easier.

 

[Lassi =?iso-8859-1?Q?Hippel=E4inen?=]

The question is how tightly the standards constrain the file.

No. The question is what happens when the file doesn't conform to the
standard. A parser shouldn't crash at the first non-conformance. It
should be robust enough to either ignore the errors or reject the data.

Many exploits discovered by the PROTOS test suite (including SNMP
implementations!) were holes left by too trusting programmers.

-- Lassi

 

[Alan]

No, WAV files are not dangerous.

Dave

Well...strictly speaking you are correct, but most of us have never
actually opened a wav file. We merely clicked on something on our
screens which believe represents a wav file, based on what is
displayed on our screen. For a simple example of why that is NOT
necessarily safe (using square brackets instead of angle brackets so
you will see the source):

[a href="c:\ReallyNastyTrojan.exe"]Trust_Me_This_Is_A_Wav_File.wav[/a]

Of course there are much more complex and devious ways to deceive...

 

[Robert Moir]

]For example, a document file (.doc) is in itself benign. When opened
with a ]program such as "Wordpad", it is harmless. But when opened
with a program such ]as "Word", imbedded scripts can be run that may
not be harmless. The question

That makes teh .doc file dangerous-- it usually interacts with a
program
that is so complex that is certainly has bugs.

I'd hesitate to blame everything on "bugs". This implies that all things are
the result of a programming error, and misses the most
insidious part of the problem.


To take the example of Word and its macro viruses, the Word Macro
programming language was working exactly as designed, hence it wasn't buggy
(well not for the specific issue we're addressing here anyway).

The design however was woefully inadequate and didn't take security into
account. Combing the code with a debugger for a million years won't fix
broken design.

Rob
MS MVP

 

[Robert Moir]

as such, can avg (or another product that mostly deals with viruses)
detect valid WAV files that still manage to play havoc with some audio
player somewhere? i would guess probably not... at best it might
detect a handful of specially crafted examples of WAV files that
cause problems with some players and were seen in the wild, but i
can't see adding general detection for the entire class of objects...
it's too poorly specified a class...

And then we've got to consider the resource cost of scanning WAV files. As
the size of these can be very large and the data to trigger an exploit can
be hidden anywhere in the data stream, we've got one heck of a bottleneck
here.

Rob

 

[Bill Unruh]

]kurt wismer wrote:

]> as such, can avg (or another product that mostly deals with viruses)
]> detect valid WAV files that still manage to play havoc with some audio
]> player somewhere? i would guess probably not... at best it might
]> detect a handful of specially crafted examples of WAV files that
]> cause problems with some players and were seen in the wild, but i
]> can't see adding general detection for the entire class of objects...
]> it's too poorly specified a class...

]And then we've got to consider the resource cost of scanning WAV files. As
]the size of these can be very large and the data to trigger an exploit can
]be hidden anywhere in the data stream, we've got one heck of a bottleneck
]here.


Well, no. A .wav file has a very definite format. The header is a fixed
length header and the rest is pure data. The data is simply sent to the
sound card, and cannot do anything. The only problem could come in a
misinterpreted header, and the .wav file header is simple enough that it is
hard to misinterpret it.
The problem arises if a format has a complex enough header (eg data with
arbitrary length) then programming mistakes can occur.

 

[pgx]

(e-mail address removed) (Bill Unruh) wrote:

|Well, no. A .wav file has a very definite format. The header is a fixed
|length header and the rest is pure data.

Not true. The .wav file can contain many chunks that vary in length.
See:

http://www.borg.com/~jglatt/tech/wave.htm

Note that if any of the chunks is processed in a buffer that is not
long enough, problems can result. The chunks are all defined with a
length field, but if not properly used, an overflow could result.

Phil