[<prev] [next>] [day] [month] [year] [list]
Message-ID: <D52FCFAE57472647956CBAEDC08DA553843600@av-mail01.corp.int-eeye.com>
Date: Tue, 14 Feb 2006 14:49:09 -0800
From: "eEye Advisories" <Advisories@...e.com>
To: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>,
<full-disclosure@...ts.grok.org.uk>, <ntbugtraq@...ugtraq.com>
Subject: [EEYEB-20051017] Windows Media Player BMP Heap
Overflow
EEYEB-20051017 Windows Media Player BMP Heap Overflow
Release Date:
February 14, 2006
Date Reported:
October 17, 2005
Patch Development Time (In Days):
60
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Microsoft Windows Media Player 7.1 through 10
Windows NT 4.0
Windows 98 / ME
Windows 2000 SP4
Windows XP SP1 / SP2
Windows 2003
eEye ID: EEYEB-20051017
CVE: CVE-2006-0006
Overview:
eEye Digital Security has discovered a critical vulnerability in Windows
Media Player. The vulnerability allows a remote attacker to reliably
overwrite heap memory with user-controlled data and execute arbitrary
code in the context of the user who executed the player.
Windows Media Player has a security issue within Media Player versions
7.1 through 10 on all Windows os's. This flaw is a heap overflow, and an
attacker can use multiple vectors to exploit it. Attackers can create
.asx files and open them with a URL, use activex embeded in an HTML page
or create a Media Player skin file.
Technical Description:
Windows Media Player can play bit map format files, such as a .bmp file
and use Windows Media Player (WMP) to decode the .dll process bmp file.
But it can't correctly process a bmp file which declares it's size as 0.
In this case, WMP will allocate a heap size of 0 but in fact, it will
copy to the heap with the real file length. So a special bmp file that
declares it's size as 0 will cause the overflow. When changing the size
to 0, WMP will allocate the heap of the new function, so actually it
will allocate 0x2*8(heap) sized heap. When we copy the date is will
check two conditions:
1. less than the size - the bmp head, this is 0-0xe(the bmp head
size) = 0xfffffff2
2. less than 0x1000
So if the real file size is less than 0x1000, it will copy the real date
size to the 0x2*8 heap, if the real file size is larger than 0x1000, it
will copy the first 0x1000 to the 0x2*8 heap.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from
this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
Credit:
Fang Xing
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@...e.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists