[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B96BEB7.2030109@coresecurity.com>
Date: Tue, 09 Mar 2010 18:33:43 -0300
From: CORE Security Technologies Advisories <advisories@...esecurity.com>
To: Bugtraq <bugtraq@...urityfocus.com>,
full-disclosure@...ts.grok.org.uk
Subject: CORE-2009-0813: Windows Movie Maker and Microsoft
Producer IsValidWMToolsStream() Heap Overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap
Overflow
1. *Advisory Information*
Title: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream()
Heap Overflow
Advisory Id: CORE-2009-0813
Advisory URL: http://www.coresecurity.com/content/movie-maker-heap-overflow
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0265
3. *Vulnerability Description*
Windows Movie Maker is a video creating/editing software, which is
included by default in Windows Vista and XP. Microsoft Producer is an
add-in for PowerPoint to create rich-media presentations.
A vulnerability was found in Windows Movie Maker and Microsoft Producer,
which can be triggered by a remote attacker by sending a specially
crafted file and enticing the user to open it. This vulnerability
results in a write access violation and can lead to remote code execution.
4. *Vulnerable packages*
. Windows Movie Maker
The following Windows versions ship with a vulnerable version of
Windows Movie Maker by default:
. Windows Vista.
. Windows Vista Service Pack 1.
. Windows Vista Service Pack 2.
. Windows XP Professional x64 Edition.
. Windows XP Service Pack 2.
. Windows XP Service Pack 3.
. Microsoft Producer for PowerPoint.
5. *Non-vulnerable packages*
. Windows Live Movie Maker (downloadable component for Windows 7).
6. *Vendor Information, Solutions and Workarounds*
Microsoft has addressed the vulnerability in Movie Maker by issuing an
update located at
http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx
The security update for Microsoft Producer 2003 is unavailable at this
time.
The workarounds and mitigations are:
. Avoid opening .MSWMM Movie Maker files or .MSProducer Microsoft
Producer files from untrusted sources.
. Remove the Movie Maker .MSWMM file association and/or remove the
Microsoft Producer 2003 .MSProducer, .MSProducerZ, and .MSProducerBF
file associations.
. Replace Microsoft Producer with a new version when it comes out or
with the current Beta version.
Refer to the Microsoft Security Bulletin MS10-016 [2] for more
information.
7. *Credits*
This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].
8. *Technical Description / Proof of Concept Code*
An exploitable vulnerability was found in Windows Movie Maker, which can
be triggered by a remote attacker by sending a specially crafted .MSWMM
file and enticing the user to open it. This vulnerability results in a
write access violation and can lead to remote code execution.
The root cause of this is the function IsValidWMToolsStream(), in which
*pbuffer is used twice with 2 different sizes. The second time, the data
is read from the MSWMM file, and pbuffer is not re-allocated before it
is re-used. If the size read from the file is bigger than the initial
internal value, this results in a buffer overrun.
The following is an excerpt of the vulnerable code:
/-----
CDocManager::IsValidWMToolsStream(bool *)+EB push dword ptr
[valueFromFile];0x8888
CDocManager::IsValidWMToolsStream(bool *)+EE call ??2@...AXI@Z ;
operator new(uint)
CDocManager::IsValidWMToolsStream(bool *)+F3 pop ecx
CDocManager::IsValidWMToolsStream(bool *)+F4 mov [pBuffer], eax
CDocManager::IsValidWMToolsStream(bool *)+F7 mov [ebp-40h], eax
CDocManager::IsValidWMToolsStream(bool *)+FA mov byte ptr [ebp-4], 2
CDocManager::IsValidWMToolsStream(bool *)+FE push dword ptr
[ebp-2Ch] ; int
CDocManager::IsValidWMToolsStream(bool *)+101 mov ecx, esi
CDocManager::IsValidWMToolsStream(bool *)+103 push ebx ; int
CDocManager::IsValidWMToolsStream(bool *)+104 push edi ;
wchar_t *
CDocManager::IsValidWMToolsStream(bool *)+105 call
?ExtractData@...cManager@@QAEJPBGPAXJ@Z ;
CDocManager::ExtractData(ushort const *,void *,long)
CDocManager::IsValidWMToolsStream(bool *)+10A mov esi, eax
CDocManager::IsValidWMToolsStream(bool *)+10C test esi, esi
CDocManager::IsValidWMToolsStream(bool *)+10E jge short loc_118158A
CDocManager::IsValidWMToolsStream(bool *)+110 mov byte ptr [ebp-4], 1
CDocManager::IsValidWMToolsStream(bool *)+114 cmp dword ptr
[pBuffer], 0
CDocManager::IsValidWMToolsStream(bool *)+118 jz short loc_1181578
CDocManager::IsValidWMToolsStream(bool *)+29E push [pBuffer] ; void *
CDocManager::IsValidWMToolsStream(bool *)+2A1 call ??3@...PAX@Z ;
operator delete(void *)
CDocManager::IsValidWMToolsStream(bool *)+2A6 pop ecx
- -----/
Note that the same Proof of Concept file used to trigger the bug in
Movie Maker can be used to trigger the bug in Microsoft Producer, by
changing its extension from ".MSWMM" to ".MSProducer".
9. *Report Timeline*
. 2009-08-14:
Core Security Technologies notifies the Microsoft team of the
vulnerability and sends a technical description and proof of concept
file. A preliminary publication date is set for November 17th, 2009.
. 2009-08-14:
The Microsoft team acknowledges receipt of the report.
. 2009-08-18:
Core resends the proof of concept file (the original contained a mistake).
. 2009-08-27:
Core requests from the Microsoft team an update on the vulnerability
status.
. 2009-08-28:
The Microsoft team confirms that the bug results in an access violation
and that they are assessing the exploitability of the bug.
. 2009-09-08:
The Microsoft team informs Core that their analysis confirms the bug is
exploitable, and that it will be addressed in a security bulletin; that
they are still working on estimating a release schedule and identifying
other software products and versions affected by the issue; that they
believe that the scheduled publication date (November 17th) cannot be
met by a security update; and requests that Core postpones publication.
. 2009-09-14:
To delay the publication until December 15th, Core requests from the
Microsoft team detailed information on the bug including: field format
details and cause of the flaw; applications and versions affected;
vendor fix schedule; and updates at least once every two weeks.
. 2009-09-16:
The Microsoft team informs Core that they are looking into what amount
of detail they can provide on their fix plans. The Microsoft team also
promises to keep in touch with more technical information to work on a
mutual arrangement.
. 2009-10-26:
Core again requests additional information about the vulnerability and
Microsoft's plan to produce a fix. In particular Core requests
information about Microsoft's other products which are able to parse the
same document format, and may be affected by the vulnerability.
. 2009-11-04:
Core again requests a response to the questions formulated in the
previous communication.
. 2009-11-05:
Microsoft promises to send an answer the following week.
. 2009-11-09:
Microsoft sends technical information about the bug, including a list of
affected versions and platforms. Its investigation indicates that the
issue can lead to Remote Code Execution and that fixes are currently
forecast to ship as an Important severity class issue in their bulletin.
Microsoft also requests that Core postpones publication until February
9th, 2010.
. 2009-11-11:
Core acknowledges receipt of the previous mail, and reschedules
publication of its advisory to February 9th, 2010.
. 2010-01-22:
Microsoft resends the technical analysis of the vulnerability.
. 2010-02-02:
Core checks whether Microsoft is still on track to release fixes on
February 9th, 2010, and requests a list of non affected versions and
vendor information to include in the advisory.
. 2010-02-03:
Microsoft informs Core that Microsoft Producer 2003 is vulnerable to the
reported vulnerability; as Producer 2003 is an out of box tool, the
support for this product will end when it is replaced with a newer
version. Microsoft states that a new version of Producer will be
released in March 2010 alongside of the Office 2010 release. Microsoft
requests that Core coordinates its advisory release with Microsoft's
bulletin and new product launch on March 9th, 2010.
. 2010-02-24:
Microsoft informs Core that they ran into some issues with this update,
and requests a conference call to discuss options.
. 2010-02-25:
Conference call between Core and MSRC. Microsoft informs Core that fixes
for Movie Maker are ready to be released, but that the release of a new
version of Producer (alongside the release of Office 2010) has been
postponed from March 9th to an unspecified date. Microsoft requests that
Core postpones the publication of its advisory to an unspecified date,
in order to coordinate the release of fixes for Movie Maker and the
launch of the new Producer version. Core says that from its point of
view, not releasing the available fixes for Movie Maker increases the
risk to affected users. Core does not agree to postpone publication of
its advisory (for the 4th time) beyond March 9th, since fixes for Movie
Maker are available, and their release would be delayed to an
undetermined date to match with the release of a new product (Office
2010). Core confirms that it will publish advisory CORE-2009-0813 on
March 9th to inform affected users of the risk created by this
vulnerability.
. 2010-02-26:
Core informs Microsoft that the Proof of Concept file used to trigger
this vulnerability in Movie Maker can be trivially modified to reveal
the bug in Microsoft Producer, by changing its extension from ".MSWMM"
to ".MSProducer". Core sends an updated version of advisory
CORE-2009-0813 as requested by Microsoft.
. 2010-03-09:
Microsoft Security Bulletin MS10-016 [2] is released, which fixes the
vulnerability in Movie Maker.
. 2010-03-09:
The advisory CORE-2009-0813 is published as user release.
10. *References*
[1] About Core Security's Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-016
http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuWvrcACgkQyNibggitWa1XQACeI3uhCN5nVjAjseSZpRh0R2Bn
0T4An2XAB94FkLyN0Pq5G3NWzOzM9Ibq
=efAg
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists