Advisories
Vulnerability in DirectShow Could Allow Remote Code Execution
Release Date:
October 11, 2005
Date Reported:
May 10, 2005
Patch Development Time (In Days):
Severity:
High (Remote Code Execution)
Vendor:
Mircosoft
Systems Affected:
Windows Media Player 9 on Windows 98, 98SE, ME
Windows Media Player 9 on windows 2000 SP1 - SP4
Windows Media Player 9 on Widnows XP SP1 - SP2
Windows Media Player 9 on Windows Server 2003 SP1
Overview:
eEye Digital Security has discovered a vulnerability in the Windows Media Player 9 AVI movie codec that allows memory at an arbitrary address to be modified when a specially crafted AVI file is played. Exploitation of this vulnerability can allow the execution of attacker-supplied code on a victim's system with the privileges of the user who attempted to open the movie file.
Technical Details:
Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie files. Due to a lack of validation, QUARTZ can be made to store a null byte to an arbitrary memory location by creating a malformed "strn" element with a specifically chosen length field. The following vulnerable code in CAviMSROutPin::ParseHeader attempts to place a null terminator after the ASCIIZ string contained in the "strn" data:
6858A436 cmp edi, 6E727473h ; EDI = [EAX], element's "strn" tag
6858A43C jz 6858A45C
...
6858A45C cmp ecx, ebx ; EBX = 0
6858A45E jbe 6858A44C
6858A460 lea ecx, [eax+8] ; ECX -> start of element data
...
6858A469 mov edi, [eax+4] ; EDI = element length
6858A46C cmp byte ptr [ecx+edi-1], 0
6858A471 lea ecx, [ecx+edi-1]
6858A475 jz 6858A44C
6858A477 and byte ptr [ecx], 0
This vulnerability can be used to produce exploitation conditions resembling those of a heap overflow, by modifying the encompassing heap block's own header. Alength value of -(offset of "strn" element - 18h + 7) will cause the second byte of the block size field (at offset -7 within the heap header) to be zeroed, resulting in the heap management code operating on arbitrary data from offsets below 800h within the mutilated heap block.
Because the destination for the stored null terminator is relative to the address of the "strn" element -- and therefore relative to the start of the heap block -- reliable exploitation is possible, and has been demonstrated on each of the affected versions of Windows.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx
Credit:
Discovery: Fang Xing
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Thanks Derek and eEye guys help me analyze and wrote the advisory, greetz xfocus and venus-tech lab's guys.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
October 11, 2005
Date Reported:
May 10, 2005
Patch Development Time (In Days):
 |
|
|
|
| 154 |
Severity:
High (Remote Code Execution)
Vendor:
Mircosoft
Systems Affected:
Windows Media Player 9 on Windows 98, 98SE, ME
Windows Media Player 9 on windows 2000 SP1 - SP4
Windows Media Player 9 on Widnows XP SP1 - SP2
Windows Media Player 9 on Windows Server 2003 SP1
Overview:
eEye Digital Security has discovered a vulnerability in the Windows Media Player 9 AVI movie codec that allows memory at an arbitrary address to be modified when a specially crafted AVI file is played. Exploitation of this vulnerability can allow the execution of attacker-supplied code on a victim's system with the privileges of the user who attempted to open the movie file.
Technical Details:
Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie files. Due to a lack of validation, QUARTZ can be made to store a null byte to an arbitrary memory location by creating a malformed "strn" element with a specifically chosen length field. The following vulnerable code in CAviMSROutPin::ParseHeader attempts to place a null terminator after the ASCIIZ string contained in the "strn" data:
6858A436 cmp edi, 6E727473h ; EDI = [EAX], element's "strn" tag
6858A43C jz 6858A45C
...
6858A45C cmp ecx, ebx ; EBX = 0
6858A45E jbe 6858A44C
6858A460 lea ecx, [eax+8] ; ECX -> start of element data
...
6858A469 mov edi, [eax+4] ; EDI = element length
6858A46C cmp byte ptr [ecx+edi-1], 0
6858A471 lea ecx, [ecx+edi-1]
6858A475 jz 6858A44C
6858A477 and byte ptr [ecx], 0
This vulnerability can be used to produce exploitation conditions resembling those of a heap overflow, by modifying the encompassing heap block's own header. Alength value of -(offset of "strn" element - 18h + 7) will cause the second byte of the block size field (at offset -7 within the heap header) to be zeroed, resulting in the heap management code operating on arbitrary data from offsets below 800h within the mutilated heap block.
Because the destination for the stored null terminator is relative to the address of the "strn" element -- and therefore relative to the start of the heap block -- reliable exploitation is possible, and has been demonstrated on each of the affected versions of Windows.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx
Credit:
Discovery: Fang Xing
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Thanks Derek and eEye guys help me analyze and wrote the advisory, greetz xfocus and venus-tech lab's guys.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
