From Advisories@eeye.com Tue Feb 14 17:47:49 2006
From: eEye Advisories
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk, ntbugtraq@ntbugtraq.com
Date: Tue, 14 Feb 2006 14:49:09 -0800
Subject: [Full-disclosure] [EEYEB-20051017] Windows Media Player BMP Heap Overflow

EEYEB-20051017 Windows Media Player BMP Heap Overflow

Release Date: February 14, 2006
Date Reported: October 17, 2005
Patch Development Time (In Days): 60
Severity: High (Remote Code Execution)
Vendor: Microsoft

Systems Affected:
Microsoft Windows Media Player 7.1 through 10
Windows NT 4.0
Windows 98 / ME
Windows 2000 SP4
Windows XP SP1 / SP2
Windows 2003

eEye ID: EEYEB-20051017
CVE: CVE-2006-0006

Overview:

eEye Digital Security has discovered a critical vulnerability in Windows Media Player. The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the player.

The security issue is present in Windows Media Player versions 7.1 through 10 on all Windows operating systems. The flaw is a heap overflow, and an attacker can reach it through multiple vectors: creating an .asx file and opening it via a URL, using an ActiveX control embedded in an HTML page, or creating a Media Player skin file.

Technical Description:

Windows Media Player (WMP) can display bitmap (.bmp) files, using one of its DLLs to process the file. It does not, however, correctly process a .bmp file whose header declares the file size as 0. In that case WMP allocates a heap block based on a size of 0 but then copies the real file length into it, so a specially crafted .bmp file that declares its size as 0 causes the overflow.

With the declared size set to 0, the allocation still returns a heap block, which in practice is 0x2*8 bytes in size. When the data is copied, two conditions are checked:

1. The copy length must be less than the declared size minus the BMP header size. With a declared size of 0 this is 0 - 0xe (the BMP header size) = 0xfffffff2, an unsigned underflow, so this bound no longer limits the copy.
2. The copy length must be less than 0x1000.

So if the real file size is less than 0x1000, WMP copies the real file size into the 0x2*8-byte heap block; if the real file size is larger than 0x1000, it copies the first 0x1000 bytes into the 0x2*8-byte heap block.

Protection:

Retina Network Security Scanner has been updated to identify this vulnerability.

Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.

Vendor Status:

Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx

Credit: Fang Xing

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
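The size check described in the technical description, as an added example that is not eEye's or Microsoft's code: a C model of the flawed bound (declared size minus header size, computed in unsigned arithmetic and capped at 0x1000) next to a hardened header parser that rejects a declared size smaller than the header or larger than the data actually held. The constants 0x0e, 0x1000 and 0x2*8 are the advisory's; the function names, the modelling of the size-0 allocation as a fixed 16-byte block, and the sample headers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BMP_FILE_HEADER_SIZE 0x0eu   /* BITMAPFILEHEADER length cited in the advisory */
#define COPY_CHUNK_LIMIT     0x1000u /* second bound on the copy, from the advisory */
#define ZERO_SIZE_ALLOC      0x10u   /* 0x2*8 bytes: block the advisory says results for size 0 (assumed fixed) */

struct copy_plan {
    uint32_t alloc; /* bytes allocated for the bitmap data */
    uint32_t copy;  /* bytes the copy loop would write */
};

/* Model of the flawed logic described in the advisory (a reconstruction for
 * illustration, not WMP's code): the copy is bounded by (declared - header)
 * in unsigned arithmetic and by 0x1000. With declared == 0 the first bound
 * wraps to 0xfffffff2, so only the 0x1000 cap and the real length remain. */
struct copy_plan flawed_plan(uint32_t declared, uint32_t actual_len)
{
    struct copy_plan p;
    uint32_t bound = declared - BMP_FILE_HEADER_SIZE; /* underflows when declared < 0x0e */
    uint32_t n = actual_len;

    p.alloc = (declared == 0) ? ZERO_SIZE_ALLOC : declared;
    if (n > bound) n = bound;
    if (n > COPY_CHUNK_LIMIT) n = COPY_CHUNK_LIMIT;
    p.copy = n;
    return p;
}

/* 1 if the flawed plan would write past its allocation, else 0. */
int flawed_plan_overflows(uint32_t declared, uint32_t actual_len)
{
    struct copy_plan p = flawed_plan(declared, actual_len);
    return p.copy > p.alloc;
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parse: trust the declared size only after checking it against the
 * header length (which blocks the underflow) and against the bytes actually
 * present. Returns the payload byte count to copy, or -1 if the file is rejected. */
long safe_bmp_payload_len(const uint8_t *buf, size_t len)
{
    uint32_t declared;

    if (len < BMP_FILE_HEADER_SIZE) return -1;
    if (buf[0] != 'B' || buf[1] != 'M') return -1;
    declared = rd32le(buf + 2);                      /* bfSize, little-endian */
    if (declared < BMP_FILE_HEADER_SIZE) return -1;  /* declared - 0x0e can no longer wrap */
    if (declared > len) return -1;                   /* must not exceed the data we hold */
    return (long)(declared - BMP_FILE_HEADER_SIZE);
}

/* Constructed sample headers (not real files): 'BM', bfSize, reserved, bfOffBits. */
const uint8_t SAMPLE_SIZE_ZERO[14] = {
    'B', 'M', 0x00, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0x0e, 0, 0, 0 };
const uint8_t SAMPLE_SIZE_OK[18] = {
    'B', 'M', 0x12, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0x0e, 0, 0, 0,
    0xaa, 0xbb, 0xcc, 0xdd }; /* bfSize = 0x12 = 18, matching the buffer length */

int main(void)
{
    struct copy_plan p = flawed_plan(0, 0x200);
    printf("declared 0, real 0x200: alloc=%#lx copy=%#lx overflow=%d\n",
           (unsigned long)p.alloc, (unsigned long)p.copy, flawed_plan_overflows(0, 0x200));
    printf("hardened parse, declared 0:  %ld\n",
           safe_bmp_payload_len(SAMPLE_SIZE_ZERO, sizeof SAMPLE_SIZE_ZERO));
    printf("hardened parse, declared 18: %ld\n",
           safe_bmp_payload_len(SAMPLE_SIZE_OK, sizeof SAMPLE_SIZE_OK));
    return 0;
}
```

The hardened parser shows the two checks a decoder needs before using a header-supplied length: reject any declared size that is smaller than the fixed header (so the subtraction cannot wrap), and reject any declared size that exceeds the bytes actually read, so that the allocation and the copy are always derived from the same validated number.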