Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [EEYEB-20051017] Windows Media Player BMP Heap Overflow



> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx] 
> Sent: Wednesday, February 15, 2006 1:49 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx; 
> full-disclosure@xxxxxxxxxxxxxxxxx; ntbugtraq@xxxxxxxxxxxxx
> Subject: [EEYEB-20051017] Windows Media Player BMP Heap Overflow
> 
> EEYEB-20051017 Windows Media Player BMP Heap Overflow
> 
> Release Date:
> February 14, 2006
> 
> Date Reported:
> October 17, 2005
> 
> Patch Development Time (In Days):
> 60
> 
> Severity:
> High (Remote Code Execution)
> 
> Vendor:
> Microsoft
> 
> Systems Affected:
> Microsoft Windows Media Player 7.1 through 10
> 
> Windows NT 4.0
> Windows 98 / ME
> Windows 2000 SP4
> Windows XP SP1 / SP2
> Windows 2003
> 
> eEye ID: EEYEB-20051017
> CVE: CVE-2006-0006
> 
> Overview:
> eEye Digital Security has discovered a critical vulnerability in Windows
> Media Player. The vulnerability allows a remote attacker to reliably
> overwrite heap memory with user-controlled data and execute arbitrary
> code in the context of the user who executed the player.
> 
> Windows Media Player has a security issue within Media Player versions
> 7.1 through 10 on all Windows OSes. This flaw is a heap overflow, and an
> attacker can use multiple vectors to exploit it. Attackers can create
> .asx files and open them with a URL, use ActiveX embedded in an HTML page
> or create a Media Player skin file.
> 
> 
> Technical Description:
> 
> Windows Media Player can play bitmap format files, such as a .bmp file,
> and uses Windows Media Player (WMP) to decode the .dll process bmp file.
> But it can't correctly process a bmp file which declares its size as 0.
> In this case, WMP will allocate a heap size of 0 but in fact, it will
> copy to the heap with the real file length. So a special bmp file that
> declares its size as 0 will cause the overflow. When changing the size
> to 0, WMP will allocate the heap of the new function, so actually it
> will allocate 0x2*8(heap) sized heap. When we copy the data it will
> check two conditions:
> 
> 1.    less than the size - the bmp head, this is 0-0xe(the bmp head
> size) = 0xfffffff2
> 2.    less than 0x1000
> 
> So if the real file size is less than 0x1000, it will copy the real data
> size to the 0x2*8 heap; if the real file size is larger than 0x1000, it
> will copy the first 0x1000 to the 0x2*8 heap.
> 
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability.
> Blink - Endpoint Vulnerability Prevention - preemptively protects from
> this vulnerability.
> 
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at: 
> http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
> 
> Credit:
> Fang Xing
> 
> Copyright (c) 1998-2006 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of eEye. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please email
> alert@xxxxxxxx for permission.
> 
> Disclaimer
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are no warranties, implied or express, with regard to this information.
> In no event shall the author be liable for any direct or indirect
> damages whatsoever arising out of or in connection with the use or
> spread of this information. Any use of this information is at the user's
> own risk.
> 
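The advisory's technical description boils down to a length check done in unsigned arithmetic: the declared file size minus the 14-byte BMP file header wraps to 0xfffffff2 when the declared size is 0, so only the 0x1000 cap bounds the copy into a zero-sized allocation. The following C program is an added illustration written for this archive page, not eEye's or Microsoft's code, and it assumes nothing about WMP internals beyond the two conditions the advisory lists. It models that flawed bound computation beside a header validator that rejects a BITMAPFILEHEADER whose bfSize is smaller than the header itself or larger than the data actually read; the sample header bytes are constructed here, not taken from a real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HEADER_LEN 14u   /* sizeof(BITMAPFILEHEADER) on disk */
#define CHUNK_LIMIT         0x1000u

/* Read a little-endian 32-bit value from a byte buffer. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy bound computed the way the advisory describes the flaw (modelled here,
 * hypothetical): "declared size minus header" in unsigned arithmetic, then
 * capped at 0x1000. With declared_size == 0 the subtraction wraps to
 * 0xfffffff2, so the bound is min(file_len, 0x1000) regardless of how much
 * memory was actually allocated for the image (0 bytes in the advisory). */
uint32_t flawed_copy_bound(uint32_t declared_size, uint32_t file_len) {
    uint32_t remaining = declared_size - BMP_FILE_HEADER_LEN; /* wraps if declared < 14 */
    uint32_t n = file_len;
    if (n > remaining)   n = remaining;
    if (n > CHUNK_LIMIT) n = CHUNK_LIMIT;
    return n;
}

typedef enum {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,       /* fewer than 14 bytes available */
    BMP_ERR_MAGIC,           /* not "BM" */
    BMP_ERR_SIZE_TOO_SMALL,  /* bfSize < header length (covers bfSize == 0) */
    BMP_ERR_SIZE_MISMATCH,   /* bfSize claims more bytes than we actually have */
    BMP_ERR_OFFSET           /* bfOffBits points outside the declared file */
} bmp_status;

/* Hardened check: validate the 14-byte file header against the real buffer
 * length before any allocation or copy is sized from it. On success,
 * *payload_len is the number of bytes after the header and cannot wrap,
 * because declared >= BMP_FILE_HEADER_LEN has already been established. */
bmp_status validate_bmp_header(const uint8_t *buf, size_t len, uint32_t *payload_len) {
    if (len < BMP_FILE_HEADER_LEN)          return BMP_ERR_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M')     return BMP_ERR_MAGIC;
    uint32_t declared = le32(buf + 2);      /* bfSize */
    uint32_t off_bits = le32(buf + 10);     /* bfOffBits */
    if (declared < BMP_FILE_HEADER_LEN)     return BMP_ERR_SIZE_TOO_SMALL;
    if (declared > len)                     return BMP_ERR_SIZE_MISMATCH;
    if (off_bits < BMP_FILE_HEADER_LEN || off_bits > declared)
                                            return BMP_ERR_OFFSET;
    *payload_len = declared - BMP_FILE_HEADER_LEN;
    return BMP_OK;
}

/* Build a constructed sample: "BM", bfSize = declared, reserved = 0,
 * bfOffBits = 0x36 (header + 40-byte info header), zero-filled body. */
void build_sample(uint8_t *out, size_t len, uint32_t declared) {
    memset(out, 0, len);
    out[0] = 'B'; out[1] = 'M';
    out[2] = (uint8_t)declared;         out[3] = (uint8_t)(declared >> 8);
    out[4] = (uint8_t)(declared >> 16); out[5] = (uint8_t)(declared >> 24);
    out[10] = 0x36;
}

int main(void) {
    uint8_t file[64];
    uint32_t payload = 0;

    build_sample(file, sizeof file, 0);   /* bfSize == 0, as in the advisory */
    printf("flawed bound for bfSize=0, 64-byte file: %u bytes into a 0-byte heap block\n",
           flawed_copy_bound(0, (uint32_t)sizeof file));
    printf("validator verdict: %d (expected BMP_ERR_SIZE_TOO_SMALL=%d)\n",
           validate_bmp_header(file, sizeof file, &payload), BMP_ERR_SIZE_TOO_SMALL);

    build_sample(file, sizeof file, (uint32_t)sizeof file);  /* honest header */
    printf("validator verdict: %d, payload=%u\n",
           validate_bmp_header(file, sizeof file, &payload), payload);
    return 0;
}
```

The point of the validator is ordering: every size that later drives an allocation or a copy is compared against the number of bytes actually read before it is used, and the subtraction only happens after the lower bound is established, so no wraparound is possible. The same pattern applies to any container format whose header carries its own length.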
Copyright © Lexa Software, 1996-2009.