Thread-topic: iDefense Security Advisory 02.14.06: Microsoft Windows Media PlayerPlugin Buffer Overflow Vulnerability
> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@xxxxxxx
> defense.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @lists.idefense.com] On Behalf Of iDEFENSE Labs Security Advisories
> Sent: Tuesday, February 14, 2006 9:17 PM
> To: idlabs-advisories@xxxxxxxxxxxxxxxxxx
> Subject: iDefense Security Advisory 02.14.06: Microsoft
> Windows Media PlayerPlugin Buffer Overflow Vulnerability
>
> Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability
>
> iDefense Security Advisory 02.14.06
>
> hp?id=393
> February 14, 2006
>
> I. BACKGROUND
>
> Windows Media Player is a full featured Audio/Visual playback
> application offered by Microsoft. The Windows Media Player package
> also contains a plugin component that can be utilized from most
> modern browsers such as Internet Explorer, Opera, Firefox,
> and Netscape.
>
> More information on the product can be found from the
> Microsoft Windows
> Media Web Site:
>
>
>
> II. DESCRIPTION
>
> Windows Media Player (WMP) can be launched as a plugin in popular
> browsers to view Windows Media Player file types from web pages.
>
> A vulnerability in the Windows Media Player plugin can be
> triggered from
> several popular browsers such as FireFox and Netscape. The issue
> specifically can be triggered when certain browsers launch it with an
> overly long embed src tag from a malicious html page.
>
> Upon successful exploitation, attackers will be able to overwrite a
> Structured Exception Handler (SEH) address and execute
> arbitrary code on
> the system.
>
> The vulnerability specifically lays in npdsplay.10001040 where a
> user supplied string is copied to a stack based buffer:
>
> 1000171A C1E9 02 SHR ECX,2
> >> 1000171D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR
> DS:[ESI]
> 1000171F 8BC8 MOV ECX,EAX
>
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability allows attackers to
> execute code within the context of the currently logged in user. The
> victim would have to visit a malicious website using Firefox
> or Netscape
> browsers and have Windows Media Player installed.
>
> With properly crafted input the attacker is able to execute
> code of his
> choice. Due to unicode translations, shellcode characters are somewhat
> limited to character code values below 0x80. Successful
> exploitation of
> this vulnerability is not significantly impacted by this limitation.
>
> IV. DETECTION
>
> This vulnerability has been tested with Windows Media Player 9 and 10,
> when launched from the following browsers:
>
> * Firefox .9 - Current
> * Netscape 8
>
> Other versions of Windows Media Player may be vulnerable. This exploit
> may be able to be triggered from browsers other than those listed
> above.
>
> This condition does not appear to be able to be launched from Internet
> Explorer or Opera browsers.
>
> V. WORKAROUND
>
> This exploit can only be triggered if Windows Media Player is set as
> the default application to launch media file extensions. Exploitation
> can be prevented by remapping any media file extensions typically
> handled by Windows Media Player to an alternative application.
>
> This exploit can also only be launched from specific browsers. Users
> could use an alternative browser until an official vendor
> supplied patch
> is available.
>
> VI. VENDOR RESPONSE
>
> The vendor has issued the following security advisory for this issue:
>
>
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2006-0005 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 08/31/2005 Initial vendor notification
> 08/31/2005 Initial vendor response
> 02/14/2006 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was submitted to iDefense by John Cobb, as
> well as a
> second researcher who wishes to remain anonymous.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> _______________________________________________
> To unsubscribe, go here:
>
>
