[NT] Windows Media Player .ASF Processor Buffer Overflow Vulnerability
From: support@securiteam.com
Date: 11/25/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Windows Media Player .ASF Processor Buffer Overflow Vulnerability
Message-Id: <20011125064442.D6496138BF@mail.der-keiler.de>
Date: Sun, 25 Nov 2001 07:44:42 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Windows Media Player .ASF Processor Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
One of the streaming media formats supported by Windows Media Player is
Advanced Streaming Format (ASF). A security hole is exposed in Windows
Media Player 6.4 when playing malformed ASF files due to an unchecked
buffer in the code that processes the ASF format.
By creating an especially malformed ASF file and inducing a user to play
it, an attacker could overrun an internal buffer, with either of two
results: in the simplest case, Windows Media Player 6.4 would fail; in the
more complex case, code chosen by the attacker could be made to run on the
user's computer, with the privileges of the user. The scope of this
vulnerability is rather limited. It affects only Windows Media Player 6.4,
and can only be exploited by the user opening and deliberately playing an
ASF file. There is no capability to exploit this vulnerability via email
or a web page.
Microsoft has released a patch that eliminates this, as well as additional
vulnerabilities. Specifically, it eliminates all known vulnerabilities
affecting Windows Media Player 6.4 - discussed in Microsoft Security
Bulletins MS00-090, MS01-029, and MS01-042 - as well as some additional
variants of these vulnerabilities that were discovered internally by
Microsoft. Some of these vulnerabilities could be exploited via email or a
web page. In addition, some affect components of Windows Media Player 6.4
that, for purposes of backward compatibility, ship with Windows Media
Player 7 and 7.1. Microsoft therefore recommends that customers running
any of these versions of Windows Media Player apply the patch to ensure
that they are fully protected against all known vulnerabilities.
Windows Media Player for Windows XP includes components of Windows Media
Player 6.4, but they are not affected by the ASF buffer overrun or by any
of the other vulnerabilities discussed in the security bulletins listed
above. However, the version 6.4 components that ship with Windows Media
Player for Windows XP are affected by some of the newly discovered
variants of these vulnerabilities. Rather than installing this patch,
however, we recommend that customers install the 25 October 2001 Critical
Update for Windows XP.
DETAILS
Affected Software:
* Windows Media Player 6.4
* Windows Media Player 7
* Windows Media Player 7.1
* Windows Media Player for Windows XP
Mitigating factors:
* Windows Media Player runs in the security context of the user, rather
than as a system component. At best, an attacker could gain the privileges
of the user on the system. Systems configured in accordance with the least
privilege principle would be at less risk from this vulnerability.
* The vulnerability could only be exploited if the user opened and played
an affected ASF file.
* The attacker would need to know the specific operating system that the
user was running in order to tailor the attack code properly; if the
attacker made an incorrect guess about the user's operating system
platform, the attack would crash the user's Windows Media Player session,
but not run code of the attacker's choice.
Patch availability:
Download locations for this patch
* Windows Media Player 6.4, 7, or 7.1:
http://download.microsoft.com/download/winmediaplayer/Update/308567/WIN98MeXP/EN-US/wm308567.exe
* Windows Media Player for Windows XP:
http://www.windowsupdate.com
What vulnerabilities are eliminated by this patch?
This patch eliminates all known security vulnerabilities affecting Windows
Media Player 6.4:
* A vulnerability involving the processor for Advanced Streaming Format
(ASF) files
* The vulnerabilities previously discussed in Microsoft Security
Bulletins MS00-090, MS01-029, and MS01-042, including some newly
discovered variants of these vulnerabilities.
What's the scope of the first vulnerability?
This is a buffer-overrun vulnerability. An attacker who could entice
another user into opening a particular type of streaming media file would
be able to use the vulnerability to run programs on the user's computer.
Such programs would be capable of taking any action on the user's machine
that the user himself could take, including adding, creating or deleting
files, communicating with web sites or potentially even reformatting the
hard drive.
The vulnerability could only be exploited if the attacker could entice
another user into opening an affected streaming media file and playing
it. It could not be exploited via either email or a web page.
What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a
section of Windows Media Player that handles .ASF files. By including a
particular type of malformed entry in an .ASF file, an attacker could
cause chosen code to execute when a user played the file.
What are .ASF files?
ASF (Advanced Streaming Format) is a data format used for storing
streaming media data and sending it over networks. It was introduced in
Windows Media Player 6.4, but is supported by all subsequent versions of
the player.
What's wrong with the way Windows Media Player handles .ASF files?
The portion of Windows Media Player 6.4 that handles ASF files does not
properly check inputs before processing them. It would be possible for an
attacker to construct an especially malformed ASF file that would overrun
an internal buffer in the player, thereby changing the operation of the
player while it was running.
What would be the effect of exploiting the vulnerability?
As we noted above, the vulnerability would, in essence, allow an attacker
to modify the operation of the player. The effect of doing this would
depend on the specific modifications that were made. If the attacker
simply overwrote the player's executable code with random data, it would
cause the player to fail. This would not have any real security
ramifications - the user could simply restart the player and resume normal
operation.
On the other hand, if the attacker overwrote the player's executable code
with valid instructions, it would be possible to change the operation of
the media player and make it take actions of the attacker's choosing. This
would pose a significant security threat.
How could an attacker exploit the vulnerability?
An attacker would need to create an ASF file containing the malformed
entry discussed above, and then convince another user to open it and play
it. This is a significant limitation on the severity of the vulnerability.
In some previous vulnerabilities affecting Windows Media Player 6.4, the
attacker could create an HTML mail that would exploit the vulnerability
simply by being opened, or a web page that could exploit the vulnerability
simply by being viewed. In this case, however, the user would need to
deliberately open the file and play it.
You said that the attacker would need to know the specific operating
system that the user was running. Why is that?
As we mentioned above, the most dangerous use of this vulnerability would
involve changing the operation of Windows Media Player while it was
running. However, the specific changes that would be needed would vary
depending on the operating system that was in use. As a result, the
attacker would need to know (or guess) what operating system the user was
running. If the attacker guessed wrong, the player would fail, but this
would not pose a security threat.
If I'm using a version of Windows Media Player other than 6.4, do I need
this patch?
Only Windows Media Player 6.4 is affected by this vulnerability. However,
as discussed below, the patch eliminates additional vulnerabilities, and
users of post-6.4 versions should install it to eliminate them.
What does the patch do?
The patch eliminates the vulnerability by implementing proper input
validation for .ASF files.
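The unchecked-buffer pattern the bulletin describes, and the kind of input validation the patch adds, shown as an added C example that is not from the bulletin or from Microsoft's code: a walker over ASF top-level objects that validates every size field before using it as a length, run over constructed sample objects. Assumed here: the object layout (16-byte GUID plus a 64-bit little-endian size that includes the 24-byte header, per the ASF specification), the MAX_OBJ_DATA buffer that stands in for the player's internal buffer, and the demo inputs.

```c
#include <stdint.h>
#include <string.h>
/* ASF top-level objects start with a 16-byte GUID followed by a 64-bit little-endian
 * object size that counts the 24-byte header itself (layout per the ASF specification).
 * Illustrative hardened walker, not Windows Media Player code; MAX_OBJ_DATA stands in
 * for the fixed internal buffer that an unchecked size field could overrun. */
#define ASF_OBJ_HDR 24u
#define MAX_OBJ_DATA 64u
enum asf_status { ASF_OK = 0, ASF_ERR_TRUNCATED, ASF_ERR_BAD_SIZE, ASF_ERR_TOO_LARGE };
static uint64_t rd_le64(const uint8_t *p) {
    uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v;
}
/* Walk every object in buf, copying each payload into a fixed buffer. Every size
 * field is validated before it is used as a length; *count is the number of
 * objects accepted before the walk stopped. */
enum asf_status asf_walk(const uint8_t *buf, size_t len, unsigned *count) {
    uint8_t data[MAX_OBJ_DATA];
    size_t off = 0;
    *count = 0;
    while (off < len) {
        if (len - off < ASF_OBJ_HDR) return ASF_ERR_TRUNCATED;   /* header must fit */
        uint64_t size = rd_le64(buf + off + 16);
        if (size < ASF_OBJ_HDR) return ASF_ERR_BAD_SIZE;         /* must cover its own header */
        if (size > len - off) return ASF_ERR_TRUNCATED;           /* must fit inside the file */
        size_t payload = (size_t)(size - ASF_OBJ_HDR);
        if (payload > sizeof data) return ASF_ERR_TOO_LARGE;      /* the check an unchecked copy omits */
        memcpy(data, buf + off + ASF_OBJ_HDR, payload);
        off += ASF_OBJ_HDR + payload;
        (*count)++;
    }
    return ASF_OK;
}
/* Constructed sample input (not real ASF content): placeholder GUID bytes + size. */
static uint8_t *mk_obj(uint8_t *p, uint64_t size) {
    memset(p, 0xAB, 16);
    for (int i = 0; i < 8; i++) p[16 + i] = (uint8_t)(size >> (8 * i));
    return p + ASF_OBJ_HDR;
}
/* kind 0: well-formed; 1: size fits the file but the payload exceeds the internal
 * buffer; 2: the size field claims more bytes than the file contains. */
enum asf_status demo(int kind, unsigned *count) {
    static uint8_t file[ASF_OBJ_HDR + 8 + ASF_OBJ_HDR + 128];
    uint64_t second = kind == 1 ? ASF_OBJ_HDR + 128u : kind == 2 ? ASF_OBJ_HDR + 0x10000u : ASF_OBJ_HDR + 4u;
    memset(file, 0, sizeof file);
    uint8_t *p = mk_obj(file, ASF_OBJ_HDR + 8) + 8;               /* first object: 8-byte payload */
    mk_obj(p, second);
    size_t len = (size_t)(p - file) + ASF_OBJ_HDR + (kind == 0 ? 4 : 128);
    return asf_walk(file, len, count);
}
```

Both malformed inputs are rejected before any byte is copied, which is the difference between a parser that fails closed and one whose fixed buffer is overrun by an attacker-chosen length.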
What are the additional vulnerabilities eliminated by this patch?
This is a cumulative patch, and eliminates every known security
vulnerability affecting Windows Media Player 6.4. In addition to
eliminating the vulnerability discussed above, this patch also includes
the fixes provided in Microsoft Security Bulletins MS00-090, MS01-029, and
MS01-042, and fixes for several new variants of the vulnerabilities
discussed in them.
What is the scope of these additional vulnerabilities?
Security Bulletins MS00-090, MS01-029, and MS01-042 discuss the
vulnerabilities in detail, but in the worst case, they could enable an
attacker to run programs with the privileges of the user. There are two
likely scenarios through which an attacker might be able to exploit these
vulnerabilities:
* The attacker could send an HTML email to another user that, when opened
by the recipient, would exploit the vulnerability. This approach would
allow the attacker to target specific users, but would be blocked by the
Outlook E-Mail Security Update, which is built into Outlook 2002 by
default.
* The attacker could host a file on a web site that would launch
automatically when a user visited the site, and which would exploit the
vulnerability. This approach would require that the attacker wait for the
potential victims to come to his site.
I am using another version of Windows Media Player. Do I need to install
this patch?
Yes. Although the vulnerabilities eliminated by this patch only affect
components of Windows Media Player 6.4, some of these components are
included in other versions of the player. For this reason, customers using
Windows Media Player 6.4, 7, or 7.1 should install the patch and, as
discussed below, customers using Windows Media Player for Windows XP
should install the 25 October Critical Update for Windows XP.
Why are components of Windows Media Player 6.4 installed as part of other
versions of Windows Media Player?
Beginning with version 7 of Windows Media Player, the methods through
which certain actions are requested were changed. This meant that, for
instance, a web page that had been coded to work with Windows Media Player
6.4 would not work with Windows Media Player 7. Because of this, some of
the Windows Media Player 6.4 components were included with subsequent
versions of the Player, in order to ensure that web pages could work
effectively regardless of the version of Windows Media Player a user had
installed.
Is Windows Media Player for Windows XP affected by any of these
vulnerabilities?
Yes. Windows Media Player for Windows XP does include some components from
Windows Media Player 6.4. All of the vulnerabilities discussed in Security
Bulletins MS00-090, MS01-029, and MS01-042 were corrected prior to the
release of Windows XP. However, some of the new variants referred to above
are present in the Windows Media Player 6.4 components that shipped with
Windows Media Player for Windows XP.
Customers using Windows XP should not install the patch discussed above.
Instead, they should install the 25 October Critical Update for Windows
XP, which eliminates these vulnerabilities as well as the ones discussed
in Microsoft Security Bulletins MS01-050 and MS01-054.
I have not installed Windows Media Player. Do I need to apply a patch?
Depending on the operating system you are using, you might need to, as
Windows Media Player ships as part of several operating systems. Of the
affected versions listed above, only two of them - Windows Media Player
6.4 and Windows Media Player for Windows XP - shipped as part of an
operating system. Windows Media Player 6.4 shipped as part of both Windows
ME and Windows 2000, and Windows Media Player for Windows XP ships as part
of Windows XP.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security
<mailto:secnotif@microsoft.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.