[NT] Exploitable Windows XP Media Files
From: support@securiteam.com
Date: 12/19/02
From: support@securiteam.com To: list@securiteam.com Date: 19 Dec 2002 17:33:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Exploitable Windows XP Media Files
------------------------------------------------------------------------
SUMMARY
A buffer overflow exists in Explorer's automatic reading of MP3 or WMA
(Windows Media Audio) file attributes in Windows XP. An attacker could
create a malicious MP3 or WMA file that, if placed in a folder that is
browsed on a Windows XP system, would compromise the system and allow
remote code execution. The MP3 does not need to be played; it simply needs
to be stored in a folder that is browsed to, such as an MP3 download
folder, the desktop, or a NetBIOS share. This vulnerability is also
exploitable via Internet Explorer by loading a malicious web site.
Microsoft's WMA files suffer from a similar vulnerability.
A Windows XP user visiting the site using Internet Explorer would be
remotely compromised without any warning or download of files regardless
of Internet Explorer security settings.
DETAILS
Unlike Windows 2000, Windows XP natively supports reading and parsing MP3
and WMA file attributes. If a user highlights an MP3 or WMA file with the
cursor, applicable details of the media file will be displayed. Explorer
automatically reads file attributes regardless of whether or not the user
actually highlights, clicks on, reads, or opens the file. Windows XP's
Explorer will overflow if corrupted attributes exist within the MP3 or WMA
file.
An unsuspecting user merely needs to browse a folder (local or network
share) that contains the file. For example, a user running Windows XP
could download an MP3 from an Internet-based peer-to-peer file sharing
service (or anywhere else on the Internet) and then open their MP3 folder
(to listen to that MP3 or any other MP3). Upon folder access, Explorer
would execute the code contained within the file attributes. The code
could do anything from running a reverse shell to infecting other MP3
files on the computer.
Users of Windows 2000 or other non-Windows XP operating systems are
unaffected, and even MP3s with corrupt attributes will play fine on those
operating systems with most players.
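The advisory attributes the overflow to corrupted attributes inside the media file, but gives no format details. The following added example (not part of the original advisory or of Foundstone's work) assumes that the MP3 attributes Explorer reads are the ID3v2 tag, and shows a structural sanity check a defender could run over downloaded MP3s before they are dropped into a browsed folder: it flags tags whose declared sizes do not fit the file, frames whose declared length exceeds the remaining tag, and non-alphanumeric frame ids. The sample tags are constructed inline.

```python
import struct

def _syncsafe(b):
    """Decode a 4-byte syncsafe integer (7 data bits per byte) from an ID3v2 header."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def check_id3v2(data):
    """Return a list of findings describing structural problems in an ID3v2 tag.
    An empty list means the tag looks well-formed, or the file carries no tag."""
    findings = []
    if len(data) < 10 or data[:3] != b"ID3":
        return findings  # no ID3v2 tag: nothing for a tag parser to trip over
    major = data[3]
    if any(x & 0x80 for x in data[6:10]):
        findings.append("tag size bytes are not syncsafe (high bit set)")
    tag_size = _syncsafe(data[6:10])
    if 10 + tag_size > len(data):
        findings.append(f"declared tag size {tag_size} exceeds file size {len(data)}")
    end = min(10 + tag_size, len(data))
    pos = 10
    while pos + 10 <= end:  # each frame: 4-byte id, 4-byte size, 2-byte flags
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break  # padding reached
        if not all(65 <= c <= 90 or 48 <= c <= 57 for c in frame_id):
            findings.append(f"non-alphanumeric frame id {frame_id!r} at offset {pos}")
            break
        raw = data[pos + 4:pos + 8]
        size = _syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        if size > end - (pos + 10):
            findings.append(f"frame {frame_id.decode()} declares {size} bytes but only {end - pos - 10} remain")
            break
        pos += 10 + size
    return findings

def _frame(fid, payload):
    """Build an ID3v2.3 frame (plain big-endian size)."""
    return fid + struct.pack(">I", len(payload)) + b"\x00\x00" + payload

def _tag(frames, major=3):
    """Wrap frames in an ID3v2 header with a syncsafe size field."""
    body = b"".join(frames)
    n = len(body)
    ss = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3" + bytes([major, 0, 0]) + ss + body

# Constructed samples: a well-formed tag followed by dummy audio frames,
# and a tag whose TIT2 frame claims far more bytes than the tag holds.
GOOD_MP3 = _tag([_frame(b"TIT2", b"\x00Song"), _frame(b"TPE1", b"\x00Artist")]) + b"\xff\xfb" * 4
BAD_MP3 = _tag([b"TIT2" + struct.pack(">I", 0x7FFFFFFF) + b"\x00\x00" + b"\x00Song"])
```

Run `check_id3v2` over each file in a download folder and quarantine anything that returns findings; a clean result only says the tag is structurally consistent, not that the file is safe.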
Two additional attack vectors exist for this vulnerability via a web
browser as well as Outlook. A malicious website could contain an IFRAME of
a NetBIOS share that holds a malicious MP3. Similarly, an email could be
sent to an Outlook user containing HTML that references the NetBIOS share.
Depending on Outlook security settings and preferences, this attack may
not be directly exploitable via an email message. However, if the user
browses to a malicious web site with Internet Explorer directly, the
attack will work regardless of the Internet Explorer security settings.
Vendor Response:
Microsoft has issued a fix for this vulnerability; it is available at:
http://www.microsoft.com/technet/security/bulletin/MS02-072.asp
In addition, the patch (Q329390) is available via:
http://windowsupdate.microsoft.com
Foundstone would like to thank Microsoft Security Response Center for
their prompt handling of this vulnerability.
Solution:
Foundstone recommends reviewing the Microsoft Security Bulletin and
immediately applying the Microsoft patch.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.foundstone.com/knowledge/randd-advisories-display.html?id=339
The information has been provided by Tony Bettini, Foundstone
(tony.bettini@foundstone.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.