[NT] Vulnerability in PNG Processing Allows Remote Code Execution (MS05-009)

From: SecuriTeam (support_at_securiteam.com)
Date: 02/09/05

    To: list@securiteam.com
    Date: 9 Feb 2005 18:21:32 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Vulnerability in PNG Processing Allows Remote Code Execution (MS05-009)
    ------------------------------------------------------------------------

    SUMMARY

    A remote code execution vulnerability exists in Windows Media Player,
    Windows Messenger and MSN Messenger because they do not properly handle
    PNG files with excessive width or height values. An attacker could try to
    exploit the vulnerability by constructing a malicious PNG that could
    potentially allow remote code execution if a user visited a malicious Web
    site or clicked a link in a malicious e-mail message. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    DETAILS

    Affected Software:
    Microsoft Windows Media Player 9 Series (when running on Windows 2000,
    Windows XP Service Pack 1 and Windows Server 2003) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=A52279DC-3B6C-4720-8192-45657EDBB14F> Download the update
    Microsoft Windows Messenger version 5.0 (standalone version that can be
    installed on all supported operating systems) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774> Download the update
    Microsoft MSN Messenger 6.1 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=EBE898D8-FE1C-4A5E-993C-5FAB3E62C925> Download the update
    Microsoft MSN Messenger 6.2 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=EBE898D8-FE1C-4A5E-993C-5FAB3E62C925> Download the update
    Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME) Review the FAQ section of this
    bulletin for details about these operating systems.

    Non-Affected Software:
     * Windows Media Player 6.4
     * Windows Media Player 7.1
     * Windows Media Player for Windows XP (8.0)
     * Windows Media Player 9 Series for Windows XP Service Pack 2
     * Windows Media Player 10
     * MSN Messenger for Mac

    Affected Components:
    Microsoft Windows Messenger version 4.7.0.2009 (when running on Windows XP
    Service Pack 1) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=E3DC209B-AD57-49E1-BB90-6FA2CA8763A6> Download the update
    Microsoft Windows Messenger version 4.7.0.3000 (when running on Windows XP
    Service Pack 2) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=1DCC9628-E2D0-496F-B4F2-3AFEFA0A0156> Download the update

    CVE Information:
    PNG Processing Vulnerability - CAN-2004-1244
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1244>
    PNG Processing Vulnerability - CAN-2004-0597
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597>

    Mitigating Factors for PNG Processing Vulnerability in Windows Media
    Player:
    In a Web-based attack scenario, an attacker would have to host a Web site
    that contains a Web page that is used to exploit this vulnerability
    through media containing a reference to a malicious PNG file. An attacker
    would have no way to force users to visit a Web site. Instead, an attacker
    would have to persuade them to visit the Web site, typically by getting
    them to click a link that takes them to the attacker's site or to a site
    that has been compromised by the attacker.
    An attacker who successfully exploited this vulnerability could gain the
    same user rights as the local user. Users whose accounts are configured to
    have fewer user rights on the system could be less impacted than users who
    operate with administrative user rights.

    Workarounds for PNG Processing Vulnerability in Windows Media Player:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.
    There are several different attack vectors that Microsoft has identified
    for this vulnerability. Each attack vector has a different workaround.

    Static WMP File Extension Attack workaround
    Disassociate the WMP file extensions.
    Disassociate the file extensions (.ASX, .WAX, .WVX, .WPL, .WMX, .WMS,
    .WMZ) in Windows to avoid previewing or opening files that point to
    malformed PNG files.

    Manual Steps - Windows Media Player method:
     * Launch Windows Explorer
     * On the Tools Menu select Folder Options
     * Select the File Types tab
     * Scroll to find the .ASX file extension and then press the Delete
    button
     * Repeat step 4 for each of the file extensions listed above.

    In addition, enterprise customers can configure Outlook to block the
    dangerous files listed using the steps documented in
    <http://support.microsoft.com/?id=837388> Microsoft Knowledgebase Article
    837388. Use these instructions to add the documented file extensions to
    the Level1 block list.

    Home users can configure Outlook Express to block the dangerous files
    listed using the steps documented in
    <http://support.microsoft.com/?id=291387> Microsoft Knowledge Base Article
    291387. Use this information to configure each of the file extensions as
    confirm open after download in the Windows file types dialog.

    Impact of Workaround: Deleting the file associations with Media Player has
    a high potential for breaking corporate users who may be using Windows
    Media Server / Player to deliver webcasts, training etc.
    Home users trying to watch streaming content on various Web sites may also
    be impacted by implementing this workaround.

    Internet Explorer workaround for WMP ActiveX attack

    Disable the Windows Media Player ActiveX Control. To prevent against an
    attack within a webpage follow these steps to disable the Windows Media
    Player ActiveX Control:

    Follow the instructions documented in
    <http://support.microsoft.com/default.aspx?scid=kb;en-us;q240797>
    Microsoft Knowledge Base Article 240797 to killbit the following CLSIDs in
    Internet Explorer:
    CLSID: {6BF52A52-394A-11D3-B153-00C04F79FAA6}  PROGID: WMPlayer.OCX.7
    CLSID: {22D6F312-B0F6-11D0-94AB-0080C74C7E95}  PROGID: MediaPlayer.MediaPlayer.1
    CLSID: {05589FA1-C356-11CE-BF01-00AA0055595A}  PROGID: AMOVIE.ActiveMovieControl.2

    Impact of Workaround: When you disable the Windows Media Player ActiveX
    control, pages using this control will no longer function as designed.
    This prevents any content from being played through the control, including
    audio and video.

    Content-Type HTTP Header Attack:
    The only way to prevent this attack is to remove all of the possible MIME
    type entries from the registry that associate Windows Media Player with
    the MIME type listed in the Content-Type header being returned by the
    server since they all can be abused to exploit the vulnerability. Below is
    a list of MIME types that are associated with the WMP CLSID.

    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-wpl
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mplayer2
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmd
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmz
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/aiff
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/basic
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mid
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/midi
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mp3
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpeg
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpegurl
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpg
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/wav
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-aiff
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mid
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-midi
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mp3
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpeg
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpegurl
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpg
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wax
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wma
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-wav
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\midi/mid
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/avi
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpeg
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpg
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/msvideo
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ivf
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg2a
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf-plugin
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-msvideo
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wm
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmp
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmv
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmx
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wvx

    Impact of Workaround: These MIME type registry keys all have a CLSID value
    which points to the following CLSID:
    HKEY_CLASSES_ROOT\CLSID\{CD3AFA8F-B84F-48F0-9393-7EDC34128127}\InprocServer32
    This CLSID is associated with WMP.DLL which is responsible for launching
    Windows Media Player when these MIME types are used. Un-registering
    WMP.DLL will break Windows Media Player.
    The MIME types listed in this workaround are specific to Windows XP. There
    may be additional MIME types available on other platforms.
    Additional information about Windows Media Player file name extensions is
    available at the following
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmplay10/mmp_sdk/filenameextensions.asp> MSDN Web site.

    Frequently Asked Questions:
    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    What causes the vulnerability?
    Windows Media Player does not completely validate PNG images that carry
    excessive width or height values.

    What is PNG?
    PNG stands for Portable Network Graphics. The Portable Network Graphics
    (PNG) format was designed to replace the older and simpler GIF format and,
    to some extent, the much more complex TIFF format. Additional information
    about PNG can be found at the following
    <http://www.libpng.org/pub/png/pngintro.html> Web site.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system.

    Who could exploit the vulnerability?
    Any anonymous user who could host a malformed PNG file on a Web site,
    network share, or persuade a user to open a PNG file that is sent as an
    attachment in email could seek to exploit this vulnerability.

    How could an attacker exploit the vulnerability?
    An attacker could exploit the vulnerability by hosting a specially crafted
    PNG file on a Web site or network share, and enticing a user to visit that
    Web site. Additionally, an attacker could send a link to a malicious PNG
    file in an email message and entice a user to click on the link.

    What systems are primarily at risk from the vulnerability?
    Workstations and terminal servers are primarily at risk. Servers could be
    at more risk if users who do not have sufficient administrative
    credentials are given the ability to log on to servers and run programs.
    However, best practices strongly discourage allowing this.

    Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
    critically affected by this vulnerability?
    Windows 98 is not critically affected by this vulnerability; however,
    Windows 98 Second Edition and Windows Millennium Edition are. A Critical
    security update for these platforms is available and is provided as part
    of this security bulletin and can be downloaded from the Windows Update
    Web site.
    For more information about severity ratings, visit the following
    <http://go.microsoft.com/fwlink/?LinkId=21140> Web site.

    What does the update do?
    The update addresses the vulnerability by modifying the way that Windows
    Media Player validates the width and height of a PNG file.
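    The header check this bulletin describes (validating the width and height
    in a PNG's IHDR chunk before any buffer is sized from them) as an added
    Python example; this is my illustration of the defensive check, not
    Microsoft's or libpng's code. The 32-bit-wrap test assumes a decoder that
    computes row and image sizes in 32-bit arithmetic, and the 8192x8192 pixel
    policy cap is an assumed local limit; both are marked as such in the
    comments, and the sample headers are constructed by make_png_header.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# PNG spec: width and height are 4-byte unsigned ints, non-zero and at most 2^31 - 1.
PNG_MAX_DIMENSION = 2 ** 31 - 1
# Assumed local policy cap (not from the advisory): the largest image, in pixels,
# that a viewer is willing to allocate a decode buffer for.
MAX_PIXELS = 8192 * 8192
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel


class PngValidationError(ValueError):
    pass


def read_chunk(data, offset):
    """Return (type, body, next_offset) for the chunk at offset, checking length and CRC."""
    if offset + 8 > len(data):
        raise PngValidationError("truncated chunk header")
    length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
    if length > PNG_MAX_DIMENSION:  # spec limit; also keeps length + 4 from wrapping in C
        raise PngValidationError("chunk length %d exceeds 2^31-1" % length)
    body_start, body_end = offset + 8, offset + 8 + length
    if body_end + 4 > len(data):
        raise PngValidationError("chunk %r runs past end of file" % ctype)
    body = data[body_start:body_end]
    (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise PngValidationError("bad CRC on chunk %r" % ctype)
    return ctype, body, body_end + 4


def validate_png_header(data):
    """Parse signature + IHDR; return (width, height, bit_depth, colour_type) or raise."""
    if not data.startswith(PNG_SIGNATURE):
        raise PngValidationError("missing PNG signature")
    ctype, body, _ = read_chunk(data, len(PNG_SIGNATURE))
    if ctype != b"IHDR" or len(body) != 13:
        raise PngValidationError("first chunk must be a 13-byte IHDR")
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    for name, value in (("width", width), ("height", height)):
        if value == 0 or value > PNG_MAX_DIMENSION:
            raise PngValidationError("%s %d outside 1..2^31-1" % (name, value))
    if colour not in CHANNELS or depth not in (1, 2, 4, 8, 16):
        raise PngValidationError("bad colour type %d / bit depth %d" % (colour, depth))
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        raise PngValidationError("bad compression/filter/interlace byte")
    # Exact sizes (Python ints never wrap) compared with what a decoder doing the
    # same arithmetic in 32 bits would get: a mismatch means an undersized buffer.
    row_bytes = (width * CHANNELS[colour] * depth + 7) // 8 + 1  # +1 for the filter byte
    image_bytes = row_bytes * height
    if image_bytes != image_bytes & 0xFFFFFFFF:
        raise PngValidationError("image size %d would wrap a 32-bit allocation" % image_bytes)
    if width * height > MAX_PIXELS:
        raise PngValidationError("image exceeds policy cap of %d pixels" % MAX_PIXELS)
    return width, height, depth, colour


def make_png_header(width, height, depth=8, colour=6):
    """Build a constructed signature + IHDR chunk (valid CRC) for exercising the validator."""
    ihdr = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


def check(data):
    """Return the validator's verdict as a one-line string."""
    try:
        validate_png_header(data)
        return "accepted"
    except PngValidationError as exc:
        return "rejected: %s" % exc
```

    check(make_png_header(0x7FFFFFFF, 0x7FFFFFFF)) is rejected because the exact
    image size no longer fits in 32 bits, while check(make_png_header(640, 480))
    is accepted.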

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    A vulnerability similar to this has been publicly released and assigned
    Common Vulnerability and Exposure number
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597>
    CAN-2004-0597.

    Is this vulnerability the same as the vulnerability described in
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597>
    CAN-2004-0597?
    While similar to the vulnerability described here, Windows Media Player
    does not use or incorporate the affected libpng library. However, Windows
    Media Player is configured in such a way that makes it susceptible to the
    vulnerability described here.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information to indicate that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    Mitigating Factors for PNG Processing Vulnerability in Windows Messenger:
     * The nature of the vulnerability is different in Windows Messenger than
    in MSN Messenger or Windows Media Player. The vulnerability in Windows
    Messenger would be very complex to exploit and requires a large amount of
    effort and knowledge about the internal network of an organization to
    attempt to exploit this vulnerability.
     * A user would have to be running Windows Messenger and have it
    configured to receive .NET Alerts.

    Workarounds for PNG Processing Vulnerability in Windows Messenger:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.
    Turn off the .NET Alerts feature in Windows Messenger.
     * Open Windows Messenger
     * Go to the Tools menu and select Options
     * In the Options Dialog go to the Privacy tab.
     * Check the option that says "Don't download any tabs to my computer"

    Note: this setting will take effect the next time you sign into Windows
    Messenger.
    .NET Alerts are only available on Passport accounts that have signed up to
    receive them. Users who have never configured their account to receive
    these alerts will not have this setting available.

    FAQ for PNG Processing Vulnerability in Windows Messenger:
    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    What causes the vulnerability?
    Windows Messenger incorporates the public libpng 1.2.5 library, which was
    recently found to have several known vulnerabilities.

    What is PNG?
    PNG stands for Portable Network Graphics. The Portable Network Graphics
    (PNG) format was designed to replace the older and simpler GIF format and,
    to some extent, the much more complex TIFF format. Additional information
    about PNG can be found at the following
    <http://www.libpng.org/pub/png/pngintro.html> Web site.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system.

    Who could exploit the vulnerability?
    The vulnerability in Windows Messenger would be very complex to exploit
    and requires a large amount of effort and knowledge about the internal
    network of an organization to attempt to exploit this vulnerability. An
    attacker would either need the ability to spoof the .NET Messenger
    service, or would have to intercept and rewrite communications between the
    client and the server. Simply sending a malformed PNG image file to
    Windows Messenger does not exploit this vulnerability.

    What systems are primarily at risk from the vulnerability?
    Workstations and terminal servers are primarily at risk. Servers could be
    at more risk if users who do not have sufficient administrative
    credentials are given the ability to log on to servers and run programs.
    However, best practices strongly discourage allowing this.

    Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
    critically affected by this vulnerability?
    No. None of these vulnerabilities are critical in severity on Windows 98,
    on Windows 98 Second Edition, or on Windows Millennium Edition. For more
    information about severity ratings, visit the following
    <http://go.microsoft.com/fwlink/?LinkId=21140> Web site.

    Could the vulnerability be exploited over the Internet?
    No. An attacker would either need the ability to spoof the .NET Messenger
    service, or would have to intercept and rewrite communications between the
    client and the server.
    Simply sending a malformed PNG to Windows Messenger does not exploit this
    vulnerability. Microsoft has provided information about how you can help
    protect your PC. End users can visit the
    <http://go.microsoft.com/fwlink/?LinkId=21169> Protect Your PC Web site.
    IT Professionals can visit the <Security Guidance Center Web site>
    Security Guidance Center Web site.

    What does the update do?
    The update addresses the vulnerability by updating the library used by
    Windows Messenger to one that completely validates the PNG image file that
    is being processed. Additionally, Windows Messenger will now validate that
    PNG image files are properly formatted.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    These vulnerabilities have been publicly released and assigned Common
    Vulnerability and Exposure number
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597>
    CAN-2004-0597,
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598>
    CAN-2004-0598 and
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599>
    CAN-2004-0599.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information to indicate that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    Mitigating Factors for PNG Processing Vulnerability in MSN Messenger:
    MSN Messenger, by default, does not allow anonymous people to send you
    messages. An attacker would first need to entice you to add them to your
    contacts list.

    Workarounds for PNG Processing Vulnerability in MSN Messenger:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.
     * Do not add addresses that you do not recognize or trust to your
    contacts list.
     * Review all of the contacts currently in your contact list and remove or
    block any that you do not know, do not trust or no longer need.
     * Disable display picture in MSN Messenger using the following steps:
    Click Tools. Click Options. Click the Personal tab.
    Clear the check box "Show Display Picture from Others in Instant Message
    Conversations".
     * Disable emoticons using the following steps:
    Click Tools. Click Options. Click the Messages tab.
    Clear the check box "Show emoticons in instant messages".
    Clear the check box "Show custom emoticons in instant message".
     * Do not agree to accept file transfers from contacts you do not know or
    trust.

    FAQ for PNG Processing Vulnerability in MSN Messenger:
    Is the MSN Messenger 7.0 beta affected by this vulnerability?
    No. This vulnerability was reported prior to the release of the MSN
    Messenger 7.0 beta, and the fix is therefore already incorporated into that
    product version.

    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    What causes the vulnerability?
    MSN Messenger incorporates the public libpng 1.2.5 library, which was
    recently found to have several known vulnerabilities.

    What is PNG?
    PNG stands for Portable Network Graphics. The Portable Network Graphics
    (PNG) format was designed to replace the older and simpler GIF format and,
    to some extent, the much more complex TIFF format. Additional information
    about PNG can be found at the following
    <http://www.libpng.org/pub/png/pngintro.html> Web site.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system.

    Who could exploit the vulnerability?
    An attacker would likely seek to exploit this vulnerability by convincing
    a user to add them to their contacts list, and sending a specially crafted
    emoticon or display picture.

    What systems are primarily at risk from the vulnerability?
    Workstations and terminal servers are primarily at risk. Servers could be
    at more risk if users who do not have sufficient administrative
    credentials are given the ability to log on to servers and run programs.
    However, best practices strongly discourage allowing this.

    Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
    critically affected by this vulnerability?
    Yes. Customers running an affected version of MSN Messenger should install
    the updated version of MSN Messenger.

    What does the update do?
    The update removes the vulnerability by updating the library used by MSN
    Messenger to one that correctly validates the PNG file being passed to it.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    These vulnerabilities have been publicly released and assigned Common
    Vulnerability and Exposure number
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597>
    CAN-2004-0597.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information to indicate that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx>
