[NT] Microsoft DirectShow Remote Code Vulnerability (MS05-050)
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 12 Oct 2005 09:31:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft DirectShow Remote Code Vulnerability (MS05-050)
eEye Digital Security has discovered a vulnerability in the DirectX
component that Windows Media Player 9 uses to play AVI movies. A specially
crafted AVI file can cause a single byte at an attacker-chosen address to be
overwritten with zero when the file is played. Exploitation of this
vulnerability can allow the execution of attacker-supplied code on a
victim's system with the privileges of the user who opened the movie file.
The flaw lies in a DirectX component, not in Windows Media Player itself.
Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie files.
The length field of a "strn" element is taken from the file and used as an
offset relative to the element without being checked against the enclosing
chunk, so QUARTZ can be made to store a null byte to an arbitrary memory
location by creating a malformed "strn" element with a specifically chosen
length field. The following vulnerable code in CAviMSROutPin::ParseHeader
attempts to place a null terminator after the ASCIIZ string contained in the
"strn" data:
6858A436 cmp edi, 6E727473h ; EDI = [EAX], element's tag; 6E727473h is "strn" as a little-endian DWORD
6858A43C jz 6858A45C
6858A45C cmp ecx, ebx ; EBX = 0
6858A45E jbe 6858A44C
6858A460 lea ecx, [eax+8] ; ECX -> start of element data (past the 4-byte tag and 4-byte length)
6858A469 mov edi, [eax+4] ; EDI = element length, read from the file with no bounds check
6858A46C cmp byte ptr [ecx+edi-1], 0 ; is the byte at data + length - 1 already zero?
6858A471 lea ecx, [ecx+edi-1] ; ECX -> data + length - 1, wherever the length points
6858A475 jz 6858A44C ; already terminated, skip the store
6858A477 and byte ptr [ecx], 0 ; otherwise zero that byte: the arbitrary write
This vulnerability can be used to produce exploitation conditions
resembling those of a heap overflow, by modifying the header of the heap
block that contains the parsed data. The null byte is stored at (element
address + 8 + length - 1), so a length value of -(offset of "strn" element -
18h + 7) will cause the second byte of the block size field (at offset -7
within the heap header) to be zeroed, resulting in the heap management code
operating on arbitrary data from offsets below 800h within the mutilated
heap block.
Because the destination for the stored null terminator is relative to the
address of the "strn" element -- and therefore relative to the start of
the heap block -- reliable exploitation is possible, and has been
demonstrated on each of the affected versions of Windows.
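Added example, not code from eEye, Microsoft or this advisory: a C model of the "strn" termination logic shown in the disassembly above, placed beside a bounds-checked version and exercised in a constructed buffer that stands in for the heap block. The 8-byte header layout with a 16-bit size field at its start, the element offset STRN_OFF, the fake header values and the sample string are all assumptions made for the demonstration, not facts from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not eEye's or Microsoft's code.  Layout assumption:
 * an 8-byte heap block header (16-bit size field at bytes 0-1) followed by
 * the block's user data; the "strn" element sits STRN_OFF bytes into the
 * user data.  Offsets below are relative to the start of the arena. */
#define STRN_TAG  0x6E727473u      /* "strn" read as a little-endian DWORD, as in the cmp */
#define ARENA     64
#define HDR       8                /* simulated heap block header size */
#define STRN_OFF  0x10             /* element offset within the user data */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable logic, mirroring the disassembly: ECX -> elem+8, EDI = length
 * DWORD straight from the file, store at [ECX+EDI-1] unless already zero.
 * The length is treated as signed so a "negative" value points backwards.
 * Returns the arena offset of the byte zeroed, or -1 if nothing was stored. */
static long vuln_strn_terminate(uint8_t *base, uint8_t *elem) {
    if (rd32(elem) != STRN_TAG) return -1;
    int32_t len = (int32_t)rd32(elem + 4);   /* no validation at all */
    uint8_t *p = elem + 8 + len - 1;         /* [ecx+edi-1] */
    if (*p == 0) return -1;                  /* jz: already terminated */
    *p = 0;                                  /* and byte ptr [ecx], 0 */
    return (long)(p - base);
}

/* Hardened version: the length must be at least 1 and must fit inside the
 * bytes that remain in the enclosing chunk, so elem+8+len-1 is always inside
 * the element's own data.  Anything else is rejected rather than indexed. */
static long safe_strn_terminate(uint8_t *base, uint8_t *elem, size_t remaining) {
    if (remaining < 8 || rd32(elem) != STRN_TAG) return -1;
    uint32_t len = rd32(elem + 4);
    if (len == 0 || len > remaining - 8) return -1;
    uint8_t *p = elem + 8 + len - 1;
    if (*p != 0) *p = 0;
    return (long)(p - base);
}

/* Build the constructed arena: fake header, filler, one "strn" element whose
 * string ("Stream") is deliberately left without a terminator. */
static void build_arena(uint8_t *arena, uint32_t strn_len) {
    memset(arena, 'A', ARENA);
    wr32(arena, 0x01010808u);                /* fake size = 0x0808, prev size = 0x0101 */
    uint8_t *elem = arena + HDR + STRN_OFF;
    memcpy(elem, "strn", 4);
    wr32(elem + 4, strn_len);
    memcpy(elem + 8, "Stream", 6);
}

/* The length that zeroes the second size byte (user-data offset -7):
 * elem + 8 + len - 1 == user - 7  =>  len = -(STRN_OFF + 14). */
static uint32_t evil_len(void) { return (uint32_t)-(STRN_OFF + 14); }

static long run_vuln(uint32_t len) {
    uint8_t a[ARENA]; build_arena(a, len);
    return vuln_strn_terminate(a, a + HDR + STRN_OFF);
}
static long run_safe(uint32_t len) {
    uint8_t a[ARENA]; build_arena(a, len);
    return safe_strn_terminate(a, a + HDR + STRN_OFF, ARENA - HDR - STRN_OFF);
}
/* Value of the header's second size byte after the vulnerable path ran. */
static int header_byte_after(uint32_t len) {
    uint8_t a[ARENA]; build_arena(a, len);
    vuln_strn_terminate(a, a + HDR + STRN_OFF);
    return a[1];
}

int main(void) {
    printf("len 7:  vuln zeroed offset %ld, safe zeroed offset %ld\n", run_vuln(7), run_safe(7));
    printf("len %#x: vuln zeroed offset %ld (size byte now %d), safe returned %ld\n",
           evil_len(), run_vuln(evil_len()), header_byte_after(evil_len()), run_safe(evil_len()));
    return 0;
}
```

The write lands at element + 8 + length - 1, so whatever length the file supplies selects the address. A benign length of 7 terminates "Stream" in place in both versions; the crafted length points 23 bytes before the element and zeroes the simulated size byte, while the hardened version rejects it along with a zero length (which would target the element's own length field).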
Microsoft has released a patch for this vulnerability (MS05-050).
The information has been provided by <mailto:email@example.com> eEye.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.