[NT] Microsoft DirectShow Remote Code Vulnerability (MS05-050)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/12/05

    To: list@securiteam.com
    Date: 12 Oct 2005 09:31:07 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Microsoft DirectShow Remote Code Vulnerability (MS05-050)
    ------------------------------------------------------------------------

    SUMMARY

    eEye Digital Security has discovered a vulnerability in the Windows Media
    Player 9 AVI movie DirectX component that allows memory at an arbitrary
    address to be modified when a specially crafted AVI file is played.
    Exploitation of this vulnerability can allow the execution of
    attacker-supplied code on a victim's system with the privileges of the
    user who attempted to open the movie file. This vulnerability has been
    identified in a component of DirectX.

    DETAILS

    Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie files.
    Due to a lack of validation, QUARTZ can be made to store a null byte to an
    arbitrary memory location by creating a malformed "strn" element with a
    specifically chosen length field. The following vulnerable code in
    CAviMSROutPin::ParseHeader attempts to place a null terminator after the
    ASCIIZ string contained in the "strn" data:

        6858A436 cmp edi, 6E727473h          ; EDI = [EAX], element's "strn" tag
        6858A43C jz 6858A45C
        ...
        6858A45C cmp ecx, ebx                ; EBX = 0
        6858A45E jbe 6858A44C
        6858A460 lea ecx, [eax+8]            ; ECX -> start of element data
        ...
        6858A469 mov edi, [eax+4]            ; EDI = element length
        6858A46C cmp byte ptr [ecx+edi-1], 0
        6858A471 lea ecx, [ecx+edi-1]
        6858A475 jz 6858A44C
        6858A477 and byte ptr [ecx], 0
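
The listing above stores the terminator at [data + length - 1] without ever comparing the length against the bytes actually present. The following C is an added example, not eEye's code and not Microsoft's QUARTZ.DLL: it models that missing check for a RIFF/AVI "strn" chunk, shows (as an arithmetic computation only) where the unchecked store would land for a wrapped length, and provides a bounds-checked replacement plus a chunk walker that flags any chunk whose declared length overruns its enclosing region. All function names, the result enum and the sample chunks are constructed for this illustration.

```c
/* Added example: bounds-checked handling of an AVI "strn" chunk.
 * Hypothetical code, not eEye's or Microsoft's; it models the check the
 * advisory says QUARTZ.DLL omitted (terminator written at data + len - 1
 * with no validation of len against the enclosing buffer). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum strn_result { STRN_OK = 0, STRN_TRUNCATED_HEADER, STRN_NOT_STRN, STRN_BAD_LENGTH };

/* Little-endian 32-bit read; RIFF length fields are little-endian. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Where the UNCHECKED terminator store would land, relative to the start of
 * the buffer holding the chunk: data start (chunk_off + 8) plus len - 1, with
 * len treated as the 32-bit register value the disassembly uses, so large
 * values wrap to negative offsets. Computed only, never written. */
int64_t strn_unchecked_target(size_t chunk_off, uint32_t len) {
    int64_t slen = (len & 0x80000000u) ? (int64_t)len - 0x100000000LL : (int64_t)len;
    return (int64_t)chunk_off + 8 + slen - 1;
}

/* Hardened version: validate the header and the length against the bytes
 * actually present, then NUL-terminate in place. On success *str_out points
 * to a NUL-terminated string of at most len - 1 characters. */
enum strn_result parse_strn(uint8_t *buf, size_t buf_len, size_t chunk_off,
                            char **str_out, size_t *str_len_out) {
    if (chunk_off > buf_len || buf_len - chunk_off < 8)
        return STRN_TRUNCATED_HEADER;               /* no room for tag + length */
    uint8_t *hdr = buf + chunk_off;
    if (memcmp(hdr, "strn", 4) != 0)
        return STRN_NOT_STRN;
    uint32_t len = rd_le32(hdr + 4);
    size_t avail = buf_len - chunk_off - 8;         /* payload bytes really present */
    /* len == 0 would put the terminator into the header (data - 1);
     * len > avail (including wrapped "negative" values) would write past the payload. */
    if (len == 0 || len > avail)
        return STRN_BAD_LENGTH;
    uint8_t *data = hdr + 8;
    data[len - 1] = 0;                              /* provably inside buf */
    *str_out = (char *)data;
    *str_len_out = strlen((char *)data);
    return STRN_OK;
}

/* Walk RIFF chunks in buf[off, end): count chunks whose declared length
 * overruns the enclosing region, descending into RIFF/LIST containers and
 * terminating each well-formed "strn" found. Scanning stops at the first
 * overrun because nothing after it can be trusted. */
size_t scan_chunks(uint8_t *buf, size_t off, size_t end, unsigned depth) {
    size_t bad = 0;
    while (off < end && end - off >= 8) {
        uint8_t *hdr = buf + off;
        uint32_t len = rd_le32(hdr + 4);
        size_t avail = end - off - 8;
        if (len > avail) { bad++; break; }
        if (memcmp(hdr, "RIFF", 4) == 0 || memcmp(hdr, "LIST", 4) == 0) {
            if (len >= 4 && depth < 16)             /* skip the 4-byte form type */
                bad += scan_chunks(buf, off + 12, off + 8 + len, depth + 1);
        } else if (memcmp(hdr, "strn", 4) == 0) {
            char *s; size_t n;
            if (parse_strn(buf, end, off, &s, &n) != STRN_OK) bad++;
        }
        off += 8 + (size_t)len + (len & 1);         /* chunks are padded to even size */
    }
    return bad;
}

int main(void) {
    /* Constructed sample: a LIST "strl" holding a 6-byte strn ("hello!" -> "hello"),
     * followed by a 2-byte JUNK chunk. Not taken from a real file. */
    uint8_t avi[] = {
        'L','I','S','T', 18,0,0,0, 's','t','r','l',
        's','t','r','n', 6,0,0,0, 'h','e','l','l','o','!',
        'J','U','N','K', 2,0,0,0, 0,0 };
    /* Constructed malformed chunk: length 0xFFFFFFF0 with only two payload bytes. */
    uint8_t evil[] = { 's','t','r','n', 0xF0,0xFF,0xFF,0xFF, 'x','y' };
    printf("overruns in well-formed sample: %zu\n", scan_chunks(avi, 0, sizeof avi, 0));
    printf("overruns in malformed sample:   %zu\n", scan_chunks(evil, 0, sizeof evil, 0));
    printf("unchecked store would land at buffer offset %lld\n",
           (long long)strn_unchecked_target(0, 0xFFFFFFF0u));
    return 0;
}
```

The walker rejects the chunk before any string handling runs, so the length check happens once per chunk at the container level; parse_strn repeats the check so it is also safe when called directly on a single chunk.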

    This vulnerability can be used to produce exploitation conditions
    resembling those of a heap overflow, by modifying the encompassing heap
    block's own header. A length value of -(offset of "strn" element - 18h +
    7) will cause the second byte of the block size field (at offset -7 within
    the heap header) to be zeroed, resulting in the heap management code
    operating on arbitrary data from offsets below 800h within the mutilated
    heap block.

    Because the destination for the stored null terminator is relative to the
    address of the "strn" element -- and therefore relative to the start of
    the heap block -- reliable exploitation is possible, and has been
    demonstrated on each of the affected versions of Windows.

    Vendor Status:
    Microsoft has released a patch for this vulnerability. The patch is
    available at:
    http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx

    ADDITIONAL INFORMATION

    The information has been provided by eEye (advisories@eeye.com).
    The original article can be found at:
    http://www.eeye.com/html/research/advisories/AD20051011a.html


