[NT] Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow
------------------------------------------------------------------------


SUMMARY

"PNG (pronounced 'ping') is the Portable Network Graphics format, a format
for storing bitmapped (raster) images on computers."
<http://www.libpng.org/pub/png/>

Remote exploitation of a stack-based buffer overflow in the handling of
PNG image file chunks by Windows Media Player allows attackers to execute
arbitrary code.

DETAILS

Vulnerable Systems:
* Windows Media Player 7.1
* Windows Media Player for XP
* Windows Media Player 9
* Microsoft Windows Media Player 10

The Portable Network Graphics (PNG) specification defines an extensible,
portable image format that gives lossless compression and allows
transparency masking of various types. The format was developed as a
patent-free alternative to GIF and TIFF format images, and the official
specification is published on the W3C website. It should be noted that it
is possible to cause Windows Media Player to be called as a 'helper
application' in Internet Explorer and Mozilla browsers thus increasing the
likelihood of exploitation.

Windows Media Player uses a fixed-size buffer in a function that processes
certain chunk types, and no validation is performed on the length of the
chunks this function is passed. A stack-based buffer overflow therefore
occurs when WMP interprets a PNG file whose chunk header declares an
excessive chunk size.
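As an added example (not code from the advisory or from iDefense), the following Python chunk walker performs the length check the advisory says WMP lacks: every declared chunk length is bounded by the PNG specification limit, by the bytes actually remaining in the file, and by an optional stricter triage limit, so a defender can flag files carrying oversized chunk headers before they reach a vulnerable decoder. The two sample files, the 0x7FFFFFFF length and the 1 MiB triage limit are constructed values.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1  # the PNG spec's hard ceiling for a chunk's data length


def parse_png_chunks(data, max_len=MAX_CHUNK_LEN):
    """Walk the chunk list of a PNG file, validating each declared length
    before any data is touched. Returns (chunks, problems): chunks is a list
    of (type, length) tuples parsed safely; problems lists the findings that
    stopped the walk or marked a chunk as suspect."""
    chunks, problems = [], []
    if not data.startswith(PNG_SIGNATURE):
        return chunks, ["missing PNG signature"]
    off = len(PNG_SIGNATURE)
    while off < len(data):
        if len(data) - off < 12:  # length(4) + type(4) + crc(4) is the minimum
            problems.append(f"truncated chunk header at offset {off}")
            break
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if length > max_len:  # the check a fixed-size buffer needs before copying
            problems.append(f"{ctype!r}: declared length {length} exceeds limit {max_len}")
            break
        if length > len(data) - off - 12:
            problems.append(f"{ctype!r}: declared length {length} exceeds remaining file bytes")
            break
        body = data[off + 8:off + 8 + length]
        crc = struct.unpack(">I", data[off + 8 + length:off + 12 + length])[0]
        if zlib.crc32(ctype + body) != crc:
            problems.append(f"{ctype!r}: CRC mismatch")
        chunks.append((ctype.decode("ascii", "replace"), length))
        off += 12 + length
        if ctype == b"IEND":
            break
    return chunks, problems


def make_chunk(ctype, body):
    """Build one well-formed chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed sample: a minimal 1x1 greyscale PNG (IHDR + IDAT + IEND).
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
GOOD_PNG = PNG_SIGNATURE + IHDR + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")

# Constructed sample: same IHDR, then a tEXt header claiming 0x7FFFFFFF bytes
# while only 64 bytes follow, the shape of input the advisory describes.
BAD_PNG = PNG_SIGNATURE + IHDR + struct.pack(">I", 0x7FFFFFFF) + b"tEXt" + b"A" * 64
```

Passing a lower `max_len` (for example 1 MiB for a triage scan) makes the spec-limit check fire first; with the default, the remaining-bytes check catches the same file.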

Exploitation allows a remote attacker to execute code in the context of the
currently logged-in user. In order to exploit this vulnerability, the
victim must open a maliciously constructed file in Windows Media Player or
follow a link in their browser to a website hosting such a file. No
further user interaction is required for exploitation.

In order to trigger this vulnerability, an attacker could construct a
maliciously formed PNG file and link to it via an OBJECT tag on a website
under their control.

Workaround:
Any of the last three workarounds listed in the advisory for MS06-005 can
be used to prevent exploitation.

* Modify the Access Control List on the DirectX "Filter Graph no thread"
registry key.
* Backup and remove the DirectX "Filter Graph no thread" registry key.
* Unregister Quartz.dll.

Implementing these workarounds might prevent applications that use DirectX
from functioning properly.

This vulnerability is not the same as MS06-005, and the MS06-005 patches
do not fix this vulnerability. The workarounds for that vulnerability are
applicable here only because the vulnerability is in the same application
and called in a similar manner.

Vendor Status:
The vendor security advisory and appropriate patches are available at:
http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx

CVE Information:
CAN-2006-0025
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0025

Disclosure Timeline:
02/22/2006 Initial vendor notification
02/22/2006 Initial vendor response
06/13/2006 Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxxxxxxxx> iDEFENSE Labs.
The original article can be found at:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=406


