[VulnWatch] [EEYEB20050510] - Microsoft DirectShow Remote Code Vulnerability

Advisories_at_eeye.com
Date: 10/11/05

    Date: Tue, 11 Oct 2005 12:05:02 -0700
    To: <bugtraq@securityfocus.com>, <full-disclosur@lists.grok.org.uk>, <vulnwatch@vulnwatch.org>, <ntbugtraq@ntbugtraq.com>
    
    

    Microsoft DirectShow Remote Code Vulnerability

    Release Date:
    October 11, 2005

    Date Reported:
    May 10, 2005

    Severity:
    High (Code Execution)

    Vendor:
    Microsoft

    Systems Affected:

    Windows 98, 98SE, ME
    Windows 2000 SP4 - Microsoft DirectX 8.0 - 9.0c
    Windows XP SP1 - SP2 - DirectX 9.0 - 9.0c
    Windows Server 2003 - DirectX 9.0 - 9.0c

    eEye ID# EEYEB20050510
    OSVDB ID# 18822
    CVE #: CAN-2005-2128

    Overview:
    eEye Digital Security has discovered a vulnerability in the Windows
    Media Player 9 AVI movie DirectX component that allows memory at an
    arbitrary address to be modified when a specially crafted AVI file is
    played. Exploitation of this vulnerability can allow the execution of
    attacker-supplied code on a victim's system with the privileges of the
    user who attempted to open the movie file. This vulnerability has been
    identified in a component of DirectX.

    Technical Details:
    Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie
    files. Due to a lack of validation, QUARTZ can be made to store a null
    byte to an arbitrary memory location by creating a malformed "strn"
    element with a specifically chosen length field. The following
    vulnerable code in CAviMSROutPin::ParseHeader attempts to place a null
    terminator after the ASCIIZ string contained in the "strn" data:

        6858A436 cmp edi, 6E727473h ; EDI = [EAX], element's "strn" tag
        6858A43C jz 6858A45C
         ...
        6858A45C cmp ecx, ebx ; EBX = 0
        6858A45E jbe 6858A44C
        6858A460 lea ecx, [eax+8] ; ECX -> start of element data
         ...
        6858A469 mov edi, [eax+4] ; EDI = element length
        6858A46C cmp byte ptr [ecx+edi-1], 0
        6858A471 lea ecx, [ecx+edi-1]
        6858A475 jz 6858A44C
        6858A477 and byte ptr [ecx], 0

    This vulnerability can be used to produce exploitation conditions
    resembling those of a heap overflow, by modifying the encompassing heap
    block's own header. A length value of -(offset of "strn" element - 18h
    + 7) will cause the second byte of the block size field (at offset -7
    within the heap header) to be zeroed, resulting in the heap management
    code operating on arbitrary data from offsets below 800h within the
    mutilated heap block.

    Because the destination for the stored null terminator is relative to
    the address of the "strn" element -- and therefore relative to the start
    of the heap block -- reliable exploitation is possible, and has been
    demonstrated on each of the affected versions of Windows.
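
The length check that the listing above omits, written out as an added C example (it is not code from the advisory or from Microsoft's patch). The function name, status codes and sample buffers are constructed for illustration; the element layout (+0 tag, +4 length, +8 data) is taken from the disassembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status names are hypothetical, chosen for this example. */
enum strn_status { STRN_OK, STRN_NOT_STRN, STRN_TRUNCATED, STRN_BAD_LENGTH };

/* Constructed sample elements: tag, 32-bit little-endian length, data. */
static uint8_t sample_ok[]   = {'s','t','r','n', 4,0,0,0, 'n','a','m','e'};
static uint8_t sample_zero[] = {'s','t','r','n', 0,0,0,0, 'n','a','m','e'};
static uint8_t sample_huge[] = {'s','t','r','n', 0xF0,0xFF,0xFF,0xFF, 'n','a','m','e'};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Null-terminate the string of the "strn" element at buf[off]; buf_len is the
 * size of the buffer holding the parsed data. Offsets follow the listing:
 * +0 tag, +4 length, +8 data. The store happens only if data[len-1] lies
 * inside the buffer. */
enum strn_status terminate_strn(uint8_t *buf, size_t buf_len, size_t off) {
    if (off > buf_len || buf_len - off < 8)
        return STRN_TRUNCATED;            /* no room for tag and length */
    if (memcmp(buf + off, "strn", 4) != 0)
        return STRN_NOT_STRN;
    uint32_t len = rd_le32(buf + off + 4);
    size_t avail = buf_len - off - 8;     /* data bytes actually present */
    /* len == 0 would address data[-1]; a length above avail, which includes
     * values that are negative when read as signed, addresses memory
     * outside the buffer. Reject both before computing the pointer. */
    if (len == 0 || len > avail)
        return STRN_BAD_LENGTH;
    uint8_t *last = buf + off + 8 + (len - 1);
    if (*last != 0)
        *last = 0;                        /* the listing's "and byte ptr [ecx], 0" */
    return STRN_OK;
}

int main(void) {
    printf("ok=%d zero=%d huge=%d\n",
           (int)terminate_strn(sample_ok, sizeof sample_ok, 0),
           (int)terminate_strn(sample_zero, sizeof sample_zero, 0),
           (int)terminate_strn(sample_huge, sizeof sample_huge, 0));
    return 0;
}
```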

    Protection:
    Retina, Network Security Scanner, has been updated to be able to
    identify this vulnerability.
    For more information on Retina visit: http://www.eEye.com/Retina

    Blink, Endpoint Vulnerability Prevention, already provides protection
    from attacks based on this vulnerability.
    For more information on Blink visit: http://www.eEye.com/Blink

    Vendor Status:
    Microsoft has released a patch for this vulnerability. The patch is
    available at:
    http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx

    Credit:
    Fang Xing

    Greetings:
    Thanks to Derek and the eEye guys for helping me analyze and write the
    advisory; greetz to xfocus and venus-tech lab's guys.

    Copyright (c) 1998-2005 eEye Digital Security
    Permission is hereby
    granted for the redistribution of this alert electronically. It is not
    to be edited in any way without express consent of eEye. If you wish to
    reprint the whole or any part of this alert in any other medium
    excluding electronic medium, please email alert@eEye.com for permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties, implied or express, with regard to this information.
    In no event shall the author be liable for any direct or indirect
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the user's
    own risk.

