Windows mplay32 buffer overflow

From: 'ken'@FTU
Date: 07/30/02


Date: Tue, 30 Jul 2002 07:41:56 -0400
From: "'ken'@FTU" <ken_at_ftu@yahoo.com>
To: bugtraq@securityfocus.com, bugs@securitytracker.com

Microsoft is aware of the vulnerability.

Since successful remote exploitation of this vulnerability depends
on other mitigating factors, Microsoft believes it is not worthy of a
bulletin. This overflow will be fixed in XP service pack 1.

I will explain my understanding of the vulnerability. Perhaps someone
can discover another way to exploit this executable without the other
mitigating factors...

mplay32.exe -- found in system32 directory -- suffers from a buffer
overflow. If the exe is called with a file name equal to or longer than
279 characters, EIP is overwritten.

Exploit:

Open a command prompt.
mplay32.exe A<x279>.mp3

Note: This is a unicode overflow. EIP now equals 0x00410041.

The executable runs in the user context. Privilege escalation is not an
issue. Count out the possibility of a local vulnerability.

Can this be executed remotely? With certain mitigating factors.

On an unpatched IIS server we can call

/scripts/..%255c..%255cwinnt/system32.exe?/A<x279>.mp3

and set EIP to 0x00410041. (I'm not giving further details of what to do
next, but the information is available on the internet.)

I tried to load mplay32.exe with the <object> tags but could not get it
to parse the file extension. Perhaps others will have better luck. :)

I leave everyone with the exciting possibility that there is potential
for this to be remotely exploitable. Good luck.

'ken'@FTU

-- 
"I grew convinced that truth, sincerity and integrity in dealings
between man and man were of the utmost importance to the felicity of
life, and I formed a written resolution to practise them ever while I
lived."
	-Benjamin Franklin, The Autobiography of Benjamin Franklin
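As an added example (not from the original post), a small Python log check for the IIS request shape ken describes: it percent-decodes the `..%255c` traversal repeatedly, the way the unpatched server's double decoding would, flags any path that climbs out of the virtual root, and notes an argument long enough to reach the 279-character overflow. The log lines are constructed; the `winnt/system32/mplay32.exe` path is assumed from the post's statement that the executable lives in system32.

```python
from urllib.parse import unquote

# Constructed sample IIS access-log lines (not from the original post), as
# "client-ip method uri status". The second mirrors the request shape in the
# post: a double-encoded traversal into system32 with a 279-character argument.
SAMPLE_LOG = [
    "10.0.0.5 GET /default.htm 200",
    "10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/mplay32.exe?/"
    + "A" * 279 + ".mp3 200",
    "10.0.0.7 GET /scripts/%2e%2e/%2e%2e/winnt/system32/mplay32.exe?/x.mp3 404",
    "10.0.0.7 GET /images/logo.gif 304",
]
OVERFLOW_LEN = 279  # argument length the post reports as overwriting EIP

def fully_decode(s, max_rounds=4):
    """Percent-decode repeatedly (bounded) so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def escapes_webroot(uri_stem):
    """True if the fully decoded path climbs above the virtual root."""
    depth = 0
    for seg in fully_decode(uri_stem).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def analyze_line(line):
    """Indicator flags for one log line."""
    stem, _, query = line.split()[2].partition("?")
    return {
        # needing a second decoding round means the path check was bypassed
        "double_encoded": unquote(stem) != fully_decode(stem),
        "traversal": escapes_webroot(stem),
        "oversized_arg": len(query) >= OVERFLOW_LEN,
    }

def scan_log(lines):
    """Return (line, flags) for each line raising at least one flag."""
    return [(l, f) for l in lines if any((f := analyze_line(l)).values())]
```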
