Foundstone Research Labs Advisory - Exploitable Windows XP Media Files (fwd)

From: Dave Ahmad (da@securityfocus.com)
Date: 12/19/02

  • Next message: Dave Ahmad: "Foundstone Research Labs Advisory - Multiple Exploitable Buffer Overflows in Winamp (fwd)"
    Date: Wed, 18 Dec 2002 17:31:29 -0700 (MST)
    From: Dave Ahmad <da@securityfocus.com>
    To: bugtraq@securityfocus.com
    
    

    David Mirza Ahmad
    Symantec

    0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

    ---------- Forwarded message ----------

    ----------------------------------------------------------------------
    Foundstone Research Labs Advisory - FS2002-11

    Advisory Name: Exploitable Windows XP Media Files
     Release Date: December 18, 2002
      Application: Windows Explorer
        Platforms: Windows XP
         Severity: Remote code execution
          Vendors: Microsoft (http://www.microsoft.com)
          Authors: Tony Bettini, Foundstone (tony.bettini@foundstone.com)
    CVE Candidate: CAN-2002-1327
        Reference: http://www.foundstone.com/advisories
    ----------------------------------------------------------------------

    Overview:

    A buffer overflow exists in Explorer's automatic reading of MP3
    or WMA (Windows Media Audio) file attributes in Windows XP. An
    attacker could create a malicious MP3 or WMA file, that if placed
    in an accessed folder on a Windows XP system, would compromise the
    system and allow for remote code execution. The MP3 does not need
    to be played, it simply needs to be stored in a folder that is
    browsed to, such as an MP3 download folder, the desktop, or a
    NetBIOS share. This vulnerability is also exploitable via
    Internet Explorer by loading a malicious web site. Microsoft's
    WMA files also suffer from a similar vulnerability.

    A Windows XP user visiting the site using Internet Explorer would
    be remotely compromised without any warning or download of files
    regardless of Internet Explorer security settings.

    Detailed Description:

    Unlike Windows 2000, Windows XP natively supports reading and parsing
    MP3 and WMA file attributes. If a user highlights an MP3 or WMA file
    with the cursor, applicable details of the media file will be
    displayed. Explorer automatically reads file attributes regardless
    of whether or not the user actually highlights, clicks on, reads,
    or opens the file. Windows XP's Explorer will overflow if corrupted
    attributes exist within the MP3 or WMA file.

    An unsuspecting user merely needs to browse a folder (local or
    network share) that contains the file. For example, a user running
    Windows XP could download an MP3 off of an Internet-based
    peer-to-peer file sharing mechanism (or anywhere else on the
    Internet) and then open their MP3 folder (to potentially listen to
    that MP3 or any other MP3). Upon folder access, Explorer would
    execute the code contained within the file attributes. The code could
    do anything from running a reverse shell to infecting other MP3 files
    on the computer.

    Users of Windows 2000 or other non-Windows XP operating systems are
    unaffected, and even MP3's with corrupt attributes will play fine
    on those operating systems with most players.

    Two additional attack vectors exist for this vulnerability via a web
    browser as well as Outlook. A malicious website could contain an
    IFRAME of a NetBIOS share that holds a malicious MP3. Similarly,
    an email could be sent to an Outlook user containing HTML that
    references the NetBIOS share. Depending on Outlook security settings
    and preferences, this attack may not be directly exploitable via
    an email message. However, if the user browses to a malicious web
    site with Internet Explorer directly, the attack will work
    regardless of the Internet Explorer security settings.

    Vendor Response:

    Microsoft has issued a fix for this vulnerability, it is available at:
    http://www.microsoft.com/technet/security/bulletin/MS02-072.asp

    In addition, the patch (Q329390) is available via:
    http://windowsupdate.microsoft.com

    Foundstone would like to thank Microsoft Security Response Center for
    their prompt handling of this vulnerability.

    Solution:

    Foundstone recommends reviewing the Microsoft Security Bulletin and
    immediately applying the Microsoft patch.

    The FoundScan Enterprise Vulnerability Management System has been
    updated to check for this vulnerability. For more information on
    FoundScan, go to: http://www.foundstone.com

    Disclaimer:

    The information contained in this advisory is copyright (c) 2002
    Foundstone, Inc. and is believed to be accurate at the time of
    publishing. However, no representation of any warranty is given,
    expressed, or implied as to its accuracy or completeness. In no event
    shall the author or Foundstone be liable for any direct, indirect,
    incidental, special, exemplary or consequential damages resulting from
    the use or misuse of this information. This advisory may be
    redistributed, provided that no fee is assigned and that the advisory
    is not modified in any way.

    About Foundstone Foundstone Inc. addresses the security and privacy
    needs of Global 2000 companies with world-class Enterprise
    Vulnerability Management Software, Managed Vulnerability Assessment
    Services, Professional Consulting and Education offerings. The company
    has one of the most dominant security talent pools ever assembled,
    including experts from Ernst & Young, KPMG, PricewaterhouseCoopers,
    and the United States Defense Department. Foundstone executives and
    consultants have authored nine books, including the international best
    seller Hacking Exposed: Network Security Secrets & Solutions.
    Foundstone is headquartered in Orange County, CA, and has offices in
    New York, Washington, DC, San Antonio, and Seattle. For more
    information, visit www.foundstone.com or call 1-877-91-FOUND.

    Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.



    Relevant Pages

    • Re: Any comments?
      ... Windows just "makes a guess", and so far, it has always guessed correctly on every system I've ever built. ... With almost every Linux distribution I've ever worked with, I'm almost afraid to experiment, because it seems like the most innocent changes can have system wide repercussions. ... There's some sort of licensing issue which prevents mp3 players from being bundled with many linux distributions, ... It asks some vaguely dangerous sounding questions (something along the lines of "broken dependencies") but all the questions Linux asks me sound dangerous, ...
      (comp.lang.cobol)
    • Re: mp3 files cause popup in WMP after 10sec
      ... | When I play an mp3 in Windows Media Player audio stops after about 10 ... | I have run NOD32, Windows OneCare, Windows Defender, PCTools Spyware Doctor, ... Download and execute HiJack This! ...
      (microsoft.public.security.virus)
    • Re: Problem recognizing supportable files
      ... files and double click on it, it plays thru my pc using Windows media Player. ... the mp3 player and click on a track it plays using media player. ... in Windows Explorer" and the other details about this mode. ...
      (microsoft.public.windowsmedia)
    • Re: Extract pieces of a mp3 audio file
      ... My question is about Windows XP. ... I have some MP3 audio files, ... "extract" pieces of the sound to have like the most important ...
      (microsoft.public.windowsxp.general)
    • RE: [Full-Disclosure] Scanning the PCs for RPC Vulnerability
      ... I use scanms.exe from ISS, and run it through a little perl ... Foundstone and Microsoft for RPC vulnerable machines. ... even those machines which are Windows 9x, Windows98/Sec, Windows ME. ...
      (Full-Disclosure)