Re: exploiting the recent windows media player nsc buffer overflow

From: Pauli Ojanpera (pauli_ojanpera@hotmail.com)
Date: 08/05/01


From: "Pauli Ojanpera" <pauli_ojanpera@hotmail.com>
To: vuln-DEV@securityfocus.com
Subject: Re: exploiting the recent windows media player nsc buffer overflow
Date: Sun, 05 Aug 2001 15:29:34 +0300
Message-ID: <F27Vm2sMMiPo0WWy5L90000e0a7@hotmail.com>

IIRC, if you feed a suitably sized string into the field,
an overflow will happen before the unicode conversion.
I don't really remember; it's been a long time since.

----Original Message Follows----
From: Franklin DeMatto <franklin@qdefense.com>
To: vuln-DEV@securityfocus.com
CC: pauli_ojanpera@hotmail.com
Subject: exploiting the recent windows media player nsc buffer overflow
Date: Sun, 05 Aug 2001 07:40:55 -0400

WMP converts the IP Address field into unicode. This will insert null
bytes into every other byte in the buffer, making it very hard to exploit
(although it may be possible, like the folks at eEye did with a similar
conversion in one of their recent IIS exploits).

However, if an nsc file can use unicode directly, then an attacker would be
able to put unicode in the ip addr field, bypassing the conversion, and
easily sploiting. I have searched through the microsoft documentation, but
have not been able to determine if nsc files can be written using unicode
characters (like HTML can). Anyone have any info?

Franklin DeMatto - http://qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER

Please do not send mail to antispaam@qdefense.com
