Microsoft DirectShow Remote Code Vulnerability
Release Date:
October 11, 2005
Date Reported:
May 10, 2005
Severity:
High (Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows 98, 98SE, ME
Windows 2000 SP4 - Microsoft DirectX 8.0 - 9.0c
Windows XP SP1 - SP2 - DirectX 9.0 - 9.0c
Windows Server 2003 - DirectX 9.0 - 9.0c
eEye ID# EEYEB20050510
OSVDB ID# 18822
CVE #: CAN-2005-2128
Overview:
eEye Digital Security has discovered a vulnerability in the Windows
Media Player 9 AVI movie DirectX component that allows memory at an
arbitrary address to be modified when a specially crafted AVI file is
played. Exploitation of this vulnerability can allow the execution of
attacker-supplied code on a victim's system with the privileges of the
user who attempted to open the movie file. This vulnerability has been
identified in a component of DirectX.
Technical Details:
Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie
files. Due to a lack of validation, QUARTZ can be made to store a null
byte to an arbitrary memory location by creating a malformed "strn"
element with a specifically chosen length field. The following
vulnerable code in CAviMSROutPin::ParseHeader attempts to place a null
terminator after the ASCIIZ string contained in the "strn" data:
6858A436 cmp edi, 6E727473h ; EDI = [EAX], element's "strn"
tag
6858A43C jz 6858A45C
...
6858A45C cmp ecx, ebx ; EBX = 0
6858A45E jbe 6858A44C
6858A460 lea ecx, [eax+8] ; ECX -> start of element data
...
6858A469 mov edi, [eax+4] ; EDI = element length
6858A46C cmp byte ptr [ecx+edi-1], 0
6858A471 lea ecx, [ecx+edi-1]
6858A475 jz 6858A44C
6858A477 and byte ptr [ecx], 0
This vulnerability can be used to produce exploitation conditions
resembling those of a heap overflow, by modifying the encompassing heap
block's own header. A length value of -(offset of "strn" element - 18h
+ 7) will cause the second byte of the block size field (at offset -7
within the heap header) to be zeroed, resulting in the heap management
code operating on arbitrary data from offsets below 800h within the
mutilated heap block.
Because the destination for the stored null terminator is relative to
the address of the "strn" element -- and therefore relative to the start
of the heap block -- reliable exploitation is possible, and has been
demonstrated on each of the affected versions of Windows.
Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina
Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx
Credit:
Fang Xing
Greetings:
Thanks Derek and eEye guys help me analyze and wrote the advisory,
greetz xfocus and venus-tech lab's guys.
Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
