Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability
iDefense Security Advisory 02.14.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=393
February 14, 2006
I. BACKGROUND
Windows Media Player is a full featured Audio/Visual playback
application offered by Microsoft. The Windows Media Player package
also contains a plugin component that can be utilized from most
modern browsers such as Internet Explorer, Opera, Firefox, and Netscape.
More information on the product can be found from the Microsoft Windows
Media Web Site:
http://www.microsoft.com/windows/windowsmedia/default.aspx
II. DESCRIPTION
Windows Media Player (WMP) can be launched as a plugin in popular
browsers to view Windows Media Player file types from web pages.
A vulnerability in the Windows Media Player plugin can be triggered from
several popular browsers such as FireFox and Netscape. The issue
specifically can be triggered when certain browsers launch it with an
overly long embed src tag from a malicious html page.
Upon successful exploitation, attackers will be able to overwrite a
Structured Exception Handler (SEH) address and execute arbitrary code on
the system.
The vulnerability specifically lays in npdsplay.10001040 where a
user supplied string is copied to a stack based buffer:
1000171A C1E9 02 SHR ECX,2
>> 1000171D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR
DS:[ESI]
1000171F 8BC8 MOV ECX,EAX
III. ANALYSIS
Successful exploitation of this vulnerability allows attackers to
execute code within the context of the currently logged in user. The
victim would have to visit a malicious website using Firefox or Netscape
browsers and have Windows Media Player installed.
With properly crafted input the attacker is able to execute code of his
choice. Due to unicode translations, shellcode characters are somewhat
limited to character code values below 0x80. Successful exploitation of
this vulnerability is not significantly impacted by this limitation.
IV. DETECTION
This vulnerability has been tested with Windows Media Player 9 and 10,
when launched from the following browsers:
* Firefox .9 - Current
* Netscape 8
Other versions of Windows Media Player may be vulnerable. This exploit
may be able to be triggered from browsers other than those listed
above.
This condition does not appear to be able to be launched from Internet
Explorer or Opera browsers.
V. WORKAROUND
This exploit can only be triggered if Windows Media Player is set as
the default application to launch media file extensions. Exploitation
can be prevented by remapping any media file extensions typically
handled by Windows Media Player to an alternative application.
This exploit can also only be launched from specific browsers. Users
could use an alternative browser until an official vendor supplied patch
is available.
VI. VENDOR RESPONSE
The vendor has issued the following security advisory for this issue:
http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0005 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/31/2005 Initial vendor notification
08/31/2005 Initial vendor response
02/14/2006 Coordinated public disclosure
IX. CREDIT
This vulnerability was submitted to iDefense by John Cobb, as well as a
second researcher who wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright © 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
