Windows mplay32 buffer overflow

From: 'ken'@FTU
Date: Tue Jul 30 2002 - 04:41:56 PDT


    Microsoft is aware of the vulnerability.
    
    Since successful remote exploitation of this vulnerability depends
    on other mitigating factors, Microsoft believes it is not worthy of a
    bulletin. This overflow will be fixed in XP service pack 1.
    
    I will explain my understanding of the vulnerability. Perhaps someone
    can discover another way to exploit this executable without the other
    mitigating factors...
    
    mplay32.exe -- found in system32 directory -- suffers from a buffer
    overflow. If the exe is called with a file name equal to or longer than
    279 characters, EIP is overwritten.
    
    Exploit:
    
    Open a command prompt.
    mplay32.exe A<x279>.mp3
    
    Note: This is a unicode overflow. EIP now equals 0x00410041.
    
    The executable runs in the user context. Privilege escalation is not an
    issue. Count out the possibility of a local vulnerability.
    
    Can this be executed remotely? With certain mitigating factors.
    
    On an unpatched IIS server we can call
    
    /scripts/..%255c..%255cwinnt/system32.exe?/A<x279>.mp3
    
    and set EIP to 0x00410041. (I'm not giving further details of what to do 
    next, but the information is available on the internet.)
    
    I tried to load mplay32.exe with the <object> tags but could not get it
    to parse the file extension. Perhaps others will have better luck. :)
    
    I leave everyone with the exciting possibility that there is potential
    for this to be remotely exploitable. Good luck.
    
    'ken'@FTU
    
    
    -- 
    "I grew convinced that truth, sincerity and integrity in dealings
    between man and man were of the utmost importance to the felicity of
    life, and I formed a written resolution to practise them ever while I
    lived."
    	-Benjamin Franklin, The Autobiography of Benjamin Franklin
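Added example, not part of Ken's post: a small Python check that reads IIS W3C extended log records and flags the invocation pattern described above, i.e. a double-encoded `..%255c` traversal that resolves into a system32 executable, together with a single argument at or above the 279-character trigger length the post gives. The log excerpt is constructed, and the `winnt/system32/mplay32.exe` target path in it is an assumption (the post's own path reads differently).

```python
import re
from urllib.parse import unquote

# From the post: a file-name argument of 279 or more characters overwrites EIP.
MPLAY32_OVERFLOW_LEN = 279

# Constructed IIS W3C log excerpt (not from the post); the traversal target path is assumed.
LONG_NAME = "A" * MPLAY32_OVERFLOW_LEN + ".mp3"
SAMPLE_LOG = f"""\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-30 04:41:56 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/mplay32.exe /{LONG_NAME} 200
2002-07-30 04:42:01 192.0.2.11 GET /scripts/search.asp q=bob 200
2002-07-30 04:42:07 192.0.2.12 GET /scripts/..%255c..%255cwinnt/system32/mplay32.exe /song.mp3 200
2002-07-30 04:42:09 192.0.2.13 GET /media/song.mp3 - 200
"""

def decode_twice(stem: str) -> str:
    """Mirror the IIS double-decode flaw: %255c -> %5c -> '\\', then normalise to '/'."""
    return unquote(unquote(stem)).replace("\\", "/")

def analyze_request(stem: str, query: str) -> set:
    """Return the findings for one request; an empty set means nothing suspicious."""
    findings = set()
    once = unquote(stem).replace("\\", "/").split("/")
    twice = decode_twice(stem).split("/")
    # A '..' segment that only appears after the second decode is the double-decode pattern.
    if ".." in twice and ".." not in once:
        findings.add("double_decode_traversal")
    if re.search(r"/system32/[^/]+\.exe$", "/".join(twice), re.IGNORECASE):
        findings.add("system32_executable")
    # Query handed to the executable as '+'-separated arguments; one at the post's trigger length.
    if query != "-" and any(len(a) >= MPLAY32_OVERFLOW_LEN for a in unquote(query).split("+")):
        findings.add("overlong_argument")
    return findings

def scan_log(text: str) -> list:
    """Return (line_number, client_ip, findings) for every log record with findings."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # header/directive lines
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed record: skip rather than guess
        c_ip, stem, query = fields[2], fields[4], fields[5]
        findings = analyze_request(stem, query)
        if findings:
            hits.append((n, c_ip, findings))
    return hits
```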
    
    This archive was generated by hypermail 2b30 : Tue Jul 30 2002 - 13:05:44 PDT