Foundstone Research Labs Advisory - Exploitable Windows XP Media Files (fwd)

From: Dave Ahmad (daat_private)
Date: Wed Dec 18 2002 - 16:31:29 PST


    David Mirza Ahmad
    Symantec
    
    0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
    
    ---------- Forwarded message ----------
    
    ----------------------------------------------------------------------
    Foundstone Research Labs Advisory - FS2002-11
    
    Advisory Name:	Exploitable Windows XP Media Files
     Release Date:	December 18, 2002
      Application:	Windows Explorer
        Platforms:	Windows XP
         Severity:	Remote code execution
          Vendors:	Microsoft (http://www.microsoft.com)
          Authors:	Tony Bettini, Foundstone (tony.bettiniat_private)
    CVE Candidate:	CAN-2002-1327
        Reference:	http://www.foundstone.com/advisories
    ----------------------------------------------------------------------
    
    Overview:
    
    A buffer overflow exists in Explorer's automatic reading of MP3
    or WMA (Windows Media Audio) file attributes in Windows XP. An
    attacker could create a malicious MP3 or WMA file that, if placed
    in an accessed folder on a Windows XP system, would compromise the
    system and allow for remote code execution. The MP3 does not need
    to be played; it simply needs to be stored in a folder that is
    browsed to, such as an MP3 download folder, the desktop, or a
    NetBIOS share. This vulnerability is also exploitable via
    Internet Explorer by loading a malicious web site. Microsoft's
    WMA files also suffer from a similar vulnerability.
    
    A Windows XP user visiting the site using Internet Explorer would
    be remotely compromised without any warning or download of files
    regardless of Internet Explorer security settings.
    
    Detailed Description:
    
    Unlike Windows 2000, Windows XP natively supports reading and parsing
    MP3 and WMA file attributes. If a user highlights an MP3 or WMA file
    with the cursor, applicable details of the media file will be
    displayed. Explorer automatically reads file attributes regardless
    of whether or not the user actually highlights, clicks on, reads,
    or opens the file. Windows XP's Explorer will overflow if corrupted
    attributes exist within the MP3 or WMA file.
    
    An unsuspecting user merely needs to browse a folder (local or
    network share) that contains the file. For example, a user running
    Windows XP could download an MP3 off of an Internet-based
    peer-to-peer file sharing mechanism (or anywhere else on the
    Internet) and then open their MP3 folder (to potentially listen to
    that MP3 or any other MP3). Upon folder access, Explorer would
    execute the code contained within the file attributes. The code could
    do anything from running a reverse shell to infecting other MP3 files
    on the computer.
    
    Users of Windows 2000 or other non-Windows XP operating systems are
    unaffected, and even MP3s with corrupt attributes will play fine
    on those operating systems with most players.
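The advisory describes Explorer overflowing on corrupted MP3 attributes (the ID3v2 tag that carries title, artist and similar fields) without stating which field or length triggers it. The following is an added defender-side sanity scanner, not Foundstone's or Microsoft's code: it walks the ID3v2.3 frames of a file and flags tags whose declared sizes run past the file, frames with malformed identifiers, and text frames beyond an assumed 1024-byte bound (the bound and the constructed sample tags are assumptions, not values from the advisory).

```python
import struct

ID3_HEADER_LEN = 10     # "ID3" + version(2) + flags(1) + syncsafe size(4)
FRAME_HEADER_LEN = 10   # id(4) + size(4) + flags(2), ID3v2.3 layout
MAX_TEXT_FRAME = 1024   # assumed sanity bound; the advisory gives no overflow size
FRAME_ID_CHARS = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def syncsafe_to_int(b):
    """ID3v2 tag size: four bytes, 7 bits each, big-endian."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def scan_id3v2(data):
    """Return a list of findings for the leading ID3v2 tag; [] means nothing odd."""
    findings = []
    if len(data) < ID3_HEADER_LEN or data[:3] != b"ID3":
        return findings  # no ID3v2 tag: nothing for an attribute reader to parse
    tag_size = syncsafe_to_int(data[6:10])
    if ID3_HEADER_LEN + tag_size > len(data):
        findings.append("tag size %d exceeds file length %d" % (tag_size, len(data)))
    end = min(ID3_HEADER_LEN + tag_size, len(data))
    pos = ID3_HEADER_LEN
    while pos + FRAME_HEADER_LEN <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break  # zero bytes mark the padding area at the end of the tag
        if not all(c in FRAME_ID_CHARS for c in fid):
            findings.append("malformed frame id %r at offset %d" % (fid, pos))
            break
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if pos + FRAME_HEADER_LEN + size > end:
            findings.append("frame %s size %d runs past tag end" % (fid.decode(), size))
            break
        if fid[:1] == b"T" and size > MAX_TEXT_FRAME:
            findings.append("text frame %s is %d bytes (limit %d)" % (fid.decode(), size, MAX_TEXT_FRAME))
        pos += FRAME_HEADER_LEN + size
    return findings


def build_id3v2_tag(frames):
    """Constructed test helper: assemble an ID3v2.3 tag from (frame_id, payload) pairs."""
    body = b"".join(fid + struct.pack(">I", len(p)) + b"\x00\x00" + p for fid, p in frames)
    n = len(body)
    size = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + size + body


# Constructed samples (not real files): a plausible tag and one with an absurdly long title.
BENIGN = build_id3v2_tag([(b"TIT2", b"\x00Sample Title"), (b"TPE1", b"\x00Sample Artist")]) + b"\xff\xfb" * 4
OVERSIZED = build_id3v2_tag([(b"TIT2", b"\x00" + b"A" * 4000)]) + b"\xff\xfb" * 4
```

Running scan_id3v2 over a download folder before Explorer is pointed at it gives a cheap triage signal; it is a heuristic, not a substitute for the MS02-072 patch.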
    
    Two additional attack vectors exist for this vulnerability via a web
    browser as well as Outlook. A malicious website could contain an
    IFRAME of a NetBIOS share that holds a malicious MP3. Similarly,
    an email could be sent to an Outlook user containing HTML that
    references the NetBIOS share. Depending on Outlook security settings
    and preferences, this attack may not be directly exploitable via
    an email message. However, if the user browses to a malicious web
    site with Internet Explorer directly, the attack will work
    regardless of the Internet Explorer security settings.
    
    Vendor Response:
    
    Microsoft has issued a fix for this vulnerability; it is available at:
    http://www.microsoft.com/technet/security/bulletin/MS02-072.asp
    
    In addition, the patch (Q329390) is available via:
    http://windowsupdate.microsoft.com
    
    Foundstone would like to thank Microsoft Security Response Center for
    their prompt handling of this vulnerability.
    
    Solution:
    
    Foundstone recommends reviewing the Microsoft Security Bulletin and
    immediately applying the Microsoft patch.
    
    The FoundScan Enterprise Vulnerability Management System has been
    updated to check for this vulnerability. For more information on
    FoundScan, go to: http://www.foundstone.com
    
    Disclaimer:
    
    The information contained in this advisory is copyright (c) 2002
    Foundstone, Inc. and is believed to be accurate at the time of
    publishing. However, no representation of any warranty is given,
    expressed, or implied as to its accuracy or completeness. In no event
    shall the author or Foundstone be liable for any direct, indirect,
    incidental, special, exemplary or consequential damages resulting from
    the use or misuse of this information. This advisory may be
    redistributed, provided that no fee is assigned and that the advisory
    is not modified in any way.
    
    About Foundstone:
    
    Foundstone Inc. addresses the security and privacy
    needs of Global 2000 companies with world-class Enterprise
    Vulnerability Management Software, Managed Vulnerability Assessment
    Services, Professional Consulting and Education offerings. The company
    has one of the most dominant security talent pools ever assembled,
    including experts from Ernst & Young, KPMG, PricewaterhouseCoopers,
    and the United States Defense Department. Foundstone executives and
    consultants have authored nine books, including the international best
    seller Hacking Exposed: Network Security Secrets & Solutions.
    Foundstone is headquartered in Orange County, CA, and has offices in
    New York, Washington, DC, San Antonio, and Seattle. For more
    information, visit www.foundstone.com or call 1-877-91-FOUND.
    
    Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.
    
    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:39:47 PST