[VulnWatch] iDefense Security Advisory 02.14.06: Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability

From: labs-no-reply@private
Date: Tue Feb 14 2006 - 10:18:11 PST


Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability

iDefense Security Advisory 02.14.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=393
February 14, 2006

I. BACKGROUND

Windows Media Player is a full featured Audio/Visual playback
application offered by Microsoft. The Windows Media Player package
also contains a plugin component that can be utilized from most
modern browsers such as Internet Explorer, Opera, Firefox, and Netscape.

More information on the product can be found from the Microsoft Windows
Media Web Site:

http://www.microsoft.com/windows/windowsmedia/default.aspx

II. DESCRIPTION

Windows Media Player (WMP) can be launched as a plugin in popular
browsers to view Windows Media Player file types from web pages.

A vulnerability in the Windows Media Player plugin can be triggered from
several popular browsers such as FireFox and Netscape. The issue
specifically can be triggered when certain browsers launch it with an
overly long embed src tag from a malicious html page.

Upon successful exploitation, attackers will be able to overwrite a
Structured Exception Handler (SEH) address and execute arbitrary code on
the system.

The vulnerability specifically lays in npdsplay.10001040 where a
user supplied string is copied to a stack based buffer:

   1000171A   C1E9 02          SHR ECX,2
 >> 1000171D   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR 
DS:[ESI]
   1000171F   8BC8             MOV ECX,EAX


III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to
execute code within the context of the currently logged in user. The
victim would have to visit a malicious website using Firefox or Netscape
browsers and have Windows Media Player installed.

With properly crafted input the attacker is able to execute code of his
choice. Due to unicode translations, shellcode characters are somewhat
limited to  character code values below 0x80. Successful exploitation of
this vulnerability is not significantly impacted by this limitation.

IV. DETECTION

This vulnerability has been tested with Windows Media Player 9 and 10,
when launched from the following browsers:

    * Firefox  .9 - Current
    * Netscape 8

Other versions of Windows Media Player may be vulnerable. This exploit
may be able to be triggered from browsers other than those listed
above.

This condition does not appear to be able to be launched from Internet
Explorer or Opera browsers.

V. WORKAROUND

This exploit can only be triggered if Windows Media Player is set as
the default application to launch media file extensions. Exploitation
can be prevented by remapping any media file extensions typically
handled by Windows Media Player to an alternative application.

This exploit can also only be launched from specific browsers. Users
could use an alternative browser until an official vendor supplied patch
is available.

VI. VENDOR RESPONSE

The vendor has issued the following security advisory for this issue:

  http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0005 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/31/2005  Initial vendor notification
08/31/2005  Initial vendor response
02/14/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was submitted to iDefense by John Cobb, as well as a
second researcher who wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



This archive was generated by hypermail 2.1.3 : Wed Feb 15 2006 - 11:04:31 PST