Thread-topic: [EEYEB-20051017] Windows Media Player BMP Heap Overflow
> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx]
> Sent: Wednesday, February 15, 2006 1:49 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx; ntbugtraq@xxxxxxxxxxxxx
> Subject: [EEYEB-20051017] Windows Media Player BMP Heap Overflow
>
> EEYEB-20051017 Windows Media Player BMP Heap Overflow
>
> Release Date:
> February 14, 2006
>
> Date Reported:
> October 17, 2005
>
> Patch Development Time (In Days):
> 60
>
> Severity:
> High (Remote Code Execution)
>
> Vendor:
> Microsoft
>
> Systems Affected:
> Microsoft Windows Media Player 7.1 through 10
>
> Windows NT 4.0
> Windows 98 / ME
> Windows 2000 SP4
> Windows XP SP1 / SP2
> Windows 2003
>
> eEye ID: EEYEB-20051017
> CVE: CVE-2006-0006
>
> Overview:
> eEye Digital Security has discovered a critical vulnerability in Windows
> Media Player. The vulnerability allows a remote attacker to reliably
> overwrite heap memory with user-controlled data and execute arbitrary
> code in the context of the user who executed the player.
>
> Windows Media Player has a security issue within Media Player versions
> 7.1 through 10 on all Windows OSes. This flaw is a heap overflow, and an
> attacker can use multiple vectors to exploit it. Attackers can create
> .asx files and open them with a URL, use ActiveX embedded in an HTML
> page, or create a Media Player skin file.
>
>
> Technical Description:
>
> Windows Media Player can play bitmap format files, such as a .bmp file,
> and use Windows Media Player (WMP) to decode the .dll process bmp file.
> But it can't correctly process a bmp file which declares its size as 0.
> In this case, WMP will allocate a heap size of 0 but in fact, it will
> copy to the heap with the real file length. So a special bmp file that
> declares its size as 0 will cause the overflow. When changing the size
> to 0, WMP will allocate the heap of the new function, so actually it
> will allocate a 0x2*8 (heap) sized heap. When we copy the data it will
> check two conditions:
>
> 1. less than the size - the bmp head; this is 0 - 0xe (the bmp head
> size) = 0xfffffff2
> 2. less than 0x1000
>
> So if the real file size is less than 0x1000, it will copy the real data
> size to the 0x2*8 heap; if the real file size is larger than 0x1000, it
> will copy the first 0x1000 to the 0x2*8 heap.
>
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively
> protects from this vulnerability.
>
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at:
> http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
>
> Credit:
> Fang Xing
>
> Copyright (c) 1998-2006 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of eEye. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please email
> alert@xxxxxxxx for permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are no warranties, implied or express, with regard to this information.
> In no event shall the author be liable for any direct or indirect
> damages whatsoever arising out of or in connection with the use or
> spread of this information. Any use of this information is at the user's
> own risk.
>
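As an added example that is not part of the eEye advisory, the following Python check validates a BMP file header against the conditions the advisory describes: a declared size of 0 makes the "size minus header" bound wrap to 0xfffffff2 as a 32-bit value, so a consumer should reject any file whose declared size disagrees with its real length before handing it to a decoder. Field names follow the standard 14-byte BITMAPFILEHEADER layout; the sample files are constructed here and contain no real image data.

```python
import struct

BMP_FILE_HEADER_LEN = 0xE  # the 14-byte BITMAPFILEHEADER the advisory calls the "bmp head"
COPY_LIMIT = 0x1000        # the second bound the advisory says the copy loop checks


def payload_bound_as_uint32(declared_size):
    """Reproduce the advisory's first bound (declared size minus header) as the
    32-bit unsigned value the decoder would compare against; 0 wraps to 0xfffffff2."""
    return (declared_size - BMP_FILE_HEADER_LEN) & 0xFFFFFFFF


def check_bmp_header(data):
    """Return a list of reasons the BMP file header is untrustworthy.
    An empty list means the header is consistent with the bytes actually present."""
    problems = []
    if len(data) < BMP_FILE_HEADER_LEN:
        return ["file shorter than the 14-byte BMP file header"]
    # bfType (2s), bfSize (I), bfReserved1/2 (H,H), bfOffBits (I), little-endian
    magic, declared_size, _res1, _res2, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        problems.append("bad magic (expected 'BM')")
    if declared_size == 0:
        problems.append("declared size is 0 (size-minus-header wraps to 0x%08x)"
                        % payload_bound_as_uint32(0))
    elif declared_size < BMP_FILE_HEADER_LEN:
        problems.append("declared size %d is smaller than the header" % declared_size)
    if declared_size != len(data):
        # the vulnerable code sized its buffer from the header but copied the real length
        problems.append("declared size %d != actual length %d" % (declared_size, len(data)))
    if pixel_offset < BMP_FILE_HEADER_LEN or pixel_offset > len(data):
        problems.append("pixel data offset %d points outside the file" % pixel_offset)
    return problems


def make_bmp(declared_size, body_len, pixel_offset=54):
    """Constructed sample: a BMP file header followed by body_len filler bytes."""
    header = struct.pack("<2sIHHI", b"BM", declared_size, 0, 0, pixel_offset)
    return header + b"\x00" * body_len


# Constructed samples: one consistent header, one with the advisory's size-0 condition.
WELL_FORMED = make_bmp(BMP_FILE_HEADER_LEN + 100, 100)
ZERO_SIZE = make_bmp(0, 100)

if __name__ == "__main__":
    print("well-formed:", check_bmp_header(WELL_FORMED) or "ok")
    print("zero size  :", check_bmp_header(ZERO_SIZE))
```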