The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
EEYEB-20051017 Windows Media Player BMP Heap Overflow
Release Date:
February 14, 2006
Date Reported:
October 17, 2005
Patch Development Time (In Days):
60
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Microsoft Windows Media Player 7.1 through 10
Windows NT 4.0
Windows 98 / ME
Windows 2000 SP4
Windows XP SP1 / SP2
Windows 2003
eEye ID: EEYEB-20051017
CVE: CVE-2006-0006
Overview:
eEye Digital Security has discovered a critical vulnerability in Windows
Media Player. The vulnerability allows a remote attacker to reliably
overwrite heap memory with user-controlled data and execute arbitrary
code in the context of the user who executed the player.
Windows Media Player has a security issue within Media Player versions
7.1 through 10 on all Windows os's. This flaw is a heap overflow, and an
attacker can use multiple vectors to exploit it. Attackers can create
.asx files and open them with a URL, use activex embeded in an HTML page
or create a Media Player skin file.
Technical Description:
Windows Media Player can play bit map format files, such as a .bmp file
and use Windows Media Player (WMP) to decode the .dll process bmp file.
But it can't correctly process a bmp file which declares it's size as 0.
In this case, WMP will allocate a heap size of 0 but in fact, it will
copy to the heap with the real file length. So a special bmp file that
declares it's size as 0 will cause the overflow. When changing the size
to 0, WMP will allocate the heap of the new function, so actually it
will allocate 0x2*8(heap) sized heap. When we copy the date is will
check two conditions:
1.less than the size - the bmp head, this is 0-0xe(the bmp head
size) = 0xfffffff2
2.less than 0x1000
So if the real file size is less than 0x1000, it will copy the real date
size to the 0x2*8 heap, if the real file size is larger than 0x1000, it
will copy the first 0x1000 to the 0x2*8 heap.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from
this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
Credit:
Fang Xing
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert (at) eEye (dot) com [email concealed] for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum