Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability iDefense Security Advisory 02.14.06 http://www.idefense.com/intelligence/vulnerabilities/display.php?id=393 February 14, 2006 I. BACKGROUND Windows Media Player is a full featured Audio/Visual playback application offered by Microsoft. The Windows Media Player package also contains a plugin component that can be utilized from most modern browsers such as Internet Explorer, Opera, Firefox, and Netscape. More information on the product can be found from the Microsoft Windows Media Web Site: http://www.microsoft.com/windows/windowsmedia/default.aspx II. DESCRIPTION Windows Media Player (WMP) can be launched as a plugin in popular browsers to view Windows Media Player file types from web pages. A vulnerability in the Windows Media Player plugin can be triggered from several popular browsers such as FireFox and Netscape. The issue specifically can be triggered when certain browsers launch it with an overly long embed src tag from a malicious html page. Upon successful exploitation, attackers will be able to overwrite a Structured Exception Handler (SEH) address and execute arbitrary code on the system. The vulnerability specifically lays in npdsplay.10001040 where a user supplied string is copied to a stack based buffer: 1000171A C1E9 02 SHR ECX,2 >> 1000171D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 1000171F 8BC8 MOV ECX,EAX III. ANALYSIS Successful exploitation of this vulnerability allows attackers to execute code within the context of the currently logged in user. The victim would have to visit a malicious website using Firefox or Netscape browsers and have Windows Media Player installed. With properly crafted input the attacker is able to execute code of his choice. Due to unicode translations, shellcode characters are somewhat limited to character code values below 0x80. Successful exploitation of this vulnerability is not significantly impacted by this limitation. IV. DETECTION This vulnerability has been tested with Windows Media Player 9 and 10, when launched from the following browsers: * Firefox .9 - Current * Netscape 8 Other versions of Windows Media Player may be vulnerable. This exploit may be able to be triggered from browsers other than those listed above. This condition does not appear to be able to be launched from Internet Explorer or Opera browsers. V. WORKAROUND This exploit can only be triggered if Windows Media Player is set as the default application to launch media file extensions. Exploitation can be prevented by remapping any media file extensions typically handled by Windows Media Player to an alternative application. This exploit can also only be launched from specific browsers. Users could use an alternative browser until an official vendor supplied patch is available. VI. VENDOR RESPONSE The vendor has issued the following security advisory for this issue: http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-0005 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/31/2005 Initial vendor notification 08/31/2005 Initial vendor response 02/14/2006 Coordinated public disclosure IX. CREDIT This vulnerability was submitted to iDefense by John Cobb, as well as a second researcher who wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright © 2006 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/