Credit:
The information has been provided by eEye Advisories.
The original article can be found at: http://www.eeye.com/html/research/advisories/AD20060214.html
The vendor advisory can be found at: http://www.securiteam.com/windowsntfocus/5DP0G1FHPS.html
Vulnerable Systems:
* Windows Media Player for XP on Microsoft Windows XP Service Pack 1
* Windows Media Player 9 on Microsoft Windows XP Service Pack 2
* Windows Media Player 9 on Microsoft Windows Server 2003
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition (SE)
* Microsoft Windows Millennium Edition (ME)
* Microsoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4
* Microsoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1
* Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2
Immune Systems:
* Windows Media Player 6.4 on all Microsoft Windows operating systems
* Windows Media Player 10 on Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Windows Media Player can play bitmap files (.bmp); a DLL loaded by Windows Media Player (WMP) decodes the .bmp file.
If a bitmap file declares a size of 0, Windows Media Player does not handle the bitmap correctly.
In this case WMP allocates a heap buffer of 0 bytes but copies the real file length into it. A specially crafted bitmap file that declares its size as 0 therefore causes a heap buffer overflow. When the declared size is 0 bytes, WMP passes that size to its allocation routine, so it actually allocates a heap block of 0x2*8 bytes. When it copies the data it checks two conditions:
1. The copy length must be less than the declared size minus the BMP header; with a declared size of 0 this is 0-0xe (the BMP header size), which wraps to 0xfffffff2.
2. The copy length must be less than 0x1000.
So if the real file size is less than 0x1000, WMP copies the real file length into the 0x2*8-byte heap block; if the real file size is larger than 0x1000, it copies the first 0x1000 bytes into the 0x2*8-byte heap block.
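As an added illustration (not code from the eEye or SecuriTeam advisory, and not WMP's own code), the following Python models the two-condition length computation described above on 32-bit unsigned arithmetic and shows a header check that rejects a bitmap with an untrustworthy size field before it reaches a decoder. The BMP layout is the standard BITMAPFILEHEADER/BITMAPINFOHEADER, the sample files are constructed, and the wmp_copy_length model is an assumption built only from the two conditions quoted in the text.

```python
import struct
from typing import Optional, Tuple

BMP_HEADER_LEN = 0xE   # 14-byte BITMAPFILEHEADER, the "bmp head" in the advisory
COPY_CHUNK = 0x1000    # upper bound from the advisory's second condition
MASK32 = 0xFFFFFFFF


def wmp_copy_length(declared_size: int, real_size: int) -> int:
    """Model (assumption, not WMP's code) of the advisory's two conditions:
    copy min(real length, declared - header, 0x1000) in 32-bit unsigned math,
    so a declared size of 0 wraps to 0xfffffff2 and never limits the copy."""
    remaining = (declared_size - BMP_HEADER_LEN) & MASK32
    return min(real_size, remaining, COPY_CHUNK)


def check_bmp_header(data: bytes) -> Tuple[bool, str]:
    """Reject a bitmap whose bfSize field cannot be trusted, before any decoding."""
    if len(data) < BMP_HEADER_LEN:
        return False, "truncated BITMAPFILEHEADER"
    magic, bf_size, _r1, _r2, bf_off_bits = struct.unpack("<2sIHHI", data[:BMP_HEADER_LEN])
    if magic != b"BM":
        return False, "not a BM bitmap"
    if bf_size < BMP_HEADER_LEN:   # covers bfSize == 0, the CVE-2006-0006 pattern
        return False, "declared size %#x is smaller than the file header" % bf_size
    if bf_size > len(data):
        return False, "declared size %#x exceeds actual length %#x" % (bf_size, len(data))
    if not BMP_HEADER_LEN <= bf_off_bits <= len(data):
        return False, "pixel data offset %#x out of range" % bf_off_bits
    return True, "ok"


def build_bmp(declared_size: Optional[int] = None) -> bytes:
    """Constructed 1x1 24-bit sample; declared_size=None writes the true bfSize."""
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    pixels = b"\x00\x00\xff\x00"   # one BGR pixel plus row padding to 4 bytes
    total = BMP_HEADER_LEN + len(info) + len(pixels)
    bf_size = total if declared_size is None else declared_size
    header = struct.pack("<2sIHHI", b"BM", bf_size, 0, 0, BMP_HEADER_LEN + len(info))
    return header + info + pixels


if __name__ == "__main__":
    for label, sample in (("benign", build_bmp()), ("bfSize=0", build_bmp(0))):
        declared = struct.unpack_from("<I", sample, 2)[0]
        print(label, check_bmp_header(sample),
              "model would copy %#x bytes" % wmp_copy_length(declared, len(sample)))
```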
CVE Information:
CVE-2006-0006