SecurityReason - Windows Media Player BMP Heap Overflow

Advisory Text :

EEYEB-20051017 Windows Media Player BMP Heap Overflow

Release Date:
February 14, 2006

Date Reported:
October 17, 2005

Patch Development Time (In Days):
60

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Microsoft Windows Media Player 7.1 through 10

Windows NT 4.0
Windows 98 / ME
Windows 2000 SP4
Windows XP SP1 / SP2
Windows 2003

eEye ID: EEYEB-20051017
CVE: CVE-2006-0006

Overview:
eEye Digital Security has discovered a critical vulnerability in Windows
Media Player. The vulnerability allows a remote attacker to reliably
overwrite heap memory with user-controlled data and execute arbitrary
code in the context of the user who executed the player.

Windows Media Player has a security issue within Media Player versions
7.1 through 10 on all Windows os's. This flaw is a heap overflow, and an
attacker can use multiple vectors to exploit it. Attackers can create
.asx files and open them with a URL, use activex embeded in an HTML page
or create a Media Player skin file.

Technical Description:

Windows Media Player can play bit map format files, such as a .bmp file
and use Windows Media Player (WMP) to decode the .dll process bmp file.
But it can't correctly process a bmp file which declares it's size as 0.
In this case, WMP will allocate a heap size of 0 but in fact, it will
copy to the heap with the real file length. So a special bmp file that
declares it's size as 0 will cause the overflow. When changing the size
to 0, WMP will allocate the heap of the new function, so actually it
will allocate 0x2*8(heap) sized heap. When we copy the date is will
check two conditions:

1. less than the size - the bmp head, this is 0-0xe(the bmp head
size) = 0xfffffff2
2. less than 0x1000

So if the real file size is less than 0x1000, it will copy the real date
size to the 0x2*8 heap, if the real file size is larger than 0x1000, it
will copy the first 0x1000 to the 0x2*8 heap.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from
this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx

Credit:
Fang Xing

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert (at) eEye (dot) com [email concealed] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.