Microsoft DirectShow Remote Code Vulnerability

Release Date:
October 11, 2005

Date Reported:
May 10, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:

Windows 98, 98SE, ME
Windows 2000 SP4 - Microsoft DirectX 8.0 - 9.0c
Windows XP SP1 - SP2 - DirectX 9.0 - 9.0c
Windows Server 2003 - DirectX 9.0 - 9.0c

eEye ID# EEYEB20050510
OSVDB ID# 18822
CVE #: CAN-2005-2128


Overview:
eEye Digital Security has discovered a vulnerability in the Windows
Media Player 9 AVI movie DirectX component that allows memory at an
arbitrary address to be modified when a specially crafted AVI file is
played.  Exploitation of this vulnerability can allow the execution of
attacker-supplied code on a victim's system with the privileges of the
user who attempted to open the movie file.  This vulnerability has been
identified in a component of DirectX.

Technical Details:
Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie
files.  Due to a lack of validation, QUARTZ can be made to store a null
byte to an arbitrary memory location by creating a malformed "strn"
element with a specifically chosen length field.  The following
vulnerable code in CAviMSROutPin::ParseHeader attempts to place a null
terminator after the ASCIIZ string contained in the "strn" data:

    6858A436    cmp     edi, 6E727473h  ; EDI = [EAX], element's "strn"
tag
    6858A43C    jz      6858A45C
     ...
    6858A45C    cmp     ecx, ebx        ; EBX = 0
    6858A45E    jbe     6858A44C
    6858A460    lea     ecx, [eax+8]    ; ECX -> start of element data
     ...
    6858A469    mov     edi, [eax+4]    ; EDI = element length
    6858A46C    cmp     byte ptr [ecx+edi-1], 0
    6858A471    lea     ecx, [ecx+edi-1]
    6858A475    jz      6858A44C
    6858A477    and     byte ptr [ecx], 0

This vulnerability can be used to produce exploitation conditions
resembling those of a heap overflow, by modifying the encompassing heap
block's own header.  A length value of -(offset of "strn" element - 18h
+ 7) will cause the second byte of the block size field (at offset -7
within the heap header) to be zeroed, resulting in the heap management
code operating on arbitrary data from offsets below 800h within the
mutilated heap block.  

Because the destination for the stored null terminator is relative to
the address of the "strn" element -- and therefore relative to the start
of the heap block -- reliable exploitation is possible, and has been
demonstrated on each of the affected versions of Windows.

Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina 

Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx

Credit:
Fang Xing

Greetings:
Thanks Derek and eEye guys help me analyze and wrote the advisory,
greetz xfocus and venus-tech lab's guys.


Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.