Microsoft DirectShow Remote Code Vulnerability Release Date: October 11, 2005 Date Reported: May 10, 2005 Severity: High (Code Execution) Vendor: Microsoft Systems Affected: Windows 98, 98SE, ME Windows 2000 SP4 - Microsoft DirectX 8.0 - 9.0c Windows XP SP1 - SP2 - DirectX 9.0 - 9.0c Windows Server 2003 - DirectX 9.0 - 9.0c eEye ID# EEYEB20050510 OSVDB ID# 18822 CVE #: CAN-2005-2128 Overview: eEye Digital Security has discovered a vulnerability in the Windows Media Player 9 AVI movie DirectX component that allows memory at an arbitrary address to be modified when a specially crafted AVI file is played. Exploitation of this vulnerability can allow the execution of attacker-supplied code on a victim's system with the privileges of the user who attempted to open the movie file. This vulnerability has been identified in a component of DirectX. Technical Details: Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie files. Due to a lack of validation, QUARTZ can be made to store a null byte to an arbitrary memory location by creating a malformed "strn" element with a specifically chosen length field. The following vulnerable code in CAviMSROutPin::ParseHeader attempts to place a null terminator after the ASCIIZ string contained in the "strn" data: 6858A436 cmp edi, 6E727473h ; EDI = [EAX], element's "strn" tag 6858A43C jz 6858A45C ... 6858A45C cmp ecx, ebx ; EBX = 0 6858A45E jbe 6858A44C 6858A460 lea ecx, [eax+8] ; ECX -> start of element data ... 6858A469 mov edi, [eax+4] ; EDI = element length 6858A46C cmp byte ptr [ecx+edi-1], 0 6858A471 lea ecx, [ecx+edi-1] 6858A475 jz 6858A44C 6858A477 and byte ptr [ecx], 0 This vulnerability can be used to produce exploitation conditions resembling those of a heap overflow, by modifying the encompassing heap block's own header. A length value of -(offset of "strn" element - 18h + 7) will cause the second byte of the block size field (at offset -7 within the heap header) to be zeroed, resulting in the heap management code operating on arbitrary data from offsets below 800h within the mutilated heap block. Because the destination for the stored null terminator is relative to the address of the "strn" element -- and therefore relative to the start of the heap block -- reliable exploitation is possible, and has been demonstrated on each of the affected versions of Windows. Protection: Retina, Network Security Scanner, has been updated to be able to identify this vulnerability. For more information on Retina visit: http://www.eEye.com/Retina Blink, Endpoint Vulnerability Prevention, already provides protection from attacks based on this vulnerability. For more information on Blink visit: http://www.eEye.com/Blink Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx Credit: Fang Xing Greetings: Thanks Derek and eEye guys help me analyze and wrote the advisory, greetz xfocus and venus-tech lab's guys. Copyright (c) 1998-2005 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.