[26415] in bugtraq


Windows mplay32 buffer overflow

daemon@ATHENA.MIT.EDU ('ken'@FTU)
Tue Jul 30 16:03:04 2002

Date: Tue, 30 Jul 2002 07:41:56 -0400
From: "'ken'@FTU" <ken_at_ftu@yahoo.com>
To: bugtraq@securityfocus.com, bugs@securitytracker.com
Message-id: <3D467B84.6040407@yahoo.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT

Microsoft is aware of the vulnerability.

Since successful remote exploitation of this vulnerability depends
on other mitigating factors, Microsoft believes it is not worthy of a
bulletin. This overflow will be fixed in XP service pack 1.

I will explain my understanding of the vulnerability. Perhaps someone
can discover another way to exploit this executable without the other
mitigating factors...

mplay32.exe -- found in system32 directory -- suffers from a buffer
overflow. If the exe is called with a file name equal to or longer than
279 characters, EIP is overwritten.

Exploit:

Open a command prompt.
mplay32.exe A<x279>.mp3

Note: This is a unicode overflow. EIP now equals 0x00410041.

The executable runs in the user context. Privilege escalation is not an
issue. Count out the possibility of a local vulnerability.

Can this be executed remotely? With certain mitigating factors.

On an unpatched IIS server we can call

/scripts/..%255c..%255cwinnt/system32.exe?/A<x279>.mp3

and set EIP to 0x00410041. (I'm not giving further details of what to do
next, but the information is available on the internet.)

I tried to load mplay32.exe with the <object> tags but could not get it
to parse the file extension. Perhaps others will have better luck. :)

I leave everyone with the exciting possibility that there is potential
for this to be remotely exploitable. Good luck.

'ken'@FTU


-- 
"I grew convinced that truth, sincerity and integrity in dealings
between man and man were of the utmost importance to the felicity of
life, and I formed a written resolution to practise them ever while I
lived."
	-Benjamin Franklin, The Autobiography of Benjamin Franklin
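The post's one observable detail, EIP reading 0x00410041 after a run of 'A' characters, is the signature of an ANSI string being widened to UTF-16LE (each 'A' becomes the bytes 41 00) into a fixed-size buffer. The following is an added example, not code from the post or from mplay32: a constructed model with a hypothetical 64-WCHAR buffer (not the real frame layout or the real 279-character threshold) that reproduces that pattern, and the length check that rejects the filename before it is copied. It assumes a little-endian host, as on x86.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (hypothetical sizes, not mplay32's real layout): a fixed
 * WCHAR buffer followed directly by the 4-byte saved return address. */
#define BUF_WCHARS  64
#define BUF_BYTES   (BUF_WCHARS * 2)
#define FRAME_BYTES (BUF_BYTES + 4)
#define ORIG_RET    0x12345678u   /* constructed stand-in for the real return address */

/* Defective version: widens the ANSI filename to UTF-16LE with no length check.
 * The copy is clamped to the model frame so the demo itself stays memory-safe;
 * it returns what the saved-return-address slot holds afterwards. */
uint32_t vulnerable_widen(const char *filename) {
    uint8_t frame[FRAME_BYTES] = {0};
    uint32_t ret = ORIG_RET;
    memcpy(frame + BUF_BYTES, &ret, sizeof ret);
    size_t n = strlen(filename);
    for (size_t i = 0; i <= n && 2 * i + 1 < FRAME_BYTES; i++) {
        frame[2 * i]     = (uint8_t)filename[i]; /* low byte: ANSI char (NUL at i == n) */
        frame[2 * i + 1] = 0x00;                 /* high byte: zero for every ASCII char */
    }
    memcpy(&ret, frame + BUF_BYTES, sizeof ret); /* 'A' 'A' widened reads 41 00 41 00 */
    return ret;
}

/* Hardened version: reject before copying unless the widened string, including
 * its 2-byte terminator, fits the buffer. Returns 0 on success, -1 when rejected. */
int safe_widen(const char *filename) {
    size_t n = strlen(filename);
    if (n >= BUF_WCHARS)              /* (n + 1) * 2 bytes must be <= BUF_BYTES */
        return -1;
    uint8_t buf[BUF_BYTES] = {0};
    for (size_t i = 0; i <= n; i++)   /* cannot run past buf: n + 1 <= BUF_WCHARS */
        buf[2 * i] = (uint8_t)filename[i];
    return 0;
}

/* Build "A" repeated `count` times followed by ".mp3", as in the post, and
 * report the saved-return-address value after the unchecked widening. */
uint32_t eip_after_a_run(size_t count) {
    char *name = malloc(count + 5);
    if (!name) return 0;
    memset(name, 'A', count);
    memcpy(name + count, ".mp3", 5);
    uint32_t eip = vulnerable_widen(name);
    free(name);
    return eip;
}
```

With 58 'A's the slot still holds the original value; with 66 it reads 0x00410041, and in between the widened ".mp3" characters land there instead, which is why the exact filename length matters in the post.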


