Heap Overflow Vulnerability in WMP

By Scott M. Fulton, III | Published December 8, 2006, 3:55 PM

Microsoft yesterday officially acknowledged -– albeit two weeks after its discovery –- that a vulnerability in Windows Media Player found by security research team eEye Digital Security could indeed become an exploitable problem. Thankfully, no exploit seems to have turned up yet.

As an eEye report on November 22 indicated, a function that handles the XML-based ASX playlists in, apparently, all known versions of Media Player that support them (perhaps, based on our research, back to version 6.4 for Windows 95 in 1999) can be fooled into allocating too much heap memory to handle a string that should contain the URL of a media file included in the playlist. It isn’t much –- the entire overflow could be three or four bytes, maximum -– but the fact that it is an overflow could create an exploitable condition, eEye points out.

Heap overflow problems with ASX files in Media Player have been discovered almost since version 6.4 was first released. This particular one, though, may have been hiding in plain sight, which is one of the places eEye eventually looks.

As the firm’s bulletin describes, the XML element that contains the URL of the media file is REF. It uses an HREF attribute that’s set to the URL, just like with an A tag in HTML. The first part of a URL is always the protocol name, such as http://. In the event that protocol is omitted or isn’t recognized, Media Player assumes the media file is a streaming URL, and automatically attaches mms://. That’s a six-character appendage.

Assuming Media Player has to make this substitution, then when it allocates the heap memory for the name, it counts the number of characters in the URL that was supplied, then adds six for the appendage. Since no acceptable protocol names are shorter than three characters – that is, shorter than “mms” – then you’d think this would be fine.

But suppose somebody were to pass an illegitimate protocol that was shorter. Thankfully, as part of its diligent type checking, WMP checks to make sure that no protocol supplied can be shorter than three characters. So you can’t write REF HREF="bn://try_this_one.avi" into an ASX file and get away with it; WMP will filter it out.

So what’s the problem? An eEye engineer discovered that the parser that looks at the supplied URL first to replace character codes with characters, functions after the protocol filter. So if you enter REF HREF="b%6e://try_this_one.avi", the seemingly four-character protocol name would pass the filter first, then the %6e would get replaced with n and the URL would be in violation. WMP would have allocated two more bytes on the heap than it actually needed, triggering the overflow.

Microsoft’s Security Response Center says it’s also investigating the possibility of other ways in which the same trigger could possibly be exploited. No exploits are currently known, though eEye says it believes exploitability is possible. Meanwhile, Secunia rates the overflow as “Highly Critical.”

Other than simply avoiding opening ASX playlists altogether, one other approach eEye suggests is to use a different media player for ASX.

Comments

Anyone else think WMP sucks? The interface is horrible. It's even hard to find "File->Open." Also, on vista it keeps slowing down on me (like it's in slow motion). They seriously need to redesign it and make it more user friendly.

Score: 0

|

The latest Windows Media Player 11 is NOT affected by this flaw

Score: 0

|

Thanks Microsoft Security. I can tell that the initiative you took 4+ years ago to make your platform more secure has really helped your customers!

/me watches botnets attack my leg.

Score: 0

|

flaws are in every programs. You just only have interest to find them...

Score: 0

|

The article even points at steps WMP does take to try to prevent overflows. The developer has simply overlooked one possible method of writing a URL. It's easy to do, and it's taken many years for even security researches to spot the potential problem. I bet there are lots of media player apps that don't even do this much sanity checking.

Sometimes it's appropriate to lay the smack down on Microsoft. I don't think this is one of those times.

Score: 0

|

Don't wait for Microsoft's patch: Secure Windows now from today's 0-day

Microsoft is recommending users simply get rid of a vulnerable ActiveX control that no one even uses any more. We'll show you how to do that right now.

Nokia: Android? Are you crazy?

Rumors about new Android devices abound, but Nokia squashes this one.

Symantec goes live with Norton 2010 betas

Norton Internet Security and Norton Antivirus 2010 are now available for testing.

What's Now: Drenched with 'Purple Ra1n,' iPhone users caught eating 'redsn0w'

Plus: Symantec and McAfee go to war, and what's LucasArts building in its top-secret, moon-shaped orbital facility?

In New York, online booze loses a Circuit Court decision

Court worried about gangster influence if liquor purchased directly.

British Telecom sacks bitterly unpopular Phorm ad platform

Phorm under BT is no more, but the targeted ad service could still go on under Virgin or TalkTalk.

CBS is the last man standing against Hulu

Popular streaming syndication site Hulu now has all the major networks in its camp except CBS.

Not just Vista: The operating system is dying, too

Carmi Levy: Wide Angle Zoom Vista's troubles point to a bigger shift that will affect more than just Microsoft.

Bolt: the dark horse mobile browser

Bitstream's small-footprint mobile browser is available in Beta 3

IE8 WSUS update push to begin August 25

After months of availability to users willing to seek it out, Internet Explorer 8 will be rolled into Windows Server...

Geeks vs. journalists: A tale of two worldviews

Recovery with Angela Gunn Why geeks think most mainstream journalism is flaky, and why the mainstream thinks geeks are trying to kill them. (They're both right.)

Can Linux do BitLocker better than Windows 7?

Betanews kicks off a new series with a look at how the Linux operating system's FDE stacks up against BitLocker, the Windows feature that today commands a $120 premium.

Windows 7 ISO Verifier 1.0

July 6 - 5:40 PM ET

ProgDVB 6.10.2

July 6 - 5:19 PM ET

FreeBSD 8.0 Beta 1

July 6 - 4:58 PM ET

K-Lite Codec Pack 64-bit 2.5.0

July 6 - 3:55 PM ET

SysCheckUp 1.4.0

July 6 - 3:34 PM ET