发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-05 16:31:40

[原文]Buffer overflow in mplay32.exe of Microsoft Windows Media Player (WMP) 6.3 through 7.1 allows remote attackers to execute arbitrary commands via a long mp3 filename command line argument. NOTE: since the only known attack vector requires command line access, this may not be a vulnerability.

[CNNVD]Windows mplay32本地缓冲区溢出漏洞(CNNVD-200212-771)

        Windows mplay32是一款Windows系统中自带的媒体播放器,可播放Mp3文件。
        Windows mplay32在处理长文件名mp3文件时缺少正确检查,本地攻击者可以利用这个漏洞进行远程缓冲区溢出攻击。
        Windows mplay32在处理长文件名mp3文件时存在漏洞,本地攻击者可以提供包含超过279字符文件名的mp3文件让mplay32播放,可导致产生缓冲溢出,由于mplay32.exe以用户本身权限执行,所以不能进行权限提升攻击,但如果利用其他如IIS WEB的Unicode漏洞,就可以远程利用这个漏洞可能获得一个WEB权限的SHELL。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:windows_media_player:7.1Microsoft windows_media_player 7.1
cpe:/a:microsoft:windows_media_player:6.3Microsoft windows_media_player 6.3
cpe:/a:microsoft:windows_media_player:6.4Microsoft windows_media_player 6.4
cpe:/a:microsoft:windows_media_player:xpMicrosoft windows_media_player xp
cpe:/a:microsoft:windows_media_player:7Microsoft windows_media_player 7

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  5357
(UNKNOWN)  XF  mediaplayer-mplay32-filename-bo(9727)

- 漏洞信息

Windows mplay32本地缓冲区溢出漏洞
高危 边界条件错误
2002-12-31 00:00:00 2005-10-20 00:00:00
        Windows mplay32是一款Windows系统中自带的媒体播放器,可播放Mp3文件。
        Windows mplay32在处理长文件名mp3文件时缺少正确检查,本地攻击者可以利用这个漏洞进行远程缓冲区溢出攻击。
        Windows mplay32在处理长文件名mp3文件时存在漏洞,本地攻击者可以提供包含超过279字符文件名的mp3文件让mplay32播放,可导致产生缓冲溢出,由于mplay32.exe以用户本身权限执行,所以不能进行权限提升攻击,但如果利用其他如IIS WEB的Unicode漏洞,就可以远程利用这个漏洞可能获得一个WEB权限的SHELL。

- 公告与补丁

        * 暂时没有合适的临时解决方法。

- 漏洞信息 (21670)

Microsoft Windows Media Player 6/7 Filename Buffer Overflow Vulnerability (EDBID:21670)
windows remote
2002-07-30 Verified
0 ken@FTU
N/A [点击下载]

The Microsoft Windows Media Player executable is prone to a buffer overflow condition when invoked with an oversized filename.

Since the program is executed in the context of the user invoking it, it is not likely that a local attacker could exploit this issue to gain elevated privileges. However, if the program can be invoked remotely or a user can be somehow enticed into invoking the program with a malformed filename, then this may be exploited by an attacker. Realistically, another exposure or vulnerability would have to exist on the host system for an attacker to exploit this issue.

It is not currently known exactly which versions of the software are affected. 

From the command prompt it is possible to reproduce this issue with this command:

mplay32.exe A<x279>.mp3

On an unpatched IIS server it is possibly to invoke the application with the following request:


- 漏洞信息

Microsoft Windows Media Player (WMP) mplay32.exe MP3 Filename Handling Local Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

- 时间线

2002-07-30 Unknow
Unknow Unknow

- 解决方案


Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete