CVE-2003-0346
CVSS7.5
发布时间 :2003-08-27 00:00:00
修订时间 :2016-10-17 22:32:51
NMCOS    

[原文]Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.


[CNNVD]Windows MIDI解析器quartz.dll远程堆破坏漏洞(MS03-030)(CNNVD-200308-167)

        
        DirectX包含一套低级别API可由Windows程序调用来支持多媒体,其中quartz.dll允许Windows应用程序通过普通接口播放MIDI音乐。Windows Media Player和IE使用此dll来播放MIDI文件。
        quartz.dll在处理畸形MIDI文件时存在问题,远程攻击者可以利用这个漏洞构建恶意WEB页面,诱使用户访问,以用户进程权限在系统上执行任意指令。
        quartz.dll存在整数溢出而导致的堆破坏漏洞,如果MIDI文件中的Text或Copyright字符串的长度为FFFFFFFFh,quartz尝试分配0字节大小的堆快,然后拷贝text字符串或任何下面的数据到新分配的堆中,结果导致0字节块相邻的对内存结构被破坏。
        主要问题是quartz增加指定字符串的长度没有进行任何缓冲区边界检查,增加的值(now 0)传递给LocalAlloc(),然后memcpy()函数将会使用原始值(FFFFFFFFh)从文件映象中拷贝字符串到堆缓冲区中。
        还有一个堆破坏发生在16位整数溢出中,问题存在于MThd chunk的轨道数中,这个数值是一个16位整数,用于部分算法中可以判断轨道数据结构数组所需的大小,如块的大小按照如下方法计算:
         (number_of_tracks * 24h) + 9E0h
        
        如果设置轨道数为1751(6D7h)或更大会导致分配一个不充分的较小的堆块,导致在拷贝数据的时候发生溢出。Windows 2003不受此漏洞影响。
        攻击者可以利用构建恶意WEB页面,或发送使用HTML形式的EMAIL给有此漏洞的用户。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:directx:5.2Microsoft DirectX 5.2
cpe:/a:microsoft:directx:6.1Microsoft DirectX 6.1
cpe:/a:microsoft:directx:7.0Microsoft DirectX 7.0
cpe:/a:microsoft:directx:7.0aMicrosoft DirectX 7.0a
cpe:/a:microsoft:directx:9.0aMicrosoft DirectX 9.0a
cpe:/a:microsoft:directx:8.1Microsoft DirectX 8.1

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:218Integer Overflows in Windows NT DirectX MIDI Library (QUARTZ.DLL)
oval:org.mitre.oval:def:1104DirectX 9 DirectShow Malicious MIDI File Vulnerability
oval:org.mitre.oval:def:1095DirectX 8 DirectShow Malicious MIDI File Vulnerability
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0346
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0346
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-167
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=105899759824008&w=2
(UNKNOWN)  BUGTRAQ  20030723 EEYE: Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption
http://www.cert.org/advisories/CA-2003-18.html
(VENDOR_ADVISORY)  CERT  CA-2003-18
http://www.kb.cert.org/vuls/id/265232
(UNKNOWN)  CERT-VN  VU#265232
http://www.kb.cert.org/vuls/id/561284
(UNKNOWN)  CERT-VN  VU#561284
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
(VENDOR_ADVISORY)  MS  MS03-030

- 漏洞信息

Windows MIDI解析器quartz.dll远程堆破坏漏洞(MS03-030)
高危 边界条件错误
2003-08-27 00:00:00 2005-10-20 00:00:00
远程  
        
        DirectX包含一套低级别API可由Windows程序调用来支持多媒体,其中quartz.dll允许Windows应用程序通过普通接口播放MIDI音乐。Windows Media Player和IE使用此dll来播放MIDI文件。
        quartz.dll在处理畸形MIDI文件时存在问题,远程攻击者可以利用这个漏洞构建恶意WEB页面,诱使用户访问,以用户进程权限在系统上执行任意指令。
        quartz.dll存在整数溢出而导致的堆破坏漏洞,如果MIDI文件中的Text或Copyright字符串的长度为FFFFFFFFh,quartz尝试分配0字节大小的堆快,然后拷贝text字符串或任何下面的数据到新分配的堆中,结果导致0字节块相邻的对内存结构被破坏。
        主要问题是quartz增加指定字符串的长度没有进行任何缓冲区边界检查,增加的值(now 0)传递给LocalAlloc(),然后memcpy()函数将会使用原始值(FFFFFFFFh)从文件映象中拷贝字符串到堆缓冲区中。
        还有一个堆破坏发生在16位整数溢出中,问题存在于MThd chunk的轨道数中,这个数值是一个16位整数,用于部分算法中可以判断轨道数据结构数组所需的大小,如块的大小按照如下方法计算:
         (number_of_tracks * 24h) + 9E0h
        
        如果设置轨道数为1751(6D7h)或更大会导致分配一个不充分的较小的堆块,导致在拷贝数据的时候发生溢出。Windows 2003不受此漏洞影响。
        攻击者可以利用构建恶意WEB页面,或发送使用HTML形式的EMAIL给有此漏洞的用户。
        

- 公告与补丁

        厂商补丁:
        Microsoft
        ---------
        Microsoft已经为此发布了一个安全公告(MS03-030)以及相应补丁:
        MS03-030:Unchecked Buffer in DirectX Could Enable System Compromise (Q819696)
        链接:
        http://www.microsoft.com/technet/security/bulletin/MS03-030.asp

        补丁下载:
        Windows 98, Windows 98 SE和Windows Millennium Edition系统下的Microsoft DirectX 5.2, DirectX 6.1和DirectX 7.0a:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=141D5F9E-07C1-462A-BAEF-5EAB5C851CF5&displaylang=en

        Windows 2000 下的Microsoft DirectX 7.0 :
        
        http://microsoft.com/downloads/details.aspx?FamilyId=7D0E4787-A993-4C49-A5A7-9A6DE8EFDB9E&displaylang=en

        Windows XP 32-bit Edition下的Microsoft DirectX 8.1:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=5ABA6A3B-F67B-4B18-B4B5-62E69A0104CE&displaylang=en

        Windows XP 64-bit Edition 下的Microsoft DirectX 8.1:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=8F23F7AF-5317-4502-8B17-7C1A2139EBDC&displaylang=en

        Windows Server 2003 32-bit Edition 下的Microsoft DirectX 8.1:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=A5156FF8-1812-4DB4-9175-BF9CA370279D&displaylang=en

        Windows Server 2003 64-bit Edition 下的Microsoft DirectX 8.1:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=59732FCF-993A-45E8-8BA4-064575055D86&displaylang=en

        所有Windows版本下的Microsoft DirectX 9.0a:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=22F990CB-E9F9-4670-8B4F-AC4F6F66C3A2&displaylang=en

        Microsoft Windows NT 4.0:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=E238B8A1-4146-400A-A6F6-68E0D3B44163&displaylang=en

        Microsoft Windows NT 4.0, Terminal Server Edition:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=BC72BE54-081D-43AE-B9C9-D08496C03BA3&displaylang=en

        All Windows Versions except Windows NT 4.0:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=141D5F9E-07C1-462A-BAEF-5EAB5C851CF5&displaylang=en

- 漏洞信息

13389
Microsoft Windows DirectX QUARTZ.DLL Multiple Field .mid File Overflows
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-07-23 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Microsoft DirectShow MIDI Filetype Buffer Overflow Vulnerability
Boundary Condition Error 8262
Yes No
2003-07-23 12:00:00 2009-07-11 10:56:00
Discovery is credited to eEye Digital Security.

- 受影响的程序版本

Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Terminal Server 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
Microsoft DirectX 9.0 a
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
+ Microsoft Windows 2000 Server
+ Microsoft Windows ME
+ Microsoft Windows ME
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP 0
+ Microsoft Windows XP 64-bit Edition SP1
+ Microsoft Windows XP 64-bit Edition SP1
+ Microsoft Windows XP 64-bit Edition
+ Microsoft Windows XP 64-bit Edition
+ Microsoft Windows XP Home SP1
+ Microsoft Windows XP Home SP1
+ Microsoft Windows XP Home
+ Microsoft Windows XP Home
+ Microsoft Windows XP Media Center Edition
+ Microsoft Windows XP Media Center Edition
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional
Microsoft DirectX 8.1 b
Microsoft DirectX 8.1 a
Microsoft DirectX 8.1
Microsoft DirectX 8.0 a
Microsoft DirectX 8.0
Microsoft DirectX 7.1
Microsoft DirectX 7.0 a
+ Microsoft Windows ME
+ Microsoft Windows ME
Microsoft DirectX 7.0
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
+ Microsoft Windows 2000 Server
Microsoft DirectX 6.1
+ Microsoft Windows 98SE
+ Microsoft Windows 98SE
Microsoft DirectX 5.2
+ Microsoft Windows 98
+ Microsoft Windows 98

- 漏洞讨论

Microsoft DirectX is vulnerable to two buffer overflows in the routine used to handle MIDI files. These vulnerabilities may allow attackers to construct a specially malformed MIDI file that when executed, overruns an internal buffer and potentially executes arbitrary code.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 解决方案

Microsoft has released fixes for this issue.


Microsoft Windows NT Terminal Server 4.0 SP6

Microsoft DirectX 7.0 a

Microsoft DirectX 7.0

Microsoft Windows NT Workstation 4.0 SP6a

Microsoft Windows NT Server 4.0 SP6a

Microsoft DirectX 9.0 a

Microsoft Windows NT 4.0 SP6a

Microsoft DirectX 8.1

Microsoft DirectX 5.2

Microsoft DirectX 6.1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站