CVE-2005-2128
CVSS 5.0
Published: 2005-10-12 09:04:00
Revised: 2008-09-10 15:41:06

[Original] QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.


[CNNVD] Microsoft Windows Media Player 9 'QUARTZ.DLL' Dynamic Link Library Overflow Vulnerability (CNNVD-200510-064)

        Windows Media Player is Microsoft's multimedia player, offering a high-quality digital media experience anywhere.
        The QUARTZ.DLL dynamic link library in Windows Media Player 9 allows an attacker to write a null byte to arbitrary memory via an AVI file, causing an overflow.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [No impact on system confidentiality]
Integrity impact: NONE [No impact on system integrity]
Availability impact: PARTIAL [May cause reduced performance or interruption of resource access]
Access complexity: LOW [No access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [No authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1434    WinXP,SP1 DirectShow Malicious avi File Vulnerability
oval:org.mitre.oval:def:1424    Server 2003 DirectShow Malicious avi File Vulnerability
oval:org.mitre.oval:def:1267    Win2k,SP4 DirectShow Malicious avi File Vulnerability
oval:org.mitre.oval:def:1231    WinXP,SP2 DirectShow Malicious avi File Vulnerability
oval:org.mitre.oval:def:1149    Server 2003,SP1 DirectShow Malicious avi File Vulnerability
oval:gov.nist.fdcc.patch:def:241    MS05-050: Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
oval:gov.nist.USGCB.patch:def:241    MS05-050: Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2128
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2128
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-064
(Official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA05-284A.html
(UNKNOWN)  CERT  TA05-284A
http://www.kb.cert.org/vuls/id/995220
(UNKNOWN)  CERT-VN  VU#995220
http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx
(VENDOR_ADVISORY)  MS  MS05-050
http://www.osvdb.org/18822
(UNKNOWN)  OSVDB  18822
http://www.securityfocus.com/bid/15063
(UNKNOWN)  BID  15063
http://www.eeye.com/html/research/advisories/AD20051011a.html
(UNKNOWN)  EEYE  AD20051011a
http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://secunia.com/advisories/17509
(UNKNOWN)  SECUNIA  17509
http://secunia.com/advisories/17172
(UNKNOWN)  SECUNIA  17172
http://secunia.com/advisories/17160
(UNKNOWN)  SECUNIA  17160

- Vulnerability Information

Microsoft Windows Media Player 9 'QUARTZ.DLL' Dynamic Link Library Overflow Vulnerability
Medium  Boundary Condition Error
2005-10-12 00:00:00 2005-10-20 00:00:00
Remote
        Windows Media Player is Microsoft's multimedia player, offering a high-quality digital media experience anywhere.
        The QUARTZ.DLL dynamic link library in Windows Media Player 9 allows an attacker to write a null byte to arbitrary memory via an AVI file, causing an overflow.

- Advisories and Patches

        No data available

- Vulnerability Information (F40633)

EEYEB-20050510.txt (PacketStormID:F40633)
2005-10-12 00:00:00
eEye  eeye.com
advisory,arbitrary
windows
CVE-2005-2128

eEye Security Advisory - eEye Digital Security has discovered a vulnerability in the Windows Media Player 9 AVI movie DirectX component that allows memory at an arbitrary address to be modified when a specially crafted AVI file is played. Exploitation of this vulnerability can allow the execution of attacker-supplied code on a victim's system with the privileges of the user who attempted to open the movie file. This vulnerability has been identified in a component of DirectX.

Microsoft DirectShow Remote Code Vulnerability

Release Date:
October 11, 2005

Date Reported:
May 10, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:

Windows 98, 98SE, ME
Windows 2000 SP4 - Microsoft DirectX 8.0 - 9.0c
Windows XP SP1 - SP2 - DirectX 9.0 - 9.0c
Windows Server 2003 - DirectX 9.0 - 9.0c

eEye ID# EEYEB20050510
OSVDB ID# 18822
CVE #: CAN-2005-2128


Overview:
eEye Digital Security has discovered a vulnerability in the Windows
Media Player 9 AVI movie DirectX component that allows memory at an
arbitrary address to be modified when a specially crafted AVI file is
played.  Exploitation of this vulnerability can allow the execution of
attacker-supplied code on a victim's system with the privileges of the
user who attempted to open the movie file.  This vulnerability has been
identified in a component of DirectX.

Technical Details:
Windows Media Player 9 uses QUARTZ.DLL to decode and play AVI movie
files.  Due to a lack of validation, QUARTZ can be made to store a null
byte to an arbitrary memory location by creating a malformed "strn"
element with a specifically chosen length field.  The following
vulnerable code in CAviMSROutPin::ParseHeader attempts to place a null
terminator after the ASCIIZ string contained in the "strn" data:

    6858A436    cmp     edi, 6E727473h  ; EDI = [EAX], element's "strn" tag
    6858A43C    jz      6858A45C
     ...
    6858A45C    cmp     ecx, ebx        ; EBX = 0
    6858A45E    jbe     6858A44C
    6858A460    lea     ecx, [eax+8]    ; ECX -> start of element data
     ...
    6858A469    mov     edi, [eax+4]    ; EDI = element length
    6858A46C    cmp     byte ptr [ecx+edi-1], 0
    6858A471    lea     ecx, [ecx+edi-1]
    6858A475    jz      6858A44C
    6858A477    and     byte ptr [ecx], 0

This vulnerability can be used to produce exploitation conditions
resembling those of a heap overflow, by modifying the encompassing heap
block's own header.  A length value of -(offset of "strn" element - 18h
+ 7) will cause the second byte of the block size field (at offset -7
within the heap header) to be zeroed, resulting in the heap management
code operating on arbitrary data from offsets below 800h within the
mutilated heap block.  

Because the destination for the stored null terminator is relative to
the address of the "strn" element -- and therefore relative to the start
of the heap block -- reliable exploitation is possible, and has been
demonstrated on each of the affected versions of Windows.
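As an added illustration (not part of the eEye advisory and not QUARTZ.DLL's code), the C program below models the terminator step shown in the disassembly: unchecked_terminator_offset computes where the unchecked "lea ecx,[ecx+edi-1] / and byte ptr [ecx],0" pair would land for a given element length, and terminate_strn_checked is a hardened form of the same step that validates the length against the bytes actually present before writing. Chunk layout follows the RIFF convention (FOURCC, little-endian length, data); all function names are this example's own and the sample chunk bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RIFF chunk layout as used inside an AVI 'strl' list: a 4-byte FOURCC, a
 * 4-byte little-endian length, then the data. For "strn" the data is the
 * stream name, an ASCIIZ string that QUARTZ.DLL null-terminates in place. */
#define FOURCC(a, b, c, d) \
    ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))
#define CC_STRN FOURCC('s', 't', 'r', 'n')   /* 0x6E727473, compared at 6858A436 */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Where the unchecked sequence
 *     mov edi,[eax+4] ; lea ecx,[ecx+edi-1] ; and byte ptr [ecx],0
 * lands, as a signed displacement from the start of the element data. x86
 * address arithmetic wraps mod 2^32, so a length near 0xFFFFFFFF resolves to a
 * byte *before* the element (the heap-header case the advisory describes).
 * This only computes the displacement; nothing is written. */
static int64_t unchecked_terminator_offset(uint32_t elem_len)
{
    uint32_t wrapped = elem_len - 1u;                  /* ecx + edi - 1, mod 2^32 */
    return (int64_t)(int32_t)wrapped;
}

/* Hardened version of the same step: the element length is used only after it
 * has been checked against the bytes actually present, so the write can never
 * leave buf[0 .. buflen). Returns 1 on success (filling *data_off/*data_len),
 * 0 if the chunk is truncated, not "strn", or claims more data than exists. */
static int terminate_strn_checked(uint8_t *buf, size_t buflen, size_t chunk_off,
                                  size_t *data_off, size_t *data_len)
{
    if (chunk_off > buflen || buflen - chunk_off < 8)
        return 0;                                      /* header itself truncated */
    if (rd_le32(buf + chunk_off) != CC_STRN)
        return 0;                                      /* not a "strn" chunk */
    uint32_t len = rd_le32(buf + chunk_off + 4);
    size_t data = chunk_off + 8;
    if (len == 0 || len > buflen - data)
        return 0;                                      /* the check QUARTZ.DLL lacked */
    if (buf[data + len - 1] != 0)                      /* cmp byte ptr [ecx+edi-1], 0 */
        buf[data + len - 1] = 0;                       /* provably inside the buffer */
    *data_off = data;
    *data_len = len;
    return 1;
}

/* Test fixture (constructed data): emit a "strn" chunk whose *declared* length
 * may disagree with the payload actually stored. Returns bytes written. */
static size_t make_strn_chunk(uint8_t *out, size_t cap, uint32_t declared_len,
                              const uint8_t *payload, size_t payload_len)
{
    if (cap < 8 + payload_len)
        return 0;
    wr_le32(out, CC_STRN);
    wr_le32(out + 4, declared_len);
    memcpy(out + 8, payload, payload_len);
    return 8 + payload_len;
}

int main(void)
{
    uint8_t buf[64];
    const uint8_t name[6] = { 'v', 'i', 'd', 'e', 'o', '!' };   /* constructed, unterminated */
    size_t off = 0, len = 0;

    /* Well-formed: declared length matches the stored data; terminator stays in bounds. */
    size_t n = make_strn_chunk(buf, sizeof buf, 6u, name, sizeof name);
    int ok = terminate_strn_checked(buf, n, 0, &off, &len);
    printf("valid chunk: ok=%d, last data byte now %u\n", ok, (unsigned)buf[off + len - 1]);

    /* Crafted: same 6 bytes of data, declared length 0xFFFFFFF0. */
    n = make_strn_chunk(buf, sizeof buf, 0xFFFFFFF0u, name, sizeof name);
    printf("crafted chunk: unchecked write lands %lld bytes from data start; checked parser ok=%d\n",
           (long long)unchecked_terminator_offset(0xFFFFFFF0u),
           terminate_strn_checked(buf, n, 0, &off, &len));
    return 0;
}
```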

Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina 

Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx

Credit:
Fang Xing

Greetings:
Thanks Derek and eEye guys help me analyze and wrote the advisory,
greetz xfocus and venus-tech lab's guys.


Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
    

- Vulnerability Information (F40630)

EEYEB-20050708.txt (PacketStormID:F40630)
2005-10-12 00:00:00
eEye  eeye.com
advisory,tcp
windows,2k
CVE-2005-2128

eEye Security Advisory - eEye Digital Security has discovered a critical vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC) service that would allow an anonymous attacker to take complete control over an affected system. MSDTC listens on TCP port 3372 and a dynamic high TCP port, and is enabled by default on all Windows 2000 systems.

Microsoft Distributed Transaction Coordinator Memory Modification
Vulnerability

Release Date:
October 11, 2005

Date Reported:
July 8, 2005

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000 Server SP0 - SP4
     - Vulnerable - Anonymous remotely exploitable by default

Windows XP SP0 - SP1
     - Not Vulnerable by default
     - Vulnerable if Service Started (Anonymously)

Windows 2003 Server SP0
     - Not Vulnerable by default
     - Vulnerable if anonymous Network DTC Access is enabled

eEye ID#:  EEYEB20050708
OSVDB #:  18828
CVE #:  CAN-2005-2119

Overview:
eEye Digital Security has discovered a critical vulnerability in the
Microsoft Distributed Transaction Coordinator (MSDTC) service that would
allow an anonymous attacker to take complete control over an affected
system. MSDTC listens on TCP port 3372 and a dynamic high TCP port, and
is enabled by default on all Windows 2000 systems.

Technical Details:
The Distributed Transaction Coordinator interface proxy (MSDTCPRX.DLL)
functions as an RPC server that handles requests on the interface
{906B0CE0-C70B-1067-B317-00DD010662DA} v1.0.  Its MIDL_user_allocate
function implementation features an unusual behavior in that will always
allocate a single 4KB page of memory using VirtualAlloc, regardless of
how much memory is requested. Therefore, allocation will always succeed
and return a pointer to a 4KB block, entirely disregarding the
allocation size -- which, in the case of the BuildContextW (opnum 7) RPC
function, is specified by the caller.

Because the memory is allocated using VirtualAlloc, it will not
generally have any neighboring data that can be overwritten, but it
turns out that the RPC run-time library itself has a behavior that can
be exploited in conjunction with MSDTCPRX's unconventional allocation
routine. As the following disassembly illustrates, RPCRT4.DLL's
NdrAllocate function attempts to store certain management data after
blocks it allocates:

; ESI = allocation size rounded up to 8-byte multiple
; EBX = total allocation size (alloc size + 0Ch)
; checked for integer overflow, so alloc size must be <= FFFFFFF0h

786F828D    push    ebx                 ; EBX = total alloc size
786F828E    call    dword ptr [edi+48h] ; MSDTCPRX.DLL!MIDL_user_allocate
786F8291    mov     ebx, eax
786F8293    test    ebx, ebx
786F8295    jz      78735490
786F829B    lea     eax, [esi+ebx]      ; ESI = allocation size
786F829E    lea     ecx, [edi+0B0h]
786F82A4    mov     dword ptr [eax], 4D454D4Ch  ; +00h "LMEM" tag
786F82AA    mov     [eax+4], ebx                ; +04h start of block
786F82AD    mov     edx, [ecx]
786F82AF    mov     [eax+8], edx                ; +08h singly-linked list
786F82B2    mov     [ecx], eax          ; add this block to linked list

Because the user-supplied allocation size is implicitly "validated" by
the success of the allocation function, any size value FFFFFFF0h or less
can be passed to NdrAllocate, and as a result, these 12 bytes of
management data can be stored at an arbitrary address relative to the
location of the VirtualAlloc'ed memory. The second of the three
DWORD-size fields is a pointer to this memory, which facilitates
exploitation even further.
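As an added simulation (not eEye's code and not Microsoft's), the C program below models the allocator contract the advisory describes: ndr_allocate_sim rounds the caller's size up to a multiple of 8, adds 12, rejects integer overflow, and stores the "LMEM" trailer at base + rounded size, trusting that the user allocator returned that much. A stand-in for MSDTCPRX's MIDL_user_allocate that always returns one 4KB page (fixed_page_allocate) is set beside a hypothetical contract-honouring replacement (checked_allocate); the simulation compares the trailer displacement against the block's real capacity and refuses to write instead of writing out of bounds. All function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PAGE_BYTES    4096u    /* the single page MIDL_user_allocate always returned */
#define TRAILER_BYTES   12u    /* "LMEM" tag + start-of-block pointer + list link */
#define LMEM_TAG 0x4D454D4Cu   /* the constant stored at 786F82A4 */

/* An allocation carries its real capacity so the simulation can bounds-check
 * instead of actually writing past the block. */
typedef struct { uint8_t *base; size_t capacity; } alloc_t;

/* Mimics the MSDTCPRX.DLL behaviour in the advisory: ignore the request and
 * hand back one 4KB block, so any size "succeeds". */
static alloc_t fixed_page_allocate(uint32_t requested)
{
    alloc_t a = { calloc(1, PAGE_BYTES), PAGE_BYTES };
    (void)requested;                                   /* deliberately ignored */
    return a;
}

/* Hypothetical contract-honouring replacement: refuse any request the block
 * cannot hold, so the caller's size can never exceed the real capacity. */
static alloc_t checked_allocate(uint32_t requested)
{
    alloc_t a = { NULL, 0 };
    if (requested == 0 || requested > PAGE_BYTES)
        return a;                                      /* fail instead of lying */
    a.base = calloc(1, PAGE_BYTES);
    a.capacity = a.base ? PAGE_BYTES : 0;
    return a;
}

/* NdrAllocate as the disassembly shows it: round the caller's size up to a
 * multiple of 8 (ESI), add 12 for the trailer (EBX), reject integer overflow,
 * call the user allocator with the total, then store the trailer at
 * base + ESI. *trailer_off receives that displacement. Returns 1 only if the
 * trailer fits inside the block; otherwise nothing is written and 0 is
 * returned (the real code would have stored the 12 bytes there regardless). */
static int ndr_allocate_sim(alloc_t (*user_alloc)(uint32_t), uint32_t size,
                            alloc_t *out, uint32_t *trailer_off)
{
    out->base = NULL; out->capacity = 0; *trailer_off = 0;
    if (size > 0xFFFFFFF0u)
        return 0;                                      /* ESI + 0Ch would wrap */
    uint32_t rounded = (size + 7u) & ~7u;              /* ESI */
    uint32_t total = rounded + TRAILER_BYTES;          /* EBX */
    alloc_t a = user_alloc(total);
    if (a.base == NULL)
        return 0;
    *out = a;
    *trailer_off = rounded;
    if ((uint64_t)rounded + TRAILER_BYTES > a.capacity)
        return 0;                                      /* trailer would land past the block */
    uint32_t trailer[3] = { LMEM_TAG, 0u, 0u };        /* +00h tag; +04h/+08h left 0 in this model */
    memcpy(a.base + rounded, trailer, sizeof trailer);
    return 1;
}

static void release(alloc_t *a) { free(a->base); a->base = NULL; a->capacity = 0; }

int main(void)
{
    alloc_t blk; uint32_t off;
    int ok = ndr_allocate_sim(fixed_page_allocate, 0x2000u, &blk, &off);
    printf("fixed-page allocator, 8KB request: trailer offset 0x%X, in bounds=%d\n", off, ok);
    release(&blk);
    ok = ndr_allocate_sim(checked_allocate, 0x2000u, &blk, &off);
    printf("checked allocator, 8KB request: refused=%d\n", !ok && blk.base == NULL);
    release(&blk);
    return 0;
}
```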

Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina 

Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx

Credit:
Fang Xing

Greetings:
Thanks Derek and eEye guys help me analyze and wrote the advisory,
greetz xfocus and venus-tech lab's guys.


- Vulnerability Information (F40619)

Technical Cyber Security Alert 2005-284A (PacketStormID:F40619)
2005-10-12 00:00:00
US-CERT  cert.org
advisory,remote,denial of service,arbitrary,vulnerability
windows
CVE-2005-2120,CVE-2005-1987,CVE-2005-2122,CVE-2005-2128,CVE-2005-2119,CVE-2005-1978,CVE-2005-2127,CVE-2005-0163

Microsoft has released updates that address critical vulnerabilities in Windows, Internet Explorer, and Exchange Server. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on an affected system.


            Technical Cyber Security Alert TA05-284A 
  Microsoft Windows, Internet Explorer, and Exchange Server
  Vulnerabilities

   Original release date: October 11, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows
     * Microsoft Internet Explorer
     * Microsoft Exchange Server

   For more complete information, refer to the Microsoft Security
   Bulletin Summary for October 2005.

Overview

   Microsoft has released updates that address critical vulnerabilities
   in Windows, Internet Explorer, and Exchange Server. Exploitation of
   these vulnerabilities could allow a remote, unauthenticated attacker
   to execute arbitrary code or cause a denial of service on an affected
   system.

I. Description

   Microsoft Security Bulletins for October 2005 address vulnerabilities
   in Windows and Internet Explorer. Further information is available in
   the following US-CERT Vulnerability Notes:


   VU#214572 - Microsoft Plug and Play fails to properly validate user
   supplied data 

   Microsoft Plug and Play contains a flaw in the handling of message
   buffers that may result in local or remote arbitrary code execution or
   denial-of-service conditions.
   (CAN-2005-2120)


   VU#883460 - Microsoft Collaboration Data Objects buffer overflow 

   A buffer overflow in Microsoft Collaboration Data Objects may allow a
   remote, unauthenticated attacker to execute arbitrary code on a
   vulnerable system.
   (CAN-2005-1987)


   VU#922708 - Microsoft Windows Shell fails to handle shortcut files
   properly 

   Microsoft Windows Shell does not properly handle some shortcut files
   and may permit arbitrary code execution when a specially-crafted file
   is opened.
   (CAN-2005-2122)


   VU#995220 - Microsoft DirectShow buffer overflow 

   A buffer overflow in Microsoft DirectShow may allow a remote,
   unauthenticated attacker to execute arbitrary code on a vulnerable
   system.
   (CAN-2005-2128)


   VU#180868 - Microsoft Distributed Transaction Coordinator vulnerable
   to buffer overflow via specially crafted network message 

   Microsoft Distributed Transaction Coordinator (MSDTC) may be
   vulnerable to a flaw that allows remote, unauthenticated attackers to
   execute arbitrary code.
   (CAN-2005-2119)


   VU#950516 - Microsoft COM+ contains a memory management flaw 

   Microsoft COM+ contains a vulnerability due to a memory management
   flaw that may allow an attacker to take complete control of an
   affected system.
   (CAN-2005-1978)


   VU#959049 - Several COM objects cause memory corruption in Microsoft
   Internet Explorer 

   Microsoft Internet Explorer will initialize COM objects that were not
   intended to be used in the web browser. Several COM objects have been
   identified that may allow an attacker to execute arbitrary code or
   crash Internet Explorer.
   (CAN-2005-2127)


   VU#680526 - Microsoft Internet Explorer allows non-ActiveX COM objects
   to be instantiated

   Microsoft Internet Explorer will initialize COM objects that were not
   intended to be used in the web browser. This may allow an attacker to
   execute arbitrary code or crash Internet Explorer.
   (CAN-2005-0163)

II. Impact

   Exploitation of these vulnerabilities may allow a remote,
   unauthenticated attacker to execute arbitrary code with SYSTEM
   privileges or with the privileges of the user. If the user is logged
   on with administrative privileges, the attacker could take complete
   control of an affected system. An attacker may also be able to cause a
   denial of service.

III. Solution

Apply Updates

   Microsoft has provided the updates for these vulnerabilities in the
   Security Bulletins and on the Microsoft Update site.

Workarounds

   Please see the following US-CERT Vulnerability Notes for workarounds.

Appendix A. References

     * Microsoft Security Bulletin Summary for October 2005 -
       <http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx>

     * US-CERT Vulnerability Note VU#214572 -
       <http://www.kb.cert.org/vuls/id/214572>

     * US-CERT Vulnerability Note VU#883460 -
       <http://www.kb.cert.org/vuls/id/883460>

     * US-CERT Vulnerability Note VU#922708 -
       <http://www.kb.cert.org/vuls/id/922708>

     * US-CERT Vulnerability Note VU#995220 -
       <http://www.kb.cert.org/vuls/id/995220>

     * US-CERT Vulnerability Note VU#180868 -
       <http://www.kb.cert.org/vuls/id/180868>

     * US-CERT Vulnerability Note VU#950516 -
       <http://www.kb.cert.org/vuls/id/950516>

     * US-CERT Vulnerability Note VU#959049 -
       <http://www.kb.cert.org/vuls/id/959049>

     * US-CERT Vulnerability Note VU#680526 -
       <http://www.kb.cert.org/vuls/id/680526>

     * CAN-2005-2120 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120>

     * CAN-2005-1987 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1987>

     * CAN-2005-2122 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122>

     * CAN-2005-2128 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2128>

     * CAN-2005-2119 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2119>

     * CAN-2005-1978 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1978>

     * CAN-2005-2127 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127>

     * CAN-2005-0163 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0163>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>


  _________________________________________________________________

   The most recent version of this document can be found at:

   <http://www.us-cert.gov/cas/techalerts/TA05-284A.html> 
  _________________________________________________________________

   Feedback can be directed to US-CERT.  Please send email to:
   <cert@cert.org> with "TA05-284A Feedback VU#959049" in the subject.
  _________________________________________________________________

   Revision History

   Oct 11, 2004: Initial release
  _________________________________________________________________

   Produced 2005 by US-CERT, a government organization.
  
   Terms of use

   <http://www.us-cert.gov/legal.html>
  _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this 
   mailing list, visit <http://www.us-cert.gov/cas/>.
    

- Vulnerability Information

18822
Microsoft DirectX DirectShow QUARTZ.DLL AVI Processing Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability Description

A remote overflow exists in Microsoft DirectX. The 'QUARTZ.DLL' library fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted AVI movie file, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-10-11 Unknown
Unknown 2005-10-11

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability Author

- Vulnerability Information

Microsoft DirectX DirectShow AVI Processing Buffer Overflow Vulnerability
Boundary Condition Error 15063
Yes No
2005-10-11 12:00:00 2009-07-12 05:07:00
Discovery is credited to Fang Xing of eEye Digital Security.

- Affected Program Versions

Nortel Networks Centrex IP Element Manager 2.5
Nortel Networks Centrex IP Client Manager 2.5
Nortel Networks CallPilot 4.0
Nortel Networks CallPilot 3.0
Nortel Networks CallPilot 2.0
Nortel Networks CallPilot 1.0.7
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Advanced Server SP4
Microsoft Small Business Server 2003
Microsoft DirectX 9.0b
Microsoft DirectX 9.0 c
Microsoft DirectX 9.0 a
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
+ Microsoft Windows ME
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP 0
+ Microsoft Windows XP 64-bit Edition SP1
+ Microsoft Windows XP 64-bit Edition
+ Microsoft Windows XP Home SP1
+ Microsoft Windows XP Home
+ Microsoft Windows XP Media Center Edition
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional
Microsoft DirectX 9.0
Microsoft DirectX 8.2
Microsoft DirectX 8.1 b
Microsoft DirectX 8.1 a
Microsoft DirectX 8.1
Microsoft DirectX 8.0 a
Microsoft DirectX 8.0
Microsoft DirectX 7.0
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
Avaya Unified Communication Center
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya S3400 Message Application Server 0
+ Microsoft Windows 2000 Server
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers

- Vulnerability Discussion

A buffer overflow vulnerability exists in the Microsoft Windows DirectX component. This issue is related to processing of .AVI (Audio Visual Interleave) media files. The specific vulnerability exists in DirectShow and could be exposed through applications that employ DirectShow to process .AVI files.

Successful exploitation will permit execution of arbitrary code in the context of the user who opens a malicious .AVI file.

This issue could be exploited through any means that will allow the attacker to deliver a malicious .AVI file to a victim user. In Web-based attack scenarios, exploitation could occur automatically if the malicious Web page can cause the .AVI file to be loaded automatically by Windows Media Player. Other attack vectors such as email or instant messaging may require the victim user to manually open the malicious .AVI.

It is not known if third-party applications rely on DirectShow to process .AVI files. If so, these applications could also present an attack vector.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Microsoft has released updates to address this vulnerability. Fixes for Windows 98/98SE/ME are available through Windows Update.

Avaya has released advisory ASA-2005-214 to state which Avaya products are affected by the October 2005 release of Microsoft Windows security updates. Please see the referenced advisory for further information.

Nortel Networks has released a technical support bulletin (2005006318) regarding this and other issues for their Centrex IP Client Manager (CICM). They report the vulnerabilities will be fixed in the upcoming 2.5, 7.0 and 8.0 maintenance releases. Please see the referenced bulletin for further information.

Nortel Networks has released a technical support bulletin (2005006315) regarding this issue for CallPilot. Users are advised to contact Nortel for further information.

Microsoft has updated Microsoft Security Bulletin MS05-050 detailing possible problems with previous updates; new updates are also available. Please see the referenced advisory for further information.


Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft DirectX 8.1 a
Microsoft Small Business Server 2003
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP1
Microsoft DirectX 8.0
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft DirectX 8.0 a
Microsoft DirectX 9.0 c
Microsoft DirectX 8.1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft DirectX 9.0 a
Microsoft DirectX 8.1 b
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft DirectX 8.2
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft DirectX 9.0b
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft DirectX 9.0
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1

- References
