CVE-2006-0025
CVSS 9.3
Published: 2006-06-13 15:06:00
Last modified: 2011-03-07 21:29:11

[Original] Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.


[CNNVD] Microsoft Windows Media Player PNG Chunk Decoding Stack Overflow Vulnerability (CNNVD-200606-292)

        Microsoft Media Player is a popular media player.
        Windows Media Player contains a stack overflow vulnerability when decoding the chunks of a PNG image file; an attacker who successfully exploits it can take complete control of the affected system.
        An attacker can create specially crafted Windows Media Player content; if a user visits a web site or opens a specially crafted e-mail message, arbitrary instructions are executed.

- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:microsoft:windows_media_player:10  Microsoft Windows Media Player 10
cpe:/a:microsoft:windows_media_player:9  Microsoft Windows Media Player 9

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1974  Windows Media Player PNG Vulnerability (v10.0 on S03)
oval:org.mitre.oval:def:1820  Windows Media Player PNG Vulnerability (v9.0)
oval:org.mitre.oval:def:1807  Windows Media Player PNG Vulnerability (v8.0)
oval:org.mitre.oval:def:1805  Windows Media Player PNG Vulnerability (v10.0, 64-bit)
oval:org.mitre.oval:def:1729  Windows Media Player PNG Vulnerability (v10.0 on WinXP)
oval:org.mitre.oval:def:1230  Windows Media Player PNG Vulnerability (v7.1)
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0025
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-292
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-164A.html
(UNKNOWN)  CERT  TA06-164A
http://www.kb.cert.org/vuls/id/608020
(UNKNOWN)  CERT-VN  VU#608020
http://www.securityfocus.com/bid/18385
(PATCH)  BID  18385
http://www.microsoft.com/technet/security/bulletin/ms06-024.mspx
(VENDOR_ADVISORY)  MS  MS06-024
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=406
(VENDOR_ADVISORY)  IDEFENSE  20060613 Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow
http://secunia.com/advisories/20626
(VENDOR_ADVISORY)  SECUNIA  20626
http://xforce.iss.net/xforce/xfdb/26788
(UNKNOWN)  XF  win-media-player-png-bo(26788)
http://www.vupen.com/english/advisories/2006/2322
(UNKNOWN)  VUPEN  ADV-2006-2322
http://www.osvdb.org/26430
(UNKNOWN)  OSVDB  26430
http://securitytracker.com/id?1016284
(UNKNOWN)  SECTRACK  1016284

- Vulnerability information

Microsoft Windows Media Player PNG Chunk Decoding Stack Overflow Vulnerability
High risk  Buffer overflow
2006-06-13 00:00:00 2006-06-14 00:00:00
Remote

- Advisories and patches

        Temporary workarounds:
        * Modify the access control list on the DirectX "Filter Graph no thread" registry key.
        * Back up and delete the DirectX "Filter Graph no thread" registry key.
        * Unregister Wmp.dll.
        * Remove the file association for the WMZ extension.
        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS06-024) and the corresponding patch:
        MS06-024: Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)
        Link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx
Temporary workarounds:
        * Disable the Remote Access Connection Manager service.
        * Block at the firewall:
         UDP ports 135, 137, 138 and 445, and TCP ports 135, 139, 445 and 593
         All unsolicited inbound traffic on ports above 1024
         Any other specifically configured RPC port
        * Use a personal firewall, such as the Internet Connection Firewall bundled with Windows XP and Windows Server 2003.
        * Enable advanced TCP/IP filtering on systems that support it.
        * Use IPSec on affected systems to block the affected ports.
        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS06-025) and the corresponding patch:
        MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
        Link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-025.mspx

- Vulnerability information

26430
Microsoft Windows Media Player PNG Processing Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Commercial Vendor Verified

- Vulnerability description

A remote overflow exists in Windows Media Player. The program fails to validate PNG image files resulting in a buffer overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-06-13 2006-02-22
2006-06-16 2006-07-19

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability in versions 9, 10 and XP. There is no current update for Windows 98, 98 SE or ME.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Media Player Malformed PNG Remote Code Execution Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 18385
Remote: Yes
Local: No
Published: 2006-06-13 12:00:00
Updated: 2008-01-17 04:58:00
Greg MacManus is credited with discovery of this vulnerability.

- Affected program versions

Microsoft Windows Media Player XP
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional
Microsoft Windows Media Player 9.0
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
Microsoft Windows Media Player 7.1
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Windows Media Player 10.0

- Vulnerability discussion

Microsoft Windows Media Player is prone to a remote code-execution vulnerability. This vulnerability is related to handling of malicious PNG images.

PNG images may be embedded in Windows Media Player skin files. Attackers may be able to exploit this issue by causing the application to load a malicious skin file, which could be hosted on an attacker-controlled web page or through email attachments. If successful, an attacker could execute arbitrary code in the context of the affected user.

Microsoft has stated that web-based attack scenarios are not possible with Media Player 7.1 on Windows 2000 SP4 and Media Player XP on Windows XP SP2. However, a victim may still be affected if they manually download and install a malicious skin file on these platforms.
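The defect these advisories describe is a PNG decoder that trusts the 32-bit chunk-length field of the file and copies that many bytes into a fixed-size stack buffer. As an added example (not code from this page, from Microsoft, or from any of the cited advisories), the following C parser shows the checks a decoder needs before it acts on a chunk length: the PNG specification's ceiling of 2^31 - 1 bytes, the number of bytes actually remaining in the input, and the capacity of the destination buffer. The sample chunks are constructed for this example; their CRC bytes are placeholders and are not verified here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum chunk data length the PNG specification allows (2^31 - 1). */
#define PNG_MAX_CHUNK_LEN 0x7FFFFFFFu
/* Smallest possible chunk: 4-byte length + 4-byte type + 4-byte CRC. */
#define PNG_CHUNK_OVERHEAD 12u

enum png_status {
    PNG_OK = 0,
    PNG_ERR_TRUNCATED,   /* declared length exceeds the bytes actually present */
    PNG_ERR_TOO_LARGE,   /* length above the spec ceiling or the caller's buffer */
    PNG_ERR_BAD_TYPE     /* chunk type is not four ASCII letters */
};

struct png_chunk {
    uint32_t length;
    char type[5];          /* NUL-terminated chunk type, e.g. "IHDR" */
    const uint8_t *data;   /* points into the caller's input, not copied */
    uint32_t crc;          /* read but not verified in this example */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the chunk at buf[0..len) without ever reading past the end of buf. */
enum png_status png_parse_chunk(const uint8_t *buf, size_t len,
                                struct png_chunk *out)
{
    if (len < PNG_CHUNK_OVERHEAD)
        return PNG_ERR_TRUNCATED;

    uint32_t clen = be32(buf);
    if (clen > PNG_MAX_CHUNK_LEN)
        return PNG_ERR_TOO_LARGE;
    /* Compare against what is left; len - overhead cannot underflow here. */
    if ((size_t)clen > len - PNG_CHUNK_OVERHEAD)
        return PNG_ERR_TRUNCATED;

    for (int i = 0; i < 4; i++) {
        unsigned char c = buf[4 + i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')))
            return PNG_ERR_BAD_TYPE;
        out->type[i] = (char)c;
    }
    out->type[4] = '\0';
    out->length = clen;
    out->data = buf + 8;
    out->crc = be32(buf + 8 + clen);
    return PNG_OK;
}

/* Copy chunk data into a fixed-capacity buffer. Copying chunk->length bytes
 * into a stack array without this capacity check is the pattern the advisory
 * describes; rejecting lengths above dst_cap is the fix. */
enum png_status png_copy_chunk_data(const struct png_chunk *chunk,
                                    uint8_t *dst, size_t dst_cap,
                                    size_t *copied)
{
    if (chunk->length > dst_cap)
        return PNG_ERR_TOO_LARGE;
    memcpy(dst, chunk->data, chunk->length);
    *copied = chunk->length;
    return PNG_OK;
}

/* Constructed sample: a well-formed IHDR chunk for a 16x16 8-bit RGB image.
 * The trailing CRC bytes are placeholders, not a computed checksum. */
const uint8_t sample_ihdr[] = {
    0x00, 0x00, 0x00, 0x0D,             /* length = 13 */
    'I', 'H', 'D', 'R',
    0x00, 0x00, 0x00, 0x10,             /* width 16 */
    0x00, 0x00, 0x00, 0x10,             /* height 16 */
    0x08, 0x02, 0x00, 0x00, 0x00,       /* depth, colour type, compression, filter, interlace */
    0x00, 0x00, 0x00, 0x00              /* CRC placeholder */
};

/* Constructed sample: the length field claims 2^31 - 1 bytes but no data follows. */
const uint8_t sample_oversized[] = {
    0x7F, 0xFF, 0xFF, 0xFF, 'I', 'H', 'D', 'R', 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: a length field above the specification ceiling. */
const uint8_t sample_over_spec[] = {
    0x80, 0x00, 0x00, 0x00, 'I', 'H', 'D', 'R', 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    struct png_chunk c;
    uint8_t stack_buf[64];
    size_t n = 0;

    enum png_status s = png_parse_chunk(sample_ihdr, sizeof sample_ihdr, &c);
    printf("IHDR parse: %d, length %u\n", (int)s, (unsigned)c.length);
    if (s == PNG_OK && png_copy_chunk_data(&c, stack_buf, sizeof stack_buf, &n) == PNG_OK)
        printf("copied %zu bytes\n", n);

    printf("oversized parse: %d\n",
           (int)png_parse_chunk(sample_oversized, sizeof sample_oversized, &c));
    printf("over-spec parse: %d\n",
           (int)png_parse_chunk(sample_over_spec, sizeof sample_over_spec, &c));
    return 0;
}
```

The two bounds are deliberately separate: the length is checked against the bytes remaining in the input before the chunk is accepted at all, and again against the destination capacity at the moment of the copy, so a chunk that is consistent with the file but larger than the decoder's working buffer is still rejected rather than written past the end of the buffer.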

- Exploit

A proof-of-concept exploit is available to members of the Immunity Partner's Program:

https://www.immunityinc.com/downloads/immpartners/MS06-024-PoC.wmz.tar.gz

Further reports suggest that exploit code is publicly available and that this issue is being actively exploited in the wild.

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Microsoft has released a security bulletin and fixes to address this issue.


Microsoft Windows Media Player 7.1

Microsoft Windows Media Player 9.0

Microsoft Windows Media Player XP

Microsoft Windows Media Player 10.0

- References
