Microsoft is aware of the vulnerability.

Since this successful remote exploitation of this vulnerability depends
on other mitigating factors, Microsoft believes it is not worthy of a
bulletin. This overflow will be fixed in XP service pack 1.

I will explain my understanding of the vulnerability. Perhaps someone
can discover another way to exploit this executable without the other
mitigating factors...

mplay32.exe -- found in system32 directory -- suffers from a buffer
overflow. If the exe is called with a file name equal to or longer than
279 characters, EIP is overwritten.

Exploit:

Open a command prompt.
mplay32.exe A<x279>.mp3

Note: This is a unicode overflow. EIP now equals 0x00410041.

The executable runs in the user context. Privilege escalation is not an
issue. Count out the possibility of a local vulnerability.

Can this be executed remotely? With certain mitigating factors.

On an unpatched IIS server we can call

/scripts/..%255c..%255cwinnt/system32.exe?/A<x279>.mp3

and set EIP to 0x00410041. (I'm not giving further details of what to do
next, but the information is available on the internet.)

I tried to load mplay32.exe with the <object> tags but could not get it
to parse the file extension. Perhaps others will have better luck. :)

I leave everyone with the exciting possibility that there is potential
for this to be remotely exploitable. Good luck.

'ken'FTU

-- 
"I grew convinced that truth, sincerity and integrity in dealings
between man and man were of the utmost importance to the felicity of
life, and I formed a written resolution to practise them ever while I
lived."
	-Benjamin Franklin, The Autobiography of Benjamin Franklin

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]