
HTTP WMP Malformed PNG Handling BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects malformed PNG files that could cause a buffer overflow in Windows Media Player.

Additional Information

A stack-based buffer overflow vulnerability exists in Windows Media Player (WMP) because of the way it processes .PNG files. An attacker can craft a malformed PNG file that causes Windows Media Player to overrun a stack-based buffer in WMP.DLL, allowing arbitrary code to run in the context of the currently logged-on user. The PNG file format specification can be found at: //www.w3.org/TR/2003/REC-PNG-20031110/.

The PNG file format is composed of a sequence of 'chunks', each of which begins with a standard chunk header. Part of that header is a 4-byte 'data length' field stating how many bytes of data the chunk contains. For most chunk types, Windows Media Player's chunk-processing code allocates a 4096-byte array on the stack for the chunk data, but it does not verify that the length read from the file is at most 4096 bytes before filling that array, so a chunk that declares a larger length overruns the buffer.
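The chunk-walking logic described above, as an added example (editorial code, not Symantec's signature or Microsoft's WMP code): a small C parser over a constructed in-memory PNG that counts chunks declaring more than 4096 bytes of data, with the unchecked copy the advisory describes shown beside a bounds-checked version. The 4096-byte buffer size comes from the advisory; the sample files, the zero CRC placeholders, the choice of a tEXt chunk and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_BUF_SIZE 4096   /* fixed stack buffer size the advisory describes */

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

/* PNG chunk lengths are big-endian 32-bit integers. */
uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The advisory's pattern: the declared length is trusted, so a chunk claiming more than
 * 4096 bytes overruns buf. For contrast only; never call this on untrusted input. */
void copy_chunk_unchecked(const uint8_t *data, uint32_t declared_len)
{
    char buf[CHUNK_BUF_SIZE];
    memcpy(buf, data, declared_len);          /* no bounds check: stack overflow */
}

/* Hardened form: the length must fit the buffer and the bytes left in the file. */
int copy_chunk_checked(const uint8_t *data, uint32_t declared_len,
                       size_t remaining, char out[CHUNK_BUF_SIZE])
{
    if (declared_len > CHUNK_BUF_SIZE || declared_len > remaining)
        return -1;                            /* rejected */
    memcpy(out, data, declared_len);
    return 0;
}

/* Walk an in-memory PNG and count chunks whose declared length exceeds CHUNK_BUF_SIZE,
 * the condition this signature looks for. Returns -1 if the PNG signature is missing;
 * CRCs are not verified. */
int count_oversize_chunks(const uint8_t *png, size_t len)
{
    size_t off = 8;
    int oversize = 0;
    if (len < 8 || memcmp(png, PNG_SIG, 8) != 0)
        return -1;
    while (off + 12 <= len) {                 /* room for length + type + CRC */
        uint32_t clen = be32(png + off);
        size_t remaining = len - (off + 8);   /* bytes after this chunk header */
        if (clen > CHUNK_BUF_SIZE)
            oversize++;
        if (memcmp(png + off + 4, "IEND", 4) == 0 || clen > remaining - 4)
            break;                            /* end marker, or data runs past EOF */
        off += 12 + (size_t)clen;
    }
    return oversize;
}

/* Append a chunk with an arbitrary declared length; the CRC is a zero placeholder. */
size_t put_chunk(uint8_t *out, uint32_t declared_len, const char *type,
                 const uint8_t *data, size_t actual_len)
{
    out[0] = (uint8_t)(declared_len >> 24); out[1] = (uint8_t)(declared_len >> 16);
    out[2] = (uint8_t)(declared_len >> 8);  out[3] = (uint8_t)declared_len;
    memcpy(out + 4, type, 4);
    if (actual_len)
        memcpy(out + 8, data, actual_len);
    memset(out + 8 + actual_len, 0, 4);
    return 12 + actual_len;
}

/* Constructed sample (not a real file): signature, 1x1 IHDR, IEND. With malformed != 0,
 * a tEXt chunk declaring 65536 bytes but carrying only 16 is inserted before IEND. */
size_t build_sample_png(uint8_t *out, size_t cap, int malformed)
{
    static const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0};
    uint8_t filler[16];
    size_t off = 8;
    if (cap < 80)
        return 0;
    memset(filler, 'A', sizeof filler);
    memcpy(out, PNG_SIG, 8);
    off += put_chunk(out + off, 13, "IHDR", ihdr, 13);
    if (malformed)
        off += put_chunk(out + off, 0x10000, "tEXt", filler, sizeof filler);
    off += put_chunk(out + off, 0, "IEND", NULL, 0);
    return off;
}

/* Build one sample and scan it; returns the number of oversize chunks found. */
int scan_sample(int malformed)
{
    uint8_t png[128];
    size_t n = build_sample_png(png, sizeof png, malformed);
    return count_oversize_chunks(png, n);
}

int main(void)
{
    printf("benign sample: %d oversize chunk(s); malformed sample: %d oversize chunk(s)\n",
           scan_sample(0), scan_sample(1));
    return 0;
}
```

Note that the length check in copy_chunk_checked tests against both the destination size and the bytes actually left in the file: the malformed sample declares 65536 bytes but carries 16, so a parser that checked only the buffer size would still read past the end of the input.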

The following are the likely attack vectors for this issue:

Web-based Attack Vectors: These are the most dangerous attack vectors, because they are either "view and you're owned" or "click and you're owned" vectors that don't require much, if any, social engineering.

1. Object Tag Attack
a. Attacker hosts the Media Player ActiveX control on their Web page and configures it to play a PNG hosted on their server. As soon as the user browses to the attacker's site, Internet Explorer loads the control without prompting the user (by default) and processes the PNG.

2. ASX MetaFile Attack
a. Attacker hosts a Windows Media Player MetaFile (.ASX etc.) on a Web server that, when clicked, causes Media Player to open and directs it to a malformed PNG for playback.
b. The ASX could also be placed in a local folder or on a file share, and an administrator could be enticed into double-clicking it, turning the issue into a local-user-to-administrator elevation-of-privilege (EoP) attack.

3. Content-Type Header Attack
a. Attacker hosts a PNG on a Web server, configures the server to return a "Content-Type" header of "video/x-ms-asf" for PNG files, and entices the user to click on a link to the PNG.
b. Internet Explorer launches Media Player to process the PNG file based on the "Content-Type" header returned by the server.

Affected

  • Microsoft Windows Media Player XP, 9.0, 10.0

Response

Ensure that all available patches from Microsoft are applied.