Topsight.net Discussions on computers and beyond
Thursday, May 15 2008 @ 11:37 PM EDT

Microsoft DirectX Bug Allows Arbitrary Execution of Code

Watch out who you get MIDI files from! A bug in DirectX allows a specially crafted MIDI file to execute code on your machine when it is played by a Microsoft program, for example by visiting a web page in Internet Explorer that sets the MIDI file to play in the background, or by opening it in Windows Media Player.

Actual exploit and more in-depth explanation, reposted from Bugtraq:

Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption

Release Date:
July 23, 2003

Severity:
High (Remote Code Execution)

Systems Affected:
Windows 98
Windows 98 SE
Windows Millennium Edition
Windows NT 4.0
Windows NT 4.0, Terminal Server Edition
Windows 2000
Windows XP
Windows Server 2003

Description:
A little over six hundred years ago, in a quaint German hamlet called Hamelin, the Pied Piper proved to the townsfolk that he could take control of their rodents and children with just a song. Turns out the same thing works on Windows.

Microsoft provides a component called QUARTZ.DLL that allows Windows applications to play MIDI music through a common interface. Windows Media Player and Internet Explorer, for example, both use QUARTZ.DLL to play MIDI music files (.mid extension); in the case of Internet Explorer, MIDI files can be played automatically when a web page is visited through the use of a specific HTML tag.

eEye Digital Security has discovered a pair of flaws in all versions of QUARTZ.DLL that would allow a specially-crafted MIDI file to cause the execution of arbitrary code when played. In the worst case, an attacker could construct a malicious .mid file and have it play automatically whenever a victim attempts to view certain HTML, such as an attacker-controlled website, resulting in the compromise of the victim's machine.

Technical Description:
Modern folklore contends that some bands used to inject subliminal messages into their music by recording spoken commands or phrases and dubbing them backwards into the track. Although these allegations and the effectiveness of the technique were never proven conclusively, it is known that computers running a vulnerable version of QUARTZ.DLL will happily do whatever they're instructed to do without litigation, as long as the commands in the MIDI music are in machine language.

The QUARTZ.DLL vulnerability discussed in this advisory is a heap buffer overrun resulting from an integer overflow. If a Text or Copyright string with a specified length of FFFFFFFFh is included in the MIDI file, QUARTZ will attempt to allocate a zero-byte heap block, then copy the text string -- and any data following it -- to the newly-allocated location in the heap. As a result, all contiguous pages of heap memory following the zero-byte block are overwritten until either the source pointer reaches an invalid page boundary, the destination pointer reaches the end of heap memory, or another thread is dispatched and faults out trying to use corrupted heap memory.

The reason this vulnerability exists is because QUARTZ increments the specified string length (in order to make room for a null terminator) without checking for a potential overflow condition. The incremented value (now 0) is passed to LocalAlloc(), which succeeds, while the original value (FFFFFFFFh) is given to memcpy() to copy the string data from the file image into the heap buffer.

For the sake of brevity, we have unfortunately omitted the details of the MIDI file format from this advisory, and will instead skip straight to the following example of a malicious MIDI:

4D 54 68 64               ; 'MThd' header chunk tag
00 00 00 06               ; size of header chunk data (6)
00 01                     ; MIDI file version (1)
00 01                     ; number of tracks (1)
65 49                     ; pulses per quarter note (PPQN)
4D 54 72 6B               ; 'MTrk' track chunk tag
00 00 00 10               ; size of track chunk data (16)
00                        ; delta-time for event (0)
FF 02                     ; non-MIDI event (Copyright)
8F FF FF FF 7F            ; VLQ for text length (FFFFFFFFh)
65 45 79 65 32 30 30 33   ; (start of malicious data)
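To make the length-handling flaw concrete, here is an added C example written for this page (it is not eEye's code and not QUARTZ.DLL's). It decodes the Copyright meta-event from the MIDI bytes above, shows that the five-byte VLQ 8F FF FF FF 7F yields FFFFFFFFh, and contrasts the described len+1 arithmetic (which wraps to 0 while the copy still gets FFFFFFFFh) with a check that rejects the overflow. The byte arrays, the text_sizes_t struct and all function names are constructed for illustration; the assumption that the decoder accepts a fifth VLQ byte (the MIDI specification caps VLQs at four) follows the advisory's description rather than any particular code.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample: the MTrk event from the advisory's malicious MIDI
 * (delta-time, FF 02 Copyright meta-event, five-byte VLQ length, payload).
 * Hypothetical bytes for illustration, not read from any file. */
static const uint8_t MALICIOUS_EVENT[] = {
    0x00,                           /* delta-time 0 */
    0xFF, 0x02,                     /* meta-event type 02h: Copyright */
    0x8F, 0xFF, 0xFF, 0xFF, 0x7F,   /* VLQ length decoding to FFFFFFFFh */
    0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33  /* "eEye2003" */
};

/* Constructed benign counterpart: the same event with an honest 8-byte length. */
static const uint8_t BENIGN_EVENT[] = {
    0x00, 0xFF, 0x02, 0x08,
    0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33
};

/* Decode a MIDI variable-length quantity: 7 data bits per byte, high bit set
 * on every byte except the last. Returns bytes consumed, or 0 if malformed.
 * Assumption: like the decoder the advisory describes, this accepts a fifth
 * byte (the spec allows at most four), which is what lets the value reach
 * FFFFFFFFh. */
static size_t read_vlq(const uint8_t *p, size_t avail, uint32_t *out)
{
    uint32_t v = 0;
    for (size_t i = 0; i < avail && i < 5; i++) {
        v = (v << 7) | (p[i] & 0x7Fu);
        if ((p[i] & 0x80u) == 0) {
            *out = v;
            return i + 1;
        }
    }
    return 0;
}

/* Sizes the vulnerable path would hand to the allocator and to the copy. */
typedef struct {
    uint32_t alloc_size;   /* len + 1, as passed to LocalAlloc() */
    uint32_t copy_len;     /* original len, as passed to memcpy() */
} text_sizes_t;

/* Models the flaw as described: +1 for the NUL terminator with no overflow
 * check. No memory is touched; the numbers are returned for inspection. */
static text_sizes_t vulnerable_text_sizes(uint32_t len)
{
    text_sizes_t s;
    s.alloc_size = len + 1u;   /* wraps to 0 when len == FFFFFFFFh */
    s.copy_len = len;
    return s;
}

/* Hardened equivalent: refuse a length that would wrap on +1 or that exceeds
 * the bytes actually left in the chunk, then allocate len + 1. */
static bool safe_text_alloc(uint32_t len, size_t remaining, char **out)
{
    *out = NULL;
    if (len == UINT32_MAX || len > remaining)
        return false;
    *out = malloc((size_t)len + 1u);
    return *out != NULL;
}

/* Walk one Text (01h) or Copyright (02h) meta-event. Returns the decoded
 * length (0 on a parse failure) and reports what each path would do. */
static uint32_t analyze_text_event(const uint8_t *ev, size_t n,
                                   text_sizes_t *vuln, bool *safe_ok)
{
    uint32_t delta = 0, len = 0;
    size_t pos = read_vlq(ev, n, &delta);
    *safe_ok = false;
    if (pos == 0 || n - pos < 3 || ev[pos] != 0xFF ||
        (ev[pos + 1] != 0x01 && ev[pos + 1] != 0x02))
        return 0;
    pos += 2;
    size_t used = read_vlq(ev + pos, n - pos, &len);
    if (used == 0)
        return 0;
    pos += used;
    *vuln = vulnerable_text_sizes(len);
    char *buf;
    *safe_ok = safe_text_alloc(len, n - pos, &buf);
    free(buf);   /* free(NULL) is a no-op when the check rejected the length */
    return len;
}

/* Plain-value views of the two outcomes for a given event. */
static uint32_t vulnerable_alloc_for(const uint8_t *ev, size_t n)
{
    text_sizes_t s = {0, 0}; bool ok;
    analyze_text_event(ev, n, &s, &ok);
    return s.alloc_size;
}

static bool safe_path_accepts(const uint8_t *ev, size_t n)
{
    text_sizes_t s = {0, 0}; bool ok;
    analyze_text_event(ev, n, &s, &ok);
    return ok;
}

int main(void)
{
    text_sizes_t s; bool ok;
    uint32_t len = analyze_text_event(MALICIOUS_EVENT, sizeof MALICIOUS_EVENT, &s, &ok);
    printf("malicious: len=%08" PRIX32 "h alloc=%" PRIu32 " copy=%08" PRIX32 "h safe path: %s\n",
           len, s.alloc_size, s.copy_len, ok ? "accepted" : "rejected");
    len = analyze_text_event(BENIGN_EVENT, sizeof BENIGN_EVENT, &s, &ok);
    printf("benign:    len=%08" PRIX32 "h alloc=%" PRIu32 " copy=%08" PRIX32 "h safe path: %s\n",
           len, s.alloc_size, s.copy_len, ok ? "accepted" : "rejected");
    return 0;
}
```

The hardened check bounds the length against both the integer range and the bytes remaining in the chunk; the second condition matters on its own, since a length that does not wrap can still point memcpy() past the end of the file image.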

There are many possible ways to exploit this overflow; the following is a sampling of instructions at which exceptions were observed in the aftermath of loading a malicious MIDI in Internet Explorer:

CALL [EAX] ; we control EAX
CALL [EAX+C4h] ; we control EAX
CALL [ECX+0Ch] ; we control ECX
JMP [EAX+28h] ; we control EAX
MOV [ECX], EAX ; we control EAX, ECX
MOV [ESI], ECX ; we control ECX, ESI

Of particular interest are "unlink" sequences such as "MOV [ECX], EAX / MOV [EAX+4], ECX", which could be used to overwrite the unhandled exception filter in KERNEL32 during the first instruction, then cause an exception with the second (for instance, if EAX pointed somewhere into read-only memory, or if EAX was near a page boundary such that EAX+4..7 landed in an invalid memory region).

A second heap buffer overrun involving a 16-bit integer overflow and subsequent memory allocation was also discovered, but to save space we will only briefly mention it here. The number of tracks in the MThd chunk, a 16-bit field, is subjected to some arithmetic in order to determine the necessary size for an array of track data structures. In particular, the size of the block is calculated as:

(number_of_tracks * 24h) + 9E0h

However, the arithmetic is performed entirely in 16 bits, and as a result, setting the number of tracks to 1751 (6D7h) or greater causes the result to wrap and a heap block that is too small to be allocated. This vulnerability can be leveraged to overwrite DWORDs in the heap at specific intervals with arbitrary data. Note that Windows Server 2003 is not susceptible to this vulnerability, as it contains a check to ensure that the number of tracks never exceeds the highest value (1750, 6D6h) for which the 16-bit arithmetic does not overflow.
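The 16-bit sizing arithmetic, as an added C example written for this page (not eEye's or Microsoft's code): it computes the block size both as the advisory says QUARTZ does (truncated to 16 bits) and at full width, applies the range check the advisory credits Windows Server 2003 with, finds the smallest track count that wraps, and counts how many 24h-byte track structures would land past the end of the undersized block. The advisory gives only the size formula; the layout assumption that the 9E0h bytes precede the array and that track i occupies the 24h-byte slot at 9E0h + i*24h is mine, for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TRACK_STRUCT_SIZE  0x24u    /* bytes per track structure (from the advisory) */
#define TRACK_ARRAY_HEADER 0x9E0u   /* fixed part of the block size (from the advisory) */

/* The size computation at full width, for comparison. */
static uint32_t track_array_size_32(uint16_t ntracks)
{
    return (uint32_t)ntracks * TRACK_STRUCT_SIZE + TRACK_ARRAY_HEADER;
}

/* The same computation truncated to 16 bits, as the advisory describes the
 * vulnerable code doing: the high bits of the product are simply lost. */
static uint16_t track_array_size_16(uint16_t ntracks)
{
    return (uint16_t)track_array_size_32(ntracks);
}

/* The check the advisory credits Windows Server 2003 with: accept a track
 * count only if the 16-bit result cannot wrap. */
static bool track_count_is_safe(uint16_t ntracks)
{
    return track_array_size_32(ntracks) <= 0xFFFFu;
}

/* Smallest track count for which the 16-bit size wraps (the advisory's 6D7h). */
static uint16_t smallest_wrapping_track_count(void)
{
    for (uint32_t n = 0; n <= 0xFFFFu; n++)
        if (!track_count_is_safe((uint16_t)n))
            return (uint16_t)n;
    return 0;
}

/* Assumed layout: header of TRACK_ARRAY_HEADER bytes, then one
 * TRACK_STRUCT_SIZE-byte structure per track. Counts the track slots whose
 * end lies beyond a block allocated with the wrapped 16-bit size, i.e. how
 * many structures (and the DWORDs inside them) are written into whatever
 * heap memory follows the block, at 24h-byte intervals. */
static uint32_t out_of_bounds_track_slots(uint16_t ntracks)
{
    uint32_t alloc = track_array_size_16(ntracks);
    uint32_t oob = 0;
    for (uint32_t i = 0; i < ntracks; i++) {
        uint32_t slot_end = TRACK_ARRAY_HEADER + (i + 1u) * TRACK_STRUCT_SIZE;
        if (slot_end > alloc)
            oob++;
    }
    return oob;
}

int main(void)
{
    uint16_t boundary = smallest_wrapping_track_count();
    uint16_t last_safe = (uint16_t)(boundary - 1u);
    printf("tracks=%u: 32-bit size=%04Xh 16-bit size=%04Xh safe=%d oob slots=%u\n",
           last_safe, track_array_size_32(last_safe), track_array_size_16(last_safe),
           track_count_is_safe(last_safe), out_of_bounds_track_slots(last_safe));
    printf("tracks=%u: 32-bit size=%04Xh 16-bit size=%04Xh safe=%d oob slots=%u\n",
           boundary, track_array_size_32(boundary), track_array_size_16(boundary),
           track_count_is_safe(boundary), out_of_bounds_track_slots(boundary));
    return 0;
}
```

With 1751 tracks the wrapped size is 1Ch (28 bytes), smaller than the 9E0h header alone, so under the assumed layout every one of the 1751 track structures lands outside the block; the attacker-controlled fields of each structure then become the "DWORDs at specific intervals" the advisory mentions.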

Vendor Status:
Microsoft was contacted on April 16, 2003, and has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
This vulnerability has been assigned the CVE identifier CAN-2003-0346.

Credit:
Derek Soeder - eEye Digital Security

Greetin's:
6Ds; TJB, JC, MC, JAG, AH, JRJ, SMJ, JM, KP; Uma; and finally, Trust, when it's not spelled with a $.

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
