TUCoPS :: Windows :: win5585.htm

mplay32.exe buffer overflow
31st Jul 2002 [SBWID-5585]

	mplay32.exe buffer overflow


	mplay32.exe, as shipped with all Windows versions prior to XP SP1


	'ken'@FTU [] reported the following:

	Microsoft is aware of the vulnerability.

	Since successful remote exploitation of this vulnerability depends on
	other mitigating factors, Microsoft believes it is not worthy of a
	bulletin. This overflow will be fixed in XP service pack 1.

	I will explain my understanding of the vulnerability. Perhaps someone
	can discover another way to exploit this executable without the other
	mitigating factors...

	mplay32.exe -- found in the system32 directory -- suffers from a buffer
	overflow. If the exe is called with a file name equal to or longer than
	279 characters, EIP is overwritten.




	Open a command prompt.

	mplay32.exe A<x279>.mp3



	Note: This is a unicode overflow. EIP now equals 0x00410041.

	The executable runs in the user context. Privilege escalation is not an
	issue. Count out the possibility of a local vulnerability.

	Can this be executed remotely? With certain mitigating factors.

	On an unpatched IIS server we can call





	and set EIP to 0x00410041. (I'm not giving further details of what to
	do next, but the information is available on the internet.)

	I tried to load mplay32.exe with the <object> tags but could not get
	it to parse the file extension. Perhaps others will have better luck.

	I leave everyone with the exciting possibility that there is potential
	for this to be remotely exploitable. Good luck.
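
	The following C program is an added illustration of the mechanism the
	report describes; it is not code from the advisory, from 'ken', or from
	mplay32.exe itself. It models a narrow command-line argument being
	widened to UTF-16LE into a fixed stack buffer with no bound check, shows
	why a run of 'A' (0x41) lands in the saved return address as 0x00410041,
	shows the hardened (length-checked) copy beside it, and shows why a
	Unicode overflow limits which addresses an ASCII-only argument can
	produce. The buffer sizes, the return-address offset MODEL_RET_OFFSET
	and the restriction to 7-bit ASCII are assumptions of this model; the
	advisory only states that 279 or more characters overwrite EIP.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of a Unicode (UTF-16LE) stack overflow of the kind the advisory
 * describes. Added illustration, not code from mplay32.exe. Layout constants
 * are assumptions: the advisory only says that an argument of 279 or more
 * characters overwrites EIP with 0x00410041.
 */

#define MAX_ARG_BYTES    1024   /* scratch space for the widened argument (assumed) */
#define MODEL_RET_OFFSET 540    /* assumed even byte offset of the saved EIP from the
                                   start of the wide-char buffer (hypothetical) */

/* Widen a narrow ASCII string the way a Win32 ANSI->wide conversion does for
 * 7-bit input: byte b becomes the 16-bit code unit 0x00b, stored little-endian.
 * Deliberately no length check: this is the vulnerable copy. 'cap' only keeps
 * the model memory-safe and stands in for "the rest of the stack frame".
 * Returns the number of bytes the widened string needs (without terminator). */
static size_t widen_ascii_unbounded(const char *in, uint8_t *out, size_t cap) {
    size_t i;
    for (i = 0; in[i] != '\0'; i++) {
        if (2 * i + 1 < cap) {
            out[2 * i]     = (uint8_t)in[i];
            out[2 * i + 1] = 0x00;
        }
    }
    return 2 * i;
}

/* Hardened form: refuse input that does not fit, wide terminator included. */
static int widen_ascii_checked(const char *in, uint8_t *out, size_t cap) {
    size_t need = 2 * strlen(in) + 2;   /* code units plus the wide NUL */
    if (need > cap) return -1;
    widen_ascii_unbounded(in, out, cap);
    out[need - 2] = 0x00;
    out[need - 1] = 0x00;
    return 0;
}

/* Build the advisory's trigger: n copies of c followed by ".mp3". out needs n + 5 bytes. */
static char *make_argument(char c, size_t n, char *out) {
    memset(out, c, n);
    memcpy(out + n, ".mp3", 5);
    return out;
}

/* What lands in the saved return address when the widened argument is copied
 * into a buffer whose saved EIP sits ret_offset bytes from its start (x86 is
 * little-endian). Returns 0 when the argument is too short to reach the slot. */
static uint32_t overwritten_eip(const char *arg, size_t ret_offset) {
    uint8_t frame[MAX_ARG_BYTES] = {0};
    size_t written = widen_ascii_unbounded(arg, frame, sizeof frame);
    if (ret_offset + 4 > written || ret_offset + 4 > sizeof frame) return 0;
    return (uint32_t)frame[ret_offset]
         | (uint32_t)frame[ret_offset + 1] << 8
         | (uint32_t)frame[ret_offset + 2] << 16
         | (uint32_t)frame[ret_offset + 3] << 24;
}

/* EIP produced by the advisory's trigger: n 'A' characters followed by ".mp3". */
static uint32_t trigger_eip(size_t n, size_t ret_offset) {
    char arg[MAX_ARG_BYTES / 2];
    if (n + 5 > sizeof arg) return 0;
    make_argument('A', n, arg);
    return overwritten_eip(arg, ret_offset);
}

/* Can addr be produced at all with a 7-bit ASCII argument? Every second byte of
 * the widened data is 0x00, so only 0x00XX00YY is reachable, and XX/YY cannot be
 * 0x00 because that byte would terminate the narrow string. Bytes >= 0x80 map
 * through the system code page and are deliberately excluded from this model. */
static int ascii_reachable(uint32_t addr) {
    uint8_t b0 = addr & 0xFF, b1 = (addr >> 8) & 0xFF;
    uint8_t b2 = (addr >> 16) & 0xFF, b3 = (addr >> 24) & 0xFF;
    return b1 == 0 && b3 == 0 && b0 >= 0x01 && b0 <= 0x7F && b2 >= 0x01 && b2 <= 0x7F;
}

int main(void) {
    uint8_t small[64];
    char arg[512];
    make_argument('A', 279, arg);
    printf("EIP after overflow (even offset): 0x%08X\n", trigger_eip(279, MODEL_RET_OFFSET));
    printf("EIP if the slot were misaligned by one byte: 0x%08X\n", trigger_eip(279, MODEL_RET_OFFSET + 1));
    printf("checked copy of the trigger: %d (rejected)\n", widen_ascii_checked(arg, small, sizeof small));
    printf("checked copy of a short name: %d\n", widen_ascii_checked("a.mp3", small, sizeof small));
    printf("0x00410041 reachable: %d, 0x7C801234 reachable: %d\n",
           ascii_reachable(0x00410041u), ascii_reachable(0x7C801234u));
    return 0;
}
```

	Two things the advisory's one-line result does not show: the overwrite
	only yields 0x00410041 when the return slot starts on an even byte of
	the widened data (a one-byte misalignment gives 0x41004100), and the
	zero high byte in every code unit is what makes this a "unicode
	overflow" in the exploitation sense, since an ASCII-only argument can
	only ever write addresses of the form 0x00XX00YY.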


	Editor's suggestion of the day: remove mplay32.exe... your computer is
	a working tool, isn't it?

