MS Windows Media Player Integer Overflow (Oct 23, 2009)


The Advanced Systems Format (ASF) is an extensible file format designed for storing and playing synchronized digital media streams. The ASF file is organized in multiple sections called objects. All ASF objects begin with a globally unique identifier (GUID), a size field, and are followed by object data. Two vulnerabilities exist in the Windows Media Format runtime library which is responsible for processing ASF files. The vulnerabilities are due to integer overflow errors during handling of ASF files. The following two ASF objects are affected:

  • ASF_Simple_Index_Object GUID 33000890-E5B1-11CF-89F4-00A0C90349CB
  • ASF_Marker_Object GUID F487CD01-A951-11CF-8EE6-00C00C205365

ASF_Simple_Index_Object structure is as follows:

Field name              Field type      Size
----------------------- --------------- -----------
ObjectID                GUID            16
ObjectSize              QWORD           8
FileID                  GUID            16
IndexTimeInterval       QWORD           8
MaxPacketCount          DWORD           4
IndexEntriesCount       DWORD           4 = x
IndexEntries            IndexEnt        IndexEnt[x]

The vulnerable function that parses the ASF_Simple_Index_Object uses the IndexEntriesCount field value to calculate the size of the buffer required to hold the index data. In certain situations this size calculation overflows, so the allocated buffer is too small. The index data is then copied into the allocated buffer in a loop controlled by the original counter value, overrunning the buffer with user-controlled data.

ASF_Marker_Object structure is as follows:

Field name              Field type      Size
----------------------- --------------- -----------
ObjectID                GUID            16
ObjectSize              QWORD           8
Reserved                GUID            16
MarkersCount            DWORD           4 = x
Reserved                WORD            2
NameLength              WORD            2 = y
Name                    WCHAR           y
Markers                 MarkerEnt       MarkerEnt[x]

The vulnerable function that parses the ASF_Marker_Object uses the MarkersCount field value to calculate the size of the required buffer. The buffer calculation may result in an integer overflow of the result value. Consequently, the buffer allocated is of insufficient size.
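Both objects above share the same defect pattern: a 32-bit count from the file is multiplied by an entry size to obtain an allocation, the product wraps, and the copy loop still runs for the original count. The C snippet below is an added illustration, not code from this advisory or from the Windows Media Format runtime; it contrasts the unchecked arithmetic with a checked version on a constructed Simple Index object. The 6-byte index-entry size and the sample object are assumptions, since the page does not give the layout of IndexEnt.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed entry size: the advisory does not give IndexEnt's layout, so 6 bytes is a
 * constructed value used only to exercise the arithmetic. */
#define INDEX_ENTRY_SIZE 6u
/* IndexEntriesCount follows ObjectID(16)+ObjectSize(8)+FileID(16)+IndexTimeInterval(8)+MaxPacketCount(4). */
#define COUNT_OFFSET 52u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked product of the kind the advisory describes: a large count wraps to a small
 * size while a copy loop driven by `count` would still write every entry. */
uint32_t unchecked_index_buffer_size(uint32_t count) {
    return count * INDEX_ENTRY_SIZE;
}

/* Checked version: reject a count whose product would wrap, and a count larger than the
 * bytes actually present after the header. Returns 0 and the size on success, -1 otherwise. */
int checked_index_buffer_size(uint32_t count, size_t available, uint32_t *out) {
    if (count > UINT32_MAX / INDEX_ENTRY_SIZE) return -1;   /* product would exceed 32 bits */
    uint32_t need = count * INDEX_ENTRY_SIZE;
    if (need > available) return -1;                         /* object is shorter than claimed */
    *out = need;
    return 0;
}

/* Parse the fixed header of a Simple Index object and validate IndexEntriesCount. */
int parse_simple_index(const uint8_t *obj, size_t len, uint32_t *entry_bytes) {
    if (len < COUNT_OFFSET + 4) return -1;
    uint32_t count = read_le32(obj + COUNT_OFFSET);
    return checked_index_buffer_size(count, len - (COUNT_OFFSET + 4), entry_bytes);
}

/* Constructed sample object: zeroed header, a caller-chosen count, then 12 bytes of entries
 * (two assumed 6-byte entries). Returns the accepted entry-byte size, or -1 when rejected. */
long parse_sample_with_count(uint32_t count) {
    uint8_t obj[COUNT_OFFSET + 4 + 12];
    memset(obj, 0, sizeof obj);
    for (int i = 0; i < 4; i++) obj[COUNT_OFFSET + i] = (uint8_t)(count >> (8 * i));
    uint32_t bytes = 0;
    return parse_simple_index(obj, sizeof obj, &bytes) == 0 ? (long)bytes : -1L;
}
```

A count of 0x2AAAAAAB makes the unchecked product wrap to 2 bytes; the checked parser rejects it, and also rejects a count of 3 because only 12 bytes of entries are present.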

Exploitation requires an attacker to entice the target user to visit a web site which contains a malicious ASF file. An email attack vector is also a feasible way of delivering the exploit, providing that the end user either explicitly views the attachment or the email client automatically opens it. Successful exploitation may result in malicious code injection and execution.
SonicWALL has developed two IPS signatures that detect and block specific attacks targeting this vulnerability. The signatures that address this flaw are listed below.

  • 4617 – MS Windows Media Player ASF Integer Overflow PoC 1 (MS09-052)
  • 4618 – MS Windows Media Player ASF Integer Overflow PoC 2 (MS09-052)

This vulnerability has been assigned CVE-2009-2527 by MITRE. The vendor has released Microsoft Security Bulletin MS09-052 addressing this issue.
