MS Windows Media Player Integer Overflow
The Advanced Systems Format (ASF) is an extensible file format designed for storing and playing synchronized digital media streams. The ASF file is organized in multiple sections called objects. All ASF objects begin with a globally unique identifier (GUID), a size field, and are followed by object data. Two vulnerabilities exist in the Windows Media Format runtime library which is responsible for processing ASF files. The vulnerabilities are due to integer overflow errors during handling of ASF files. The following two ASF objects are affected:
- ASF_Simple_Index_Object GUID 33000890-E5B1-11CF-89F4-00A0C90349CB
- ASF_Marker_Object GUID F487CD01-A951-11CF-8EE6-00C00C205365
ASF_Simple_Index_Object structure is as follows:
Field name Field type Size ----------------------- --------------- ----------- ObjectID GUID 16 ObjectSize QWORD 8 FileID GUID 16 IndexTimeInterval QWORD 8 MaxPacketCount DWORD 4 IndexEntriesCount DWORD 4=x IndexEntries IndexEnt IndexEnt[x]
The vulnerable function that parses the ASF_Simple_Index_Object uses the IndexEntriesCount field value to calculate the size of the required buffer to hold index data. The buffer calculation procedure may in certain situations result in an integer overflow resulting in an insufficient buffer size. The index data is then copied to the allocated buffer in a loop controlled by the original counter value. This results in the buffer being overrun with user controlled data.
ASF_Marker_Object structure is as follows:
Field name Field type Size ----------------------- --------------- ----------- ObjectID GUID 16 ObjectSize QWORD 8 Reserved GUID 16 MarkersCount DWORD 4=x Reserved WORD 2 NameLength WORD 2=y Name WCHAR y Markers MarkerEnt MarkerT[x]
The vulnerable function that parses the ASF_Marker_Object uses the MarkersCount field value to calculate the size of the required buffer. The buffer calculation may result in an integer overflow of the result value. Consequently, the buffer allocated is of insufficient size.
Exploitation requires an attacker to entice the target user to visit a web site which contains a malicious ASF file. An email attack vector is also a feasible way of delivering the exploit, providing that the end user either explicitly views the attachment or the email client automatically opens it. Successful exploitation may result in malicious code injection and execution.
SonicWALL has developed two IPS signatures that detect and block specific attacks targeting this vulnerability. The signatures that address this flaw are listed.
- 4617 - MS Windows Media Player ASF Integer Overflow PoC 1 (MS09-052)
- 4618 - MS Windows Media Player ASF Integer Overflow PoC 2 (MS09-052)