Code smuggling through ASX playlists
Manipulated websites can exploit a vulnerability in the ASX playlist processing routines of Windows Media Player 9 and 10 to smuggle arbitrary malicious code onto a system. The first sign of the bug was a denial-of-service attack against the affected players; security vendor eEye followed up with an analysis and found that the flaw could also be used to execute code.
The bug lies in the wmvcore.dll library. A buffer can overflow while ref href tags are processed; these tags point to the data stream to be played back. The address they contain is copied into a buffer and its protocol handler is replaced with mms:, but at the time of copying only enough memory is reserved for the original URL. The function rejects protocol names consisting of a single letter, but attackers can circumvent this check with URL encoding, for example by inserting %20, the encoded form of a space. A URL manipulated in this way can overwrite up to four bytes on the heap.
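The following is an added illustration of the bug class described above; it is not code from wmvcore.dll or from eEye's analysis, and the function names (percent_decode, naive_overrun, safe_rewrite_to_mms) are hypothetical. It models the article's sequence as an assumption: the single-letter scheme check runs on the still-encoded URL, the buffer is sized for the decoded URL, and the scheme is then swapped for "mms". The naive path does not perform the out-of-bounds write; it reports how many bytes the rewritten string would run past the buffer, so the exact "up to four bytes" of the real library is not reproduced, only the mechanism.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction (not wmvcore.dll code): a "ref href" URL is
 * percent-decoded, copied into a buffer sized for the decoded URL, and its
 * scheme is replaced with "mms". Any scheme shorter than "mms" makes the
 * rewritten string longer than the buffer. */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes into a malloc'd string; NULL on malformed input. */
char *percent_decode(const char *s) {
    char *out = malloc(strlen(s) + 1);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; s[i]; i++) {
        if (s[i] == '%') {
            int hi = s[i + 1] ? hexval(s[i + 1]) : -1;
            int lo = (hi >= 0 && s[i + 2]) ? hexval(s[i + 2]) : -1;
            if (hi < 0 || lo < 0) { free(out); return NULL; }
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = s[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Length of the scheme (text before the first ':'), or -1 if there is none. */
static long scheme_len(const char *url) {
    const char *colon = strchr(url, ':');
    return colon ? (long)(colon - url) : -1;
}

/* Vulnerable flow as modelled from the article: the one-letter-scheme check
 * looks at the raw (encoded) URL, the buffer is sized for the decoded URL, and
 * the scheme becomes "mms". Returns how many bytes "mms:..." would overrun
 * that buffer (0 = fits), or -1 if the check rejects the input. */
long naive_overrun(const char *raw) {
    if (scheme_len(raw) < 2) return -1;           /* check runs before decoding */
    char *dec = percent_decode(raw);
    if (!dec) return -1;
    long sl = scheme_len(dec);                    /* "%20" has become " " */
    size_t alloc = strlen(dec) + 1;               /* room for the original URL only */
    size_t need = strlen(dec) - (size_t)sl + 3 + 1; /* "mms" + ":rest" + NUL */
    free(dec);
    return need > alloc ? (long)(need - alloc) : 0;
}

/* Hardened flow: decode first, apply the scheme check to the decoded text, and
 * size the buffer for the rewritten string. The sizing is what actually closes
 * the hole; the check merely mirrors the original policy in the right place.
 * Returns a malloc'd "mms:..." string, or NULL if the URL is rejected. */
char *safe_rewrite_to_mms(const char *raw) {
    char *dec = percent_decode(raw);
    if (!dec) return NULL;
    long sl = scheme_len(dec);
    if (sl < 2) { free(dec); return NULL; }
    const char *rest = dec + sl;                  /* begins at the ':' */
    size_t need = 3 + strlen(rest) + 1;
    char *out = malloc(need);
    if (out) snprintf(out, need, "mms%s", rest);
    free(dec);
    return out;
}

/* Convenience check for the hardened path: 1 if raw rewrites to expected. */
int rewrites_to(const char *raw, const char *expected) {
    char *r = safe_rewrite_to_mms(raw);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void) {
    /* Constructed sample hrefs, not taken from any real playlist. */
    const char *samples[] = { "a://host/clip", "%20://host/clip", "ab://host/clip", "http://host/clip" };
    for (size_t i = 0; i < 4; i++)
        printf("%-18s naive overrun: %ld\n", samples[i], naive_overrun(samples[i]));
    return 0;
}
```

Two things the model makes visible: "%20://host/clip" sails past a check that rejects "a://host/clip", yet decodes to a one-character scheme and overruns the buffer; and even a two-letter scheme such as "ab:" passes the check and still overruns by a byte, so the length check was never an adequate defence on its own.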
The problem is compounded by the way Internet Explorer handles ASX files embedded in websites: it opens them automatically. eEye recommends deactivating the automatic opening of ASX playlists until Microsoft releases a patch. Affected users can change the action for the ASX file type under Tools > Folder Options > File Types to a program other than Windows Media Player; Notepad is a good choice.
- Windows Media ASX PlayList File Denial Of Service Vulnerability, security advisory on Bugtraq
- Analysis by eEye