Microsoft is aware of the vulnerability.
Since this successful remote exploitation of this vulnerability depends
on other mitigating factors, Microsoft believes it is not worthy of a
bulletin. This overflow will be fixed in XP service pack 1.
I will explain my understanding of the vulnerability. Perhaps someone
can discover another way to exploit this executable without the other
mitigating factors…
mplay32.exe – found in system32 directory – suffers from a buffer
overflow. If the exe is called with a file name equal to or longer than
279 characters, EIP is overwritten.
Exploit:
Open a command prompt.
mplay32.exe A<x279>.mp3
Note: This is a unicode overflow. EIP now equals 0x00410041.
The executable runs in the user context. Privilege escalation is not an
issue. Count out the possibility of a local vulnerability.
Can this be executed remotely? With certain mitigating factors.
On an unpatched IIS server we can call
/scripts/…%255c…%255cwinnt/system32.exe?/A<x279>.mp3
and set EIP to 0x00410041. (I'm not giving further details of what to do
next, but the information is available on the internet.)
I tried to load mplay32.exe with the <object> tags but could not get it
to parse the file extension. Perhaps others will have better luck. :)
I leave everyone with the exciting possibility that there is potential
for this to be remotely exploitable. Good luck.
'ken'@FTU
–
"I grew convinced that truth, sincerity and integrity in dealings
between man and man were of the utmost importance to the felicity of
life, and I formed a written resolution to practise them ever while I
lived."
-Benjamin Franklin, The Autobiography of Benjamin Franklin