Microsoft Windows up to 10 Media Player ASX Playlist memory corruption

Summaryinfo

A vulnerability categorized as critical has been discovered in Microsoft Windows up to 10. The impacted element is an unknown function of the component Media Player. The manipulation with the input REF HREF as part of ASX Playlist results in memory corruption. This vulnerability is cataloged as CVE-2006-6134. Furthermore, there is an exploit available. It is recommended to use an alternative to replace the affected component.

Detailsinfo

A vulnerability was found in Microsoft Windows up to 10 (Operating System). It has been classified as critical. Affected is an unknown functionality of the component Media Player. The manipulation with the input value REF HREF leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Heap-based buffer overflow in the WMCheckURLScheme function in WMVCORE.DLL in Microsoft Windows Media Player (WMP) 10.00.00.4036 on Windows XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a long HREF attribute, using an unrecognized protocol, in a REF element in an ASX PlayList file.

The bug was discovered 11/22/2006. The weakness was shared 12/08/2006 by sehato with Yandex as MS06-078 (Website). The advisory is shared for download at blogs.technet.com. This vulnerability is traded as CVE-2006-6134 since 11/27/2006. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known.

The exploit is shared for download at securityfocus.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 5 days. During that time the estimated underground price was around $100k and more. The vulnerability scanner Nessus provides a plugin with the ID 23838 (MS06-078: Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689/925398)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 90367 (Windows Media Format Vulnerability Could Allow Remote Code Execution (MS06-078)).

Applying a patch is able to eliminate this problem. The bugfix is ready for download at windowsupdate.microsoft.com. The problem might be mitigated by replacing the product with as an alternative. The best possible mitigation is suggested to be establishing an alternative product. A possible mitigation has been published 4 days after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 9625. In this case the pattern is used for detection. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 4910.

The vulnerability is also documented in the databases at X-Force (30595), Tenable (23838), SecurityFocus (BID 21247†), OSVDB (30819†) and Secunia (SA22971†). The entry VDB-33795 is related to this item. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Microsoft

Name

• Windows

Version

• 7
• 8
• 8.1
• 10
• Vista
• XP

License

• commercial

Website

• Vendor: https://www.microsoft.com/
• Product: https://www.microsoft.com/en-us/windows

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info