Bugtraq mailing list archives

Microsoft Media Player ASX Parser buffer overflow vulnerability

From: Pauli Ojanpera <pauli_ojanpera () HOTMAIL COM>
Date: Wed, 2 May 2001 13:57:12 +0300

-------------------------------------------------------------------
LEGAL STATEMENT:

The information contained in this mail message is confidential.
The information contained in this mail message is a trade
secret of mine and is protected under law.

Basically: You're not allowed to read or use or act upon the information
contained in this message unless you fall into a
category who are specifically allowed to.

1. People/entities with any formal relationship with Microsoft are
not allowed to read the content of this message.
2. People who do not fall into category 1 are allowed to do anything
they like but are not allowed to bypass this information forward.

--------------------------------------------------------------------
RANDOM RANT:

You know, somebody's got to take care of the client side.
--------------------------------------------------------------------
REVELATION:

HREF attribute of BANNER tag can be abused to smash our lovely stack.

This information applies to Media Player 6.4 at least.
You can try it out with your version at
<a
href="http://mediaplayerbug.tripod.com/";>http://mediaplayerbug.tripod.com/</a>.

Known status of different versions of dxmasf.dll:
Invulnerable: Size 427280 bytes. Time stamp 0x35ed5d3d. (From Finnish SP4
CD.)
Vulnerable: Size 498960 bytes. Time stamp 0x382cbe58. (From mpfull.exe
version 6.4. dunno more.)
Vulnerable: Size 525008 bytes. Time stamp 0x3a2ed2f1. (The patched version
that comes in wmqfe33955.exe.)
(Got the time stamps using File Viewer.)

As what comes to the .asx attachment, it won't work as it is. You've
got to edit it to refer a valid .asf/.avi file. I didn't want to waste
bandwidth. It is a text file so that should not be too much a trouble.

Umm. Analysis.txt is at Tripod too, no link to it though. Guess the
URL if you need it. :)
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Attachment: Analysis.txt
Description:

Attachment: Money_is_wrong.asx
Description:

Current thread:

Microsoft Media Player ASX Parser buffer overflow vulnerability Pauli Ojanpera (May 02)
- Re: Microsoft Media Player ASX Parser buffer overflow vulnerability ByteRage (May 11)