// back

Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability



Windows Media Player is a full featured Audio/Visual playback
application offered by Microsoft. The Windows Media Player package
also contains a plugin component that can be utilized from most
modern browsers such as Internet Explorer, Opera, Firefox, and Netscape.

More information on the product can be found from the Microsoft Windows
Media Web Site:



Windows Media Player (WMP) can be launched as a plugin in popular
browsers to view Windows Media Player file types from web pages.

A vulnerability in the Windows Media Player plugin can be triggered from
several popular browsers such as FireFox and Netscape. The issue
specifically can be triggered when certain browsers launch it with an
overly long embed src tag from a malicious html page.

Upon successful exploitation, attackers will be able to overwrite a
Structured Exception Handler (SEH) address and execute arbitrary code on
the system.

The vulnerability specifically lays in npdsplay.10001040 where a
user supplied string is copied to a stack based buffer:

   1000171A   C1E9 02  SHR ECX,2
   1000171F   8BC8     MOV ECX,EAX


Successful exploitation of this vulnerability allows attackers to
execute code within the context of the currently logged in user. The
victim would have to visit a malicious website using Firefox or Netscape
browsers and have Windows Media Player installed.

With properly crafted input the attacker is able to execute code of his
choice. Due to unicode translations, shellcode characters are somewhat
limited to  character code values below 0x80. Successful exploitation of
this vulnerability is not significantly impacted by this limitation.


This vulnerability has been tested with Windows Media Player 9 and 10,
when launched from the following browsers:

    * Firefox  .9 - Current
    * Netscape 8

Other versions of Windows Media Player may be vulnerable. This exploit
may be able to be triggered from browsers other than those listed

This condition does not appear to be able to be launched from Internet
Explorer or Opera browsers.


This exploit can only be triggered if Windows Media Player is set as
the default application to launch media file extensions. Exploitation
can be prevented by remapping any media file extensions typically
handled by Windows Media Player to an alternative application.

This exploit can also only be launched from specific browsers. Users
could use an alternative browser until an official vendor supplied patch
is available.


The vendor has issued the following security advisory for this issue:



The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0005 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.


08/31/2005   Initial vendor notification
08/31/2005   Initial vendor response
02/14/2006   Coordinated public disclosure


This vulnerability was submitted to iDefense by John Cobb, as well as a
second researcher who wishes to remain anonymous.

Get paid for vulnerability research

Free tools, research and upcoming events


Copyright © 2006 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.