COMMAND

mplay32.exe buffer overflow

SYSTEMS AFFECTED

mplay32.exe as shipped with any Windows release prior to XP SP1

PROBLEM

'ken'@FTU [ken_at_ftu@yahoo.com] reported the following:

Microsoft is aware of the vulnerability. Since successful remote exploitation of this vulnerability depends on other mitigating factors, Microsoft believes it is not worthy of a bulletin. This overflow will be fixed in XP Service Pack 1.

I will explain my understanding of the vulnerability. Perhaps someone can discover another way to exploit this executable without the other mitigating factors...

mplay32.exe -- found in the system32 directory -- suffers from a buffer overflow. If the exe is called with a file name equal to or longer than 279 characters, EIP is overwritten.

Exploit
=======

Open a command prompt.

mplay32.exe A<x279>.mp3

Note: This is a Unicode overflow. EIP now equals 0x00410041.

The executable runs in the user context. Privilege escalation is not an issue. Count out the possibility of a local vulnerability.

Can this be executed remotely? With certain mitigating factors. On an unpatched IIS server we can call

/scripts/..%255c..%255cwinnt/system32.exe?/A<x279>.mp3

and set EIP to 0x00410041. (I'm not giving further details of what to do next, but the information is available on the internet.)

I tried to load mplay32.exe with the <object> tags but could not get it to parse the file extension. Perhaps others will have better luck. :)

I leave everyone with the exciting possibility that there is potential for this to be remotely exploitable. Good luck.

SOLUTION

The reporter states the overflow will be fixed in XP Service Pack 1. Editor's suggestion of the day until then: remove mplay32.exe... your computer is a working tool, isn't it?
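The two details a practitioner will want from the report above are why EIP reads exactly 0x00410041 and why that makes this a "Unicode overflow": the ASCII argument is widened to UTF-16LE before it is copied, so every 'A' (0x41) becomes the byte pair 41 00, and any 4-byte slot the copy runs over on a 2-byte-aligned wide buffer reads 0x00410041 in little-endian order. The attacker only controls every other byte. The model below is an added example, not ken's report and not mplay32.exe's code: the frame layout (a 275-WCHAR name buffer followed by saved EBP and the return address), the 0xDEADBEEF sentinel and the helper names are assumptions chosen so that the report's 279-character threshold is reproduced; the real offsets inside mplay32.exe are not given on this page. It shows the unbounded copy beside a length-checked version of the same copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class in the report above, NOT mplay32.exe's
 * code: an 8-bit argument is widened to UTF-16LE and copied into a fixed
 * stack buffer with no length check, running over the saved EBP and the
 * return address.  Assumed frame layout, chosen so the report's 279-char
 * threshold is reproduced (the real offsets in mplay32.exe are not known):
 *   WCHAR name[275] 550 bytes @ 0 | saved EBP 4 bytes @ 550 | ret 4 bytes @ 554 */
#define NAME_WCHARS  275
#define RET_OFFSET   (NAME_WCHARS * 2 + 4)
#define FRAME_BYTES  (RET_OFFSET + 4)
#define RET_SENTINEL 0xDEADBEEFu   /* stands in for the real return address */

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Widen an ASCII string to UTF-16LE the way the ANSI->Unicode layer does
 * before a W API sees it: each byte becomes <byte, 0x00>, terminator included.
 * Writes stop at cap only to keep this model memory-safe. */
static void widen_utf16le(const char *src, uint8_t *dst, size_t cap)
{
    for (size_t n = 0;; n += 2, src++) {
        if (n + 2 <= cap) {
            dst[n]     = (uint8_t)*src;   /* attacker-controlled byte */
            dst[n + 1] = 0x00;            /* always zero for ASCII    */
        }
        if (*src == '\0')
            return;
    }
}

/* Vulnerable pattern: unbounded wcscpy-style copy.  Returns what the
 * return-address slot holds afterwards. */
uint32_t vuln_ret_after_copy(const char *filename)
{
    uint8_t frame[FRAME_BYTES] = {0};
    const uint8_t sentinel[4] = {0xEF, 0xBE, 0xAD, 0xDE};   /* LE 0xDEADBEEF */
    memcpy(frame + RET_OFFSET, sentinel, 4);
    widen_utf16le(filename, frame, sizeof frame);           /* no length check */
    return load_le32(frame + RET_OFFSET);
}

/* Hardened pattern: reject, before copying, anything that cannot fit with
 * its terminator (what StringCchCopyW / wcsncpy_s enforce).  1 = accepted. */
int hardened_accepts(const char *filename)
{
    uint8_t name[NAME_WCHARS * 2];
    if (strlen(filename) >= NAME_WCHARS)
        return 0;
    widen_utf16le(filename, name, sizeof name);
    return 1;
}

/* n_fill 'A's followed by tail: the report's A<x279> is make_name(279, ""). */
static char *make_name(size_t n_fill, const char *tail)
{
    size_t tl = strlen(tail);
    char *s = malloc(n_fill + tl + 1);
    if (s) {
        memset(s, 'A', n_fill);
        memcpy(s + n_fill, tail, tl + 1);
    }
    return s;
}

uint32_t ret_after_pattern(size_t n_fill, const char *tail)
{
    char *s = make_name(n_fill, tail);
    uint32_t r = s ? vuln_ret_after_copy(s) : 0;
    free(s);
    return r;
}

int hardened_accepts_n(size_t n_fill)
{
    char *s = make_name(n_fill, "");
    int ok = s ? hardened_accepts(s) : 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("A<x279>   -> EIP 0x%08x\n", (unsigned)ret_after_pattern(279, ""));
    printf("A<x278>   -> EIP 0x%08x (terminator lands in the slot)\n",
           (unsigned)ret_after_pattern(278, ""));
    printf("A<x277>BC -> EIP 0x%08x (only every other byte is controlled)\n",
           (unsigned)ret_after_pattern(277, "BC"));
    printf("hardened copy of A<x279>: %s\n",
           hardened_accepts_n(279) ? "accepted" : "rejected");
    return 0;
}
```

The A<x277>BC case is the point of the "Unicode overflow" note: the bytes the attacker places in the slot are always separated by 0x00, which is the mitigating factor that keeps the address and any payload constrained to the 0x00XX00XX shape.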