Pakistan Computer Emergency Response Team

The Security Standard


HOME | ABOUT US | SERVICES | ADVISORIES | RESOURCES | DEFACEMENT ARCHIVE | MEMBERS AREA | TRAINING | CONTACT US

Copyright | Disclaimer

 

 

 


 
CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library

-----BEGIN PGP SIGNED MESSAGE-----


CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX
MIDI Library

Original issue date: July 25, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.


Systems Affected

* Microsoft Windows systems running DirectX (Windows 98, 98SE, NT
4.0, NT 4.0 TSE, 2000, Server 2003)


Overview

A set of integer overflows exists in a DirectX library included in
Microsoft Windows. An attacker could exploit this vulnerability to
execute arbitrary code or to cause a denial of service.


I. Description

Microsoft Windows operating systems include multimedia technologies
called DirectX and DirectShow. From Microsoft Security Bulletin
MS03-030, "DirectX consists of a set of low-level Application
Programming Interfaces (APIs) that are used by Windows programs for
multimedia support. Within DirectX, the DirectShow technology performs
client-side audio and video sourcing, manipulation, and rendering."

DirectShow support for MIDI files is implemented in a library called
quartz.dll. This library contains two vulnerabilities:

VU#561284 - Microsoft Windows DirectX MIDI library does not
adequately validate Text or Copyright parameters in
MIDI files

VU#265232 - Microsoft Windows DirectX MIDI library does not
adequately validate MThd track values in MIDI files

In both cases, a specially crafted MIDI file could cause an integer
overflow, leading to incorrect memory allocation and heap corruption.

Any application that uses DirectX/DirectShow to process MIDI files may
be affected by this vulnerability. Of particular concern, Internet
Explorer (IE) uses the Windows Media Player ActiveX control and
quartz.dll to handle MIDI files embedded in HTML documents. An
attacker could therefore exploit this vulnerability by convincing a
victim to view an HTML document, such as a web page or an HTML email
message, that contains an embedded MIDI file. Note that in addition to
IE, a number of applications, including Outlook, Outlook Express,
Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser
ActiveX control to interpret HTML documents.

Further technical details are available in eEye Digital Security
advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers
to these vulnerabilities as CAN-2003-0346.


II. Impact

By convincing a victim to access a specially crafted MIDI or HTML
file, an attacker could execute arbitrary code with the privileges of
the victim. The attacker could also cause a denial of service in any
application that uses the vulnerable functions in quartz.dll.


III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security
Bulletin MS03-030.

Disable embedded MIDI files

Change the Run ActiveX controls and plug-ins security setting to
Disable in the Internet zone and the zone(s) used by Outlook, Outlook
Express, and any other application that uses the WebBrowser ActiveX
control to render HTML. This modification will prevent MIDI files from
being automatically loaded from HTML documents. This workaround is not
a complete solution and will not prevent attacks that attempt to load
MIDI files directly.

Instructions for modifying IE security zone settings can be found in
the CERT/CC Malicious Web Scripts FAQ.


Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS03-030.


Appendix B. References

* CERT/CC Vulnerability Note VU#561284 -
http://www.kb.cert.org/vuls/id/561284
* CERT/CC Vulnerability Note VU#265232 -
http://www.kb.cert.org/vuls/id/265232
* eEye Digital Security advisory AD20030723 -
http://www.eeye.com/html/Research/Advisories/AD20030723.html
* Microsoft Security Bulletin MS03-030 -
http://microsoft.com/technet/security/bulletin/MS03-030.asp
* Microsoft Knowledge Base article 819696 -
http://support.microsoft.com/default.aspx?scid=kb;en-us;819696
_________________________________________________________________

These vulnerabilities were researched and reported by eEye Digital
Security.
_________________________________________________________________

Feedback can be directed to the author, Art Manion.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-18.html
______________________________________________________________________


CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.


Revision History

July 25, 2003: Initial release


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPyF6V2jtSoHZUTs5AQFGtgP/VJsEVZ1blK04pZhjSIlJuPJJg1PU4Xwi
/lvJFdpvkqKrEH27NHBkfJGN/rSs7kinSq6dEsJeenjb3rcDQMd/VdFEm83cF51/
NDyMt4osvtXveYSR1oorbMbSVQ4tF5yItsOchRfZsfigyk3tvzPA1kawuWBxy2KZ
Gmjs9RLgmxI=
=3ICC
-----END PGP SIGNATURE-----

All rights reserved. Copyright© PakCERT 2000-2017