| Business Impact: |
This codec is a component of Microsoft Media Player, found in all modern Microsoft operating systems, including Microsoft Windows Vista. Compromise of machines using affected versions of this codec may lead to exposure of confidential information, loss of productivity, and further compromise. An attacker may need to entice a user to perform an operation to trigger this vulnerability. These operations include: visiting a web page, browsing either a local or remote directory containing the malicious file, causing an application using an embedded version of Microsoft Media Player to play or preview the file, and opening a specially crafted Microsoft Office or media file. Successful exploitation grants an attacker the privileges of the user performing the action. |
| Technical Description: |
These vulnerabilities are invoked when specially-crafted MJPEG data is encountered in either an AVI or ASF data file (and possibly others). Specifically, an output buffer is allocated based on the reported size and width of the image as specified by the MJPEG stream format block. This format block is read straight from the media file and is lightly checked for validity. The JPEG stream is then interpreted by the codec including the JPEG headers. These JPEG headers can indicate a completely different size and width than that indicated in the format block, and this second set of values from the JPEG header is used to determine how much data is actually read in to the allocated buffer. Thus, by making the values in the JPEG header larger than those indicated in the format block, a heap overflow can be triggered.
In addition, scan lines from the JPEG image are read into the buffer in reverse. If the pointer into the allocated buffer decrements below the beginning of the buffer, this condition is detected, and the rest of the JPEG scanlines are read into a stack buffer. Since the stack buffer is a fixed size and the scan line can be arbitrarily larger, a stack overflow can also be triggered. |
