CVE-2008-2253 - Code Injection vulnerability in Microsoft Windows Media Player 11

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, microsoft, CWE-94, critical, nessus

Summary

Unspecified vulnerability in Microsoft Windows Media Player 11 allows remote attackers to execute arbitrary code via a crafted audio-only file that is streamed from a Server-Side Playlist (SSPL) on Windows Media Server, aka "Windows Media Player Sampling Rate Vulnerability."

http://www.microsoft.com/technet/security/Bulletin/MS08-054.mspx

Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update".

*Windows Server 2008 server core installation not affected. The vulnerability addressed by this update does not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option, even though the files affected by this vulnerability may be present on the system. However, users with the affected files will still be offered this update because the update files are newer (with higher version numbers) than the files that are currently on your system. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads a resource (such as an image file or configuration file) that the attacker has modified, the file either executes malicious code directly or manipulates the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF, as in http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here (see http://www.gnucitizen.org/blog/danger-danger-danger/). The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS08-054.NASL
description: The remote host is running Windows Media Player 11. There is a vulnerability in the remote version of this software that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, the attacker would need to set up a rogue audio file and send it to a victim on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 34122
published: 2008-09-10
reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/34122
title: MS08-054: Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)

Oval

accepted: 2014-08-18T04:05:59.988-04:00
class: vulnerability
contributors:
  • name: Sudhir Gandhe
    organization: Secure Elements, Inc.
  • name: Sudhir Gandhe
    organization: Secure Elements, Inc.
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Windows Media Player v11 is installed.
    oval: oval:org.mitre.oval:def:2126
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Windows Media Player v11 is installed.
    oval: oval:org.mitre.oval:def:2126
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Windows Media Player v11 is installed.
    oval: oval:org.mitre.oval:def:2126
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Windows Media Player v11 is installed.
    oval: oval:org.mitre.oval:def:2126
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Windows Media Player v11 is installed.
    oval: oval:org.mitre.oval:def:2126
description: Unspecified vulnerability in Microsoft Windows Media Player 11 allows remote attackers to execute arbitrary code via a crafted audio-only file that is streamed from a Server-Side Playlist (SSPL) on Windows Media Server, aka "Windows Media Player Sampling Rate Vulnerability."
family: windows
id: oval:org.mitre.oval:def:5615
status: accepted
submitted: 2008-09-09T13:58:00
title: Windows Media Player Sampling Rate Vulnerability
version: 72

Seebug

bulletinFamily: exploit
description:
    BUGTRAQ ID: 30550
    CVE ID: CVE-2008-2253
    CNCVE ID: CNCVE-20082253

    Microsoft Windows Media Player is a popular media player application. A buffer overflow exists in the way Microsoft Windows Media Player handles sampling rates. A remote attacker can build a specially crafted audio file to trigger the vulnerability, which can lead to execution of arbitrary instructions with the privileges of the application. No detailed vulnerability information is currently available.

    Affected: Microsoft Windows Media Player 11

    The following temporary workaround is available:
      - Unregister wmpeffects.dll:
        On 32-bit Windows systems:
          Regsvr32.exe -u %WINDIR%\system32\wmpeffects.dll
        On 64-bit Windows systems:
          Regsvr32.exe -u %WINDIR%\syswow64\wmpeffects.dll
      How to undo the unregistration:
        On 32-bit Windows systems:
          Regsvr32.exe %WINDIR%\system32\wmpeffects.dll
        On 64-bit Windows systems:
          Regsvr32.exe %WINDIR%\syswow64\wmpeffects.dll

    The following patches are available for Microsoft Windows Media Player 11:
      • Microsoft Security Update for Windows Server 2008 (KB954154)
        http://www.microsoft.com/downloads/details.aspx?FamilyId=72fc6028-6af4-44ec-8d2a-28c53807d6bc&displaylang=en
      • Microsoft Security Update for Windows Server 2008 x64 Edition (KB954154)
        http://www.microsoft.com/downloads/details.aspx?FamilyId=3906512b-26db-473e-b522-3883ff34a21c&displaylang=en
      • Microsoft Security Update for Windows Vista (KB954154)
        http://www.microsoft.com/downloads/details.aspx?FamilyId=2f4118fd-1ffb-46da-b922-cd4ca4f9d84e&displaylang=en
      • Microsoft Security Update for Windows Vista for x64-based Systems (KB954154)
        http://www.microsoft.com/downloads/details.aspx?FamilyId=334352e7-d41f-494f-866d-f1f1745ffd17&displaylang=en
      • Microsoft Security Update for Windows XP (KB954154)
        http://www.microsoft.com/downloads/details.aspx?FamilyId=3906512b-26db-473e-b522-3883ff34a21c&displaylang=en
      • Microsoft Security Update for Windows XP x64 Edition (KB954154)
        http://www.microsoft.com/downloads/details.aspx?FamilyId=caf8a45e-a9f8-4e91-98fd-87eddbeae64c&displaylang=en
id: SSV:4017
last seen: 2017-11-19
modified: 2008-09-11
published: 2008-09-11
reporter: Root
title: Microsoft Windows Media Player SSPL File Remote Code Execution Vulnerability (MS08-054)