Vulnerabilities > CVE-2010-0268 - Unspecified vulnerability in Microsoft Windows 2000, Windows Media Player and Windows XP

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
critical
nessus
NVD
Published: 2010-04-14
Updated: 2018-10-12

Summary

Unspecified vulnerability in the Windows Media Player ActiveX control in Windows Media Player (WMP) 9 on Microsoft Windows 2000 SP4 and XP SP2 and SP3 allows remote attackers to execute arbitrary code via crafted media content, aka "Media Player Remote Code Execution Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
1
OS
Microsoft
3

Msbulletin

bulletin_idMS10-027
bulletin_url
date2010-04-13T00:00:00
impactRemote Code Execution
knowledgebase_id979402
knowledgebase_url
severityCritical
titleVulnerability in Windows Media Player Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS10-027.NASL
descriptionThe Windows Media Player 9 ActiveX control has an unspecified code execution vulnerability. A remote attacker could exploit this by tricking a user into requesting a maliciously crafted web page, resulting in arbitrary code execution.
last seen2020-06-01
modified2020-06-02
plugin id45514
published2010-04-13
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/45514
titleMS10-027: Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(45514);
  script_version("1.20");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2010-0268");
  script_bugtraq_id(39351);
  script_xref(name:"MSFT", value:"MS10-027");
  script_xref(name:"MSKB", value:"979402");

  script_name(english:"MS10-027: Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)");
  script_summary(english:"Checks the version of wmp.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host has an ActiveX control that is affected by a
code execution vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The Windows Media Player 9 ActiveX control has an unspecified code
execution vulnerability.

A remote attacker could exploit this by tricking a user into
requesting a maliciously crafted web page, resulting in arbitrary code
execution."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-027");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/13");

  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-027';
kbs = make_list("979402");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

kb = "979402";

if (
  # Windows XP x86
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Wmp.dll", version:"9.0.0.4508", min_version:"9.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Wmp.dll", version:"9.0.0.3367", min_version:"9.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2000
  hotfix_is_vulnerable(os:"5.0",                   file:"Wmp.dll", version:"9.0.0.3367", min_version:"9.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2010-06-07T04:00:34.527-04:00
classvulnerability
contributors
nameDragos Prisaca
organizationSymantec Corporation
definition_extensions
  • commentWindows Media Player v9 is installed.
    ovaloval:org.mitre.oval:def:2147
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentWindows Media Player v9 is installed.
    ovaloval:org.mitre.oval:def:2147
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
descriptionUnspecified vulnerability in the Windows Media Player ActiveX control in Windows Media Player (WMP) 9 on Microsoft Windows 2000 SP4 and XP SP2 and SP3 allows remote attackers to execute arbitrary code via crafted media content, aka "Media Player Remote Code Execution Vulnerability."
familywindows
idoval:org.mitre.oval:def:7281
statusaccepted
submitted2010-03-13T13:00:00
titleMedia Player Remote Code Execution Vulnerability
version72

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 39351 CVE ID: CVE-2010-0268 Windows Media Player是微软操作系统中默认捆绑的媒体播放器。 Windows Media Player中用于检索未知fourCC压缩代码codec的功能中存在安全漏洞。当嵌入式的Windows Media Player控件试图播放包含有未知类型codec的媒体文件时,就会向Microsoft提交请求检索必须的功能。如果在此期间从网页删除了这个控件,清空例程会调用已经释放的指针。 如果Windows Media Player打开恶意网站上特制的媒体内容,此漏洞可能允许远程执行代码。成功利用此漏洞的攻击者可以获得与本地用户相同的用户权限。 Microsoft Windows Media Player 9.0 临时解决方法: * 阻止在Internet Explorer中运行Windows Media Player ActiveX控件。 * 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件和活动脚本之前进行提示。 * 将Internet和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-027)以及相应补丁: MS10-027:Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-027.mspx?pf=true
idSSV:19459
last seen2017-11-19
modified2010-04-14
published2010-04-14
reporterRoot
titleWindows Media Player Codec检索释放后使用漏洞(MS10-027)

References