Cert-Lexsi - Microsoft Windows Media Services MMS Buffer Overflow Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cert-Lexsi - Microsoft Windows Media Services MMS Buffer Overflow
Vulnerability
13/04/2010

Priority: High
Type: Remote
Impact: Remote code execution
CVE id: CVE-2010-0478
CVSSv2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

---

1. Software Description (from vendor)

---

Windows Media Services is a Windows server component that enables
content to be streamed from a Windows Media server to Windows Media
clients over the Internet or over an intranet. Clients who receive the
content can render, as in play or display, it as it is being received
without first downloading the content.

---

2. Vulnerability Description

---

Cert-Lexsi discovered a critical vulnerability in Windows Media
Services 4.1.

The vulnerability is a stack-based buffer overflow when handling a
specially crafted MMS TRANSPORT_INFO packet.
It could be exploited to execute arbitrary code with NetShowServices
privileges (which belongs to the Administrators group).

---

3. Affected Software

---

Microsoft Windows Media Services 4.1 (included with Microsoft Windows
2000 Server)

---

4. Solution

---

Apply Microsoft's patches provided by MS10-025.

As a workaround, you can disable the "Windows Media Unicast Service",
listening on port TCP 1755.

---

5. Timeline

---

26/08/2009 - Vendor notified
26/08/2009 - Vendor response
16/09/2009 - Vendor acknowledges the vulnerability
14/10/2009 - Status update from vendor
16/01/2010 - Status update from vendor
16/03/2010 - Status update from vendor
13/04/2010 - Coordinated disclosure

---

6. Credits

---

Vulnerability discovered by Fabien Perigaud, Cert-Lexsi.

---

7. About Cert-Lexsi

---

Cert-Lexsi, Division of LEXSI, is an international team dedicated to
cybercrime mitigation, vulnerability management and incident response
handling.
Cert-Lexsi employs researchers, developers, analysts and consultants
working 24/7 from Montreal, Paris, Geneva and Singapore.

More information:
http://cert.lexsi.com/

---

8. References

---

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0478
http://www.microsoft.com/technet/security/Bulletin/MS10-025.mspx
https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt

---

Fabien Perigaud

• • Consultant sécurité et veille technologique -

Cert-Lexsi - Laboratoire d'EXpertise en Sécurité Informatique
Weblog Cert-Lexsi : http://cert.lexsi.com/weblog/
E-mail : [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJLxW6IAAoJELyB3TrCVXqQ1ZgH/AgKT7G3KumIq0CMkLOgoJkH
EB1Ip1rtNrsMlEO5NF1cdOU1vviwPzZQwehPPlSRlEa2KLY9wjDyxiEiuXsd/0vD
0ElKBTXeakL2AJgMgh6c3jMU9XgSMbOVDI0pe1RNSwA6Sv18iSpBvKK/VyQRYpAf
PkxI4fxRJgdyVvvMZFpA/4lv1pAsffjTu++hrC6/48Ux3jl6lOqaqgtfAeE1cH8C
UxD0Or54oRsIzRw2p+QYzoJTCvjPSGfp7YfRkmHfeoCZPEIrvIQG6iCjDDZMX0gT
ZoU+TR3K5sJGETGhZ8qsysim0l/8c0sCPWlq2Cq6F/aW5aujRn4iTEXAtUcnwcA=
=bbCo
-----END PGP SIGNATURE-----