
SANS ISC InfoSec Handlers Diary Blog



Windows Media Player Integer Overflow

Published: 2008-12-27
Last Updated: 2008-12-29 22:51:51 UTC
by Koon Yaw Tan (Version: 2)

A vulnerability has been reported in Windows Media Player. The report claims that a specially crafted WAV, SND, or MIDI file can trigger an integer overflow and execute arbitrary code on the system.

One of our readers tested the POC on a fully patched Windows XP SP3 system with both Media Player 9 and 11, and it crashed the application.

Some basic crash results with the latest Media Player 11 provided by our reader:

AppName: wmplayer.exe    AppVer: 11.0.5721.5145  ModName: quartz.dll
ModVer: 6.5.2600.5596    Offset: 000f2121

Unhandled exception in wmplayer.exe (QUARTZ.DLL):0xC0000095: Integer Overflow

FILE_DESCRIPTION="DirectShow Runtime."

<EXE NAME="quartz.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="quartz.dll" SIZE="1288192" CHECKSUM="0x4569894" BIN_FILE_VERSION="6.5.2600.5596" BIN_PRODUCT_VERSION="6.5.2600.5596" PRODUCT_VERSION="6.05.2600.5596" FILE_DESCRIPTION="DirectShow Runtime." COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="DirectShow" FILE_VERSION="6.05.2600.5596" ORIGINAL_FILENAME="Quartz.dll" INTERNAL_NAME="Quartz.dll" LEGAL_COPYRIGHT="Copyright (C) 1992-2001 Microsoft Corp." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x13DDB2" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.5.2600.5596" UPTO_BIN_PRODUCT_VERSION="6.5.2600.5596" LINK_DATE="05/07/2008 05:12:40" UPTO_LINK_DATE="05/07/2008 05:12:40" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>

74902107   mov         edi,edi
74902109   push        ebp
7490210A   mov         ebp,esp
7490210C   push        ebx
7490210D   mov         eax,dword ptr [ebp+8]
74902110   mov         ebx,dword ptr [ebp+0Ch]
74902113   mov         ecx,dword ptr [ebp+10h]
74902116   mul         eax,ebx
74902118   mov         ebx,ecx
7490211A   shr         ebx,1
7490211C   add         eax,ebx
7490211E   adc         edx,0
->74902121   div         eax,ecx     <- this is where the program crashed
74902123   shld        edx,eax,10h
74902127   pop         ebx
74902128   pop         ebp
74902129   ret         0Ch
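
The arithmetic in the listing above, modelled in C as an added example (not code from the diary, the reader, or Microsoft): the routine computes (a*b + c/2)/c, and a 32-bit `div` raises a divide error whenever the quotient cannot fit in EAX. The function names, the checked variant and the sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of the DIV at 74902121, predicted without executing it. */
typedef enum { DIV_OK, DIV_BY_ZERO, DIV_QUOTIENT_OVERFLOW } div_outcome;

/* Model of the listing: EDX:EAX = a*b (mul), plus c>>1 (add/adc), then
 * div ecx. Parameter names a, b, c are assumptions for [ebp+8], [ebp+0Ch],
 * [ebp+10h]. */
div_outcome model_listing(uint32_t a, uint32_t b, uint32_t c, uint32_t *quot)
{
    /* Largest possible value is below 2^64, so this sum never wraps. */
    uint64_t dividend = (uint64_t)a * b + (c >> 1);

    if (c == 0)
        return DIV_BY_ZERO;
    /* A 32-bit DIV faults when the quotient needs more than 32 bits,
     * which is exactly when the high dword (EDX) is >= the divisor. */
    if ((uint32_t)(dividend >> 32) >= c)
        return DIV_QUOTIENT_OVERFLOW;
    *quot = (uint32_t)(dividend / c);
    return DIV_OK;
}

/* Checked variant (hypothetical): same rounding, but the division is done
 * in 64 bits and the result is range-checked instead of trapping. */
bool scale_checked(uint32_t a, uint32_t b, uint32_t c, uint32_t *out)
{
    if (c == 0)
        return false;
    uint64_t q = ((uint64_t)a * b + (c >> 1)) / c;
    if (q > UINT32_MAX)
        return false;
    *out = (uint32_t)q;
    return true;
}

int main(void)
{
    /* Constructed inputs: one ordinary, one whose quotient exceeds 32 bits. */
    uint32_t q = 0;
    printf("%d\n", model_listing(1000, 44100, 1000, &q));     /* DIV_OK */
    printf("%d\n", model_listing(0x10000, 0x10000, 1, &q));   /* overflow */
    printf("%d\n", scale_checked(0x10000, 0x10000, 1, &q));   /* rejected */
    return 0;
}
```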

 

UPDATE: Microsoft has published the results of its investigation into this flaw and asserts that it doesn't lead to code execution: http://blogs.technet.com/msrc/archive/2008/12/29/questions-about-vulnerability-claim-in-windows-media-player.aspx

The more interesting details are provided in this blog entry: http://blogs.technet.com/swi/archive/2008/12/29/windows-media-player-crash-not-exploitable-for-code-execution.aspx. The post is short and sweet, and you can read it yourself. Their assertion is that the flaw only causes WMP to crash and doesn't impact the system otherwise.

 
