Windows Media Player Integer Overflow
A vulnerability has been reported in Windows Media Player, with the claim that a specially crafted WAV, SND, or MIDI file can trigger an integer overflow and execute arbitrary code on the system.
One of our readers has tested the PoC on a fully patched Windows XP SP3 with both Media Player 9 and 11 and has shown that it crashes the application.
Some basic crash results from the latest Media Player 11, provided by our reader:
AppName: wmplayer.exe AppVer: 11.0.5721.5145 ModName: quartz.dll
ModVer: 6.5.2600.5596 Offset: 000f2121
Unhandled exception in wmplayer.exe (QUARTZ.DLL):0xC0000095: Integer Overflow
<EXE NAME="quartz.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="quartz.dll" SIZE="1288192" CHECKSUM="0x4569894" BIN_FILE_VERSION="6.5.2600.5596" BIN_PRODUCT_VERSION="6.5.2600.5596" PRODUCT_VERSION="6.05.2600.5596" FILE_DESCRIPTION="DirectShow Runtime." COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="DirectShow" FILE_VERSION="6.05.2600.5596" ORIGINAL_FILENAME="Quartz.dll" INTERNAL_NAME="Quartz.dll" LEGAL_COPYRIGHT="Copyright (C) 1992-2001 Microsoft Corp." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x13DDB2" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.5.2600.5596" UPTO_BIN_PRODUCT_VERSION="6.5.2600.5596" LINK_DATE="05/07/2008 05:12:40" UPTO_LINK_DATE="05/07/2008 05:12:40" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
74902107 mov edi,edi
74902109 push ebp
7490210A mov ebp,esp
7490210C push ebx
7490210D mov eax,dword ptr [ebp+8]
74902110 mov ebx,dword ptr [ebp+0Ch]
74902113 mov ecx,dword ptr [ebp+10h]
74902116 mul eax,ebx
74902118 mov ebx,ecx
7490211A shr ebx,1
7490211C add eax,ebx
7490211E adc edx,0
->74902121 div eax,ecx <- this is where the program crashed
74902123 shld edx,eax,10h
74902127 pop ebx
74902128 pop ebp
74902129 ret 0Ch
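As an added illustration (not code from the page, the PoC, or Microsoft), here is a C rendering of the routine in the disassembly above: a rounded 32-bit a*b/c computed through a 64-bit product, with the check that x86 DIV performs in hardware made explicit. DIV r32 faults (#DE) whenever the high dword of the dividend is not smaller than the divisor, because the quotient would not fit in eax; Windows reports that fault with a non-zero divisor as STATUS_INTEGER_OVERFLOW, the 0xC0000095 shown in the crash output. The sample inputs and the mapping of the three arguments to a, b and c are constructed for the demonstration, not taken from the PoC file.

```c
#include <stdint.h>
#include <stdio.h>

/* Status codes for the checked version of the routine. */
typedef enum { MULDIV_OK = 0, MULDIV_DIV_BY_ZERO = 1, MULDIV_QUOTIENT_OVERFLOW = 2 } muldiv_status;

/* Mirrors the quartz.dll routine above: eax = a, ebx = b, ecx = c.
 *   mul ebx                 -> edx:eax = a * b (64-bit product)
 *   add eax,ebx / adc edx,0 -> edx:eax += c >> 1 (round to nearest)
 *   div ecx                 -> eax = edx:eax / ecx, edx = remainder
 * DIV r32 raises #DE when ecx == 0 or when edx >= ecx, because the
 * quotient would not fit in eax. The second case is what the crash
 * output reports as 0xC0000095 (STATUS_INTEGER_OVERFLOW). */
muldiv_status checked_muldiv_round(uint32_t a, uint32_t b, uint32_t c, uint32_t *quotient)
{
    uint64_t edx_eax = (uint64_t)a * b;          /* mul ebx */
    edx_eax += (uint64_t)(c >> 1);               /* add eax,ebx ; adc edx,0 */
    uint32_t edx = (uint32_t)(edx_eax >> 32);

    if (c == 0)
        return MULDIV_DIV_BY_ZERO;               /* #DE, divisor zero */
    if (edx >= c)
        return MULDIV_QUOTIENT_OVERFLOW;         /* #DE, quotient > 0xFFFFFFFF */

    *quotient = (uint32_t)(edx_eax / c);         /* what div ecx leaves in eax */
    return MULDIV_OK;
}

/* Constructed inputs (not taken from the PoC file): same product, two divisors. */
int main(void)
{
    static const struct { uint32_t a, b, c; } cases[] = {
        { 44100u, 4u, 2u },           /* ordinary: (176400 + 1) / 2 = 88200 */
        { 0x10000u, 0x10000u, 2u },   /* product 2^32, edx = 1 < 2: fine */
        { 0x10000u, 0x10000u, 1u },   /* product 2^32, edx = 1 >= 1: would fault */
        { 7u, 7u, 0u },               /* divisor zero, the other #DE case */
    };
    static const char *names[] = { "ok", "divide-by-zero", "quotient-overflow" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t q = 0;
        muldiv_status s = checked_muldiv_round(cases[i].a, cases[i].b, cases[i].c, &q);
        printf("a=%#x b=%#x c=%#x -> %s", cases[i].a, cases[i].b, cases[i].c, names[s]);
        if (s == MULDIV_OK)
            printf(" (q=%#x)", q);
        putchar('\n');
    }
    return 0;
}
```

The condition edx >= c is the one a parser must enforce on attacker-controlled header fields before handing them to such a routine; a plain C division on 64-bit values silently truncates instead of faulting, so the fault is specific to the 32-bit DIV form.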
UPDATE: Microsoft has published the results of its investigation into this flaw and asserts that it does not lead to code execution: http://blogs.technet.com/msrc/archive/2008/12/29/questions-about-vulnerability-claim-in-windows-media-player.aspx
The more interesting details are in this blog entry: http://blogs.technet.com/swi/archive/2008/12/29/windows-media-player-crash-not-exploitable-for-code-execution.aspx The post is short and sweet, and you can read it yourself. Their assertion is that the flaw only causes WMP to crash and does not otherwise affect the system.