SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

InfoSec Handlers Diary Blog

A vulnerability was reported on Windows Media Player claiming that using a specially crafted WAV, SND, or MIDI file can trigger an integer overflow and execute arbitrary code on the system.

One of our reader has tested the POC on a fully patched windows XP SP3 with both Media Player 9 and 11 and has shown to crash the application.

Some basic crash results with the latest Media Player 11 provided by our reader:

AppName: wmplayer.exe    AppVer: 11.0.5721.5145  ModName: quartz.dll
ModVer: 6.5.2600.5596    Offset: 000f2121

Unhandled exeption in wmplayer.exe (QUARTZ.DLL):0xC0000095: Integer Overflow

FILE_DESCRIPTION="DirectShow Runtime."

<EXE NAME="quartz.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="quartz.dll" SIZE="1288192" CHECKSUM="0x4569894" BIN_FILE_VERSION="6.5.2600.5596" BIN_PRODUCT_VERSION="6.5.2600.5596" PRODUCT_VERSION="6.05.2600.5596" FILE_DESCRIPTION="DirectShow Runtime." COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="DirectShow" FILE_VERSION="6.05.2600.5596" ORIGINAL_FILENAME="Quartz.dll" INTERNAL_NAME="Quartz.dll" LEGAL_COPYRIGHT="Copyright (C) 1992-2001 Microsoft Corp." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x13DDB2" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.5.2600.5596" UPTO_BIN_PRODUCT_VERSION="6.5.2600.5596" LINK_DATE="05/07/2008 05:12:40" UPTO_LINK_DATE="05/07/2008 05:12:40" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>

74902107   mov         edi,edi
74902109   push        ebp
7490210A   mov         ebp,esp
7490210C   push        ebx
7490210D   mov         eax,dword ptr [ebp+8]
74902110   mov         ebx,dword ptr [ebp+0Ch]
74902113   mov         ecx,dword ptr [ebp+10h]
74902116   mul         eax,ebx
74902118   mov         ebx,ecx
7490211A   shr         ebx,1
7490211C   add         eax,ebx
7490211E   adc         edx,0
->74902121   div         eax,ecx     <- this is where the program crashed
74902123   shld        edx,eax,10h
74902127   pop         ebx
74902128   pop         ebp
74902129   ret         0Ch

UPDATE: Microsoft has published the results of their investigation on this flaw and are asserting that it doesn't lead to code execution - http://blogs.technet.com/msrc/archive/2008/12/29/questions-about-vulnerability-claim-in-windows-media-player.aspx

The more interesting details are provided in this blog entry: http://blogs.technet.com/swi/archive/2008/12/29/windows-media-player-crash-not-exploitable-for-code-execution.aspx the post is short and sweet and you can read it yourself. Their assertion is that the flaw only causes WMP to crash and doesn't impact the system otherwise.