Threat Level: green Handler on Duty: Richard Porter

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Windows Media Player Integer Overflow

Published: 2008-12-27
Last Updated: 2008-12-29 22:51:51 UTC
by Koon Yaw Tan (Version: 2)
0 comment(s)

A vulnerability was reported on Windows Media Player claiming that using a specially crafted WAV, SND, or MIDI file can trigger an integer overflow and execute arbitrary code on the system.

One of our reader has tested the POC on a fully patched windows XP SP3 with both Media Player 9 and 11 and has shown to crash the application.

Some basic crash results with the latest Media Player 11 provided by our reader:

AppName: wmplayer.exe    AppVer: 11.0.5721.5145  ModName: quartz.dll
ModVer: 6.5.2600.5596    Offset: 000f2121

Unhandled exeption in wmplayer.exe (QUARTZ.DLL):0xC0000095: Integer Overflow

FILE_DESCRIPTION="DirectShow Runtime."

<MATCHING_FILE NAME="quartz.dll" SIZE="1288192" CHECKSUM="0x4569894" BIN_FILE_VERSION="6.5.2600.5596" BIN_PRODUCT_VERSION="6.5.2600.5596" PRODUCT_VERSION="6.05.2600.5596" FILE_DESCRIPTION="DirectShow Runtime." COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="DirectShow" FILE_VERSION="6.05.2600.5596" ORIGINAL_FILENAME="Quartz.dll" INTERNAL_NAME="Quartz.dll" LEGAL_COPYRIGHT="Copyright (C) 1992-2001 Microsoft Corp." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x13DDB2" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.5.2600.5596" UPTO_BIN_PRODUCT_VERSION="6.5.2600.5596" LINK_DATE="05/07/2008 05:12:40" UPTO_LINK_DATE="05/07/2008 05:12:40" VER_LANGUAGE="English (United States) [0x409]" />

74902107   mov         edi,edi
74902109   push        ebp
7490210A   mov         ebp,esp
7490210C   push        ebx
7490210D   mov         eax,dword ptr [ebp+8]
74902110   mov         ebx,dword ptr [ebp+0Ch]
74902113   mov         ecx,dword ptr [ebp+10h]
74902116   mul         eax,ebx
74902118   mov         ebx,ecx
7490211A   shr         ebx,1
7490211C   add         eax,ebx
7490211E   adc         edx,0
->74902121   div         eax,ecx     <- this is where the program crashed
74902123   shld        edx,eax,10h
74902127   pop         ebx
74902128   pop         ebp
74902129   ret         0Ch


UPDATE: Microsoft has published the results of their investigation on this flaw and are asserting that it doesn't lead to code execution -

The more interesting details are provided in this blog entry: the post is short and sweet and you can read it yourself. Their assertion is that the flaw only causes WMP to crash and doesn't impact the system otherwise.


0 comment(s)
Diary Archives