Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Windows Media Player Integer Overflow - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Windows Media Player Integer Overflow

A vulnerability was reported on Windows Media Player claiming that using a specially crafted WAV, SND, or MIDI file can trigger an integer overflow and execute arbitrary code on the system.

One of our reader has tested the POC on a fully patched windows XP SP3 with both Media Player 9 and 11 and has shown to crash the application.

Some basic crash results with the latest Media Player 11 provided by our reader:

AppName: wmplayer.exe    AppVer: 11.0.5721.5145  ModName: quartz.dll
ModVer: 6.5.2600.5596    Offset: 000f2121

Unhandled exeption in wmplayer.exe (QUARTZ.DLL):0xC0000095: Integer Overflow

FILE_DESCRIPTION="DirectShow Runtime."

<EXE NAME="quartz.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="quartz.dll" SIZE="1288192" CHECKSUM="0x4569894" BIN_FILE_VERSION="6.5.2600.5596" BIN_PRODUCT_VERSION="6.5.2600.5596" PRODUCT_VERSION="6.05.2600.5596" FILE_DESCRIPTION="DirectShow Runtime." COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="DirectShow" FILE_VERSION="6.05.2600.5596" ORIGINAL_FILENAME="Quartz.dll" INTERNAL_NAME="Quartz.dll" LEGAL_COPYRIGHT="Copyright (C) 1992-2001 Microsoft Corp." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x13DDB2" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.5.2600.5596" UPTO_BIN_PRODUCT_VERSION="6.5.2600.5596" LINK_DATE="05/07/2008 05:12:40" UPTO_LINK_DATE="05/07/2008 05:12:40" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>

74902107   mov         edi,edi
74902109   push        ebp
7490210A   mov         ebp,esp
7490210C   push        ebx
7490210D   mov         eax,dword ptr [ebp+8]
74902110   mov         ebx,dword ptr [ebp+0Ch]
74902113   mov         ecx,dword ptr [ebp+10h]
74902116   mul         eax,ebx
74902118   mov         ebx,ecx
7490211A   shr         ebx,1
7490211C   add         eax,ebx
7490211E   adc         edx,0
->74902121   div         eax,ecx     <- this is where the program crashed
74902123   shld        edx,eax,10h
74902127   pop         ebx
74902128   pop         ebp
74902129   ret         0Ch

Koon Yaw

68 Posts

Sign Up for Free or Log In to start participating in the conversation!