
DoS in Microsoft Media Player 11 on Win XP SP2



                        .---------------.
                       /     Advisory    \
-----------------------------------------------------------------.
                                                                 :
Affected         : Microsoft Media Player 11 on Win XP SP2       :
Type             : DIVISION by ZERO                              :
Result           : DoS                                           :
Remote           : YES                                           :
Date             : 2007-08-07                                    :
Author           : Adonis, Abed                                  :
url              : http://www.safehack.com/exp/mp/mplayer11.txt  :
-----------------------------------------------------------------.

------------.
 Disclaimer  \
--------------`--------------------------------------------------.
This material is presented for informational and educational     :
purposes only. We do not accept any liability for anything anyone:
does with this information. So, don't shoot the messenger.       :
                                                                 :
Use a computer in ways that ensure respect for your fellows.     :
-----------------------------------------------------------------.

--------------.
 Brief History \
----------------`------------------------------------------------.
A division by zero leads to a denial of service on               :
Microsoft Windows Media Player version 11                        :
                                                                 :
If you open a specially crafted .au file in Windows Media Player :
you will crash the player with the following error.              :
                                                                 :
Exception number: c0000094 (divide by zero)                      :
                                                                 :
To see if your Windows Media Player is vulnerable, use our       :
.au generator coded in Python, or you can download the POC file. :
                                                                 :
                                                                 :
Proof-of-Concept                                                 :
----------------                                                 :
                                                                 :
http://www.safehack.com/exp/mp/iapetus.py (python .au generator) :
http://www.safehack.com/exp/mp/iapetus.au (poc file)             :
                                                                 :
If you do not have Python installed you can just use the POC file:
-----------------------------------------------------------------.

--------------.
 DEBUG DUMP    \
----------------`------------------------------------------------.

Application exception occurred:
        App: C:\Program Files\Windows Media Player\wmplayer.exe (pid=4972)
        When: 8/7/2007 - 19:50:13.051
        Exception number: c0000094 (divide by zero)

*----> System Information <----*
        Computer Name: --
        User Name: --
        Terminal Session Id: 0
        Number of Processors: 1
        Processor Type: x86 Family 15 Model 2 Stepping 4
        Windows Version: 5.1
        Current Build: 2600
        Service Pack: 2
        Current Type: Uniprocessor Free
        Registered Organization: Organization
        Registered Owner: Name



*----> State Dump for Thread Id 0x838 <----*

eax=ffffffff ebx=010a82b0 ecx=00000000 edx=00000000 esi=ffffffff edi=000fe3a2
eip=748fe598 esp=01c8f0c0 ebp=01c8f154 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

function: quartz
        748fe581 b708             mov     bh,0x8
        748fe583 c1ea02           shr     edx,0x2
        748fe586 3bd1             cmp     edx,ecx
        748fe588 7702             ja      quartz+0xee58c (748fe58c)
        748fe58a 8bd1             mov     edx,ecx
        748fe58c 0fb708           movzx   ecx,word ptr [eax]
        748fe58f 56               push    esi
        748fe590 8d740aff         lea     esi,[edx+ecx-0x1]
        748fe594 8bc6             mov     eax,esi
        748fe596 33d2             xor     edx,edx
FAULT ->748fe598 f7f1             div     ecx        <- FAULT
        748fe59a 8bc6             mov     eax,esi
        748fe59c 5e               pop     esi
        748fe59d 2bc2             sub     eax,edx
        748fe59f c3               ret
        748fe5a0 90               nop
        748fe5a1 90               nop
        748fe5a2 90               nop
        748fe5a3 90               nop
        748fe5a4 90               nop
        748fe5a5 8bff             mov     edi,edi

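The faulting routine in the dump rounds a value up to a multiple of a 16-bit field loaded straight from memory (lea esi,[edx+ecx-1]; xor edx,edx; div ecx; sub eax,edx) and never checks that the field is non-zero. The C below is an added reconstruction of that pattern next to a checked version; it is not Microsoft's code, and the little-endian field read and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the faulting quartz routine above: the divisor n is a 16-bit
 * field taken from the parsed data (movzx ecx,word ptr [eax]) and used
 * by DIV with no zero check. Constructed reconstruction, not Microsoft's
 * source. Returns v rounded up to a multiple of n; n == 0 reproduces the
 * fault class (integer division by zero), so it is never called that way. */
static uint32_t round_up_unchecked(uint32_t v, uint32_t n)
{
    uint32_t tmp = v + n - 1;        /* lea esi,[edx+ecx-1]            */
    uint32_t rem = tmp % n;          /* xor edx,edx; div ecx -> edx    */
    return tmp - rem;                /* mov eax,esi; sub eax,edx       */
}

/* Hardened form: rejects a zero divisor (malformed input) and an
 * addition that would wrap. Returns 0 and stores the result on success,
 * -1 otherwise. */
static int round_up_checked(uint32_t v, uint32_t n, uint32_t *out)
{
    if (n == 0)
        return -1;
    if (v > UINT32_MAX - (n - 1))
        return -1;
    uint32_t tmp = v + n - 1;
    *out = tmp - (tmp % n);
    return 0;
}

/* Reads the 16-bit divisor from a buffer the way the x86 load does
 * (little-endian, assumption) and applies the checked rounding.
 * Returns -1 for a short buffer or a zero field. */
static int round_up_from_field(const uint8_t *buf, size_t len,
                               uint32_t v, uint32_t *out)
{
    if (len < 2)
        return -1;
    uint32_t n = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8);
    return round_up_checked(v, n, out);
}

int main(void)
{
    /* Constructed sample fields: a sane block size and a zero one. */
    const uint8_t ok_field[2]   = {0x04, 0x00};
    const uint8_t zero_field[2] = {0x00, 0x00};
    uint32_t r = 0;
    printf("ok:   %d (r=%u)\n", round_up_from_field(ok_field, 2, 13, &r), r);
    printf("zero: %d (rejected instead of faulting)\n",
           round_up_from_field(zero_field, 2, 13, &r));
    return 0;
}
```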

-------------.
 The Solution \
---------------`-------------------------------------------------.
                                                                 :
Wait for a patch from Microsoft                                  :
-----------------------------------------------------------------.