DoS in Microsoft Media Player 11 on Win XP SP2

2007.08.10
Credit: Adonis, Abed
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Advisory
--------
Affected : Microsoft Media Player 11 on Win XP SP2
Type     : DIVISION by ZERO
Result   : DoS
Remote   : YES
Date     : 2007-08-07
Author   : Adonis, Abed
url      : http://www.safehack.com/exp/mp/mplayer11.txt

Disclaimer
----------
This material is presented for informational and educational purposes only. We do not accept any liability for anything anyone does with this information. So, don't shoot the messenger.

Use a computer in a way that ensures respect for your fellow.

Brief History
-------------
A division by zero leads to a denial of service in Microsoft Windows Media Player version 11.

If you open a specially crafted .au file in Windows Media Player, you will crash the player with the following error:

    Exception number: c0000094 (divide by zero)

To see if your Windows Media Player is vulnerable, you can use our .au generator coded in Python, or you can download the POC file.

Proof-of-Concept
----------------
http://www.safehack.com/exp/mp/iapetus.py (python .au generator)
http://www.safehack.com/exp/mp/iapetus.au (poc file)

If you do not have Python installed, you can just use the POC file.

DEBUG DUMP
----------
Application exception occurred:
        App: C:\Program Files\Windows Media Player\wmplayer.exe (pid=4972)
        When: 8/7/2007 - 19:50:13.051
        Exception number: c0000094 (divide by zero)

*----> System Information <----*
        Computer Name: --
        User Name: --
        Terminal Session Id: 0
        Number of Processors: 1
        Processor Type: x86 Family 15 Model 2 Stepping 4
        Windows Version: 5.1
        Current Build: 2600
        Service Pack: 2
        Current Type: Uniprocessor Free
        Registered Organization: Organization
        Registered Owner: Name

*----> State Dump for Thread Id 0x838 <----*

eax=ffffffff ebx=010a82b0 ecx=00000000 edx=00000000 esi=ffffffff edi=000fe3a2
eip=748fe598 esp=01c8f0c0 ebp=01c8f154 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

function: quartz
        748fe581 b708             mov     bh,0x8
        748fe583 c1ea02           shr     edx,0x2
        748fe586 3bd1             cmp     edx,ecx
        748fe588 7702             ja      quartz+0xee58c (748fe58c)
        748fe58a 8bd1             mov     edx,ecx
        748fe58c 0fb708           movzx   ecx,word ptr [eax]
        748fe58f 56               push    esi
        748fe590 8d740aff         lea     esi,[edx+ecx-0x1]
        748fe594 8bc6             mov     eax,esi
        748fe596 33d2             xor     edx,edx
FAULT ->748fe598 f7f1             div     ecx                    <- FAULT
        748fe59a 8bc6             mov     eax,esi
        748fe59c 5e               pop     esi
        748fe59d 2bc2             sub     eax,edx
        748fe59f c3               ret
        748fe5a0 90               nop
        748fe5a1 90               nop
        748fe5a2 90               nop
        748fe5a3 90               nop
        748fe5a4 90               nop
        748fe5a5 8bff             mov     edi,edi

The Solution
------------
Wait for a patch from Microsoft
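The faulting instructions in the dump above (from "movzx ecx,word ptr [eax]" to "ret") read as a round-up-to-a-multiple computation whose 16-bit divisor is loaded from memory and used without a zero check. The C below is an added illustration, not code from the advisory or from Microsoft; the function and parameter names are hypothetical, and treating the values as a size and a unit is an assumption drawn from the instruction sequence only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form, mirroring the dump. Names are hypothetical.
 * With a divisor of 0 the division traps (c0000094 on Windows);
 * the register dump shows ecx=00000000 and esi=ffffffff at that point. */
uint32_t round_up_unchecked(uint32_t size, const uint16_t *unit_ptr)
{
    uint32_t unit = *unit_ptr;      /* movzx ecx, word ptr [eax] */
    uint32_t n = size + unit - 1;   /* lea   esi, [edx+ecx-0x1]  */
    return n - (n % unit);          /* div ecx ; sub eax, edx    */
}

/* Checked form: validate the divisor before dividing and refuse
 * inputs whose intermediate sum would wrap around 32 bits. */
bool round_up_checked(uint32_t size, uint16_t unit, uint32_t *out)
{
    if (unit == 0)
        return false;               /* would be the div-by-zero fault */
    if (size > UINT32_MAX - (uint32_t)(unit - 1u))
        return false;               /* size + unit - 1 would overflow */
    uint32_t n = size + unit - 1u;
    *out = n - (n % unit);
    return true;
}

int main(void)
{
    /* Constructed sample inputs: {size, unit}. */
    const struct { uint32_t size; uint16_t unit; } cases[] = {
        {10, 4}, {8, 4}, {0, 0}, {0xFFFFFFFFu, 2},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t r = 0;
        if (round_up_checked(cases[i].size, cases[i].unit, &r))
            printf("size=%u unit=%u -> %u\n", (unsigned)cases[i].size,
                   (unsigned)cases[i].unit, (unsigned)r);
        else
            printf("size=%u unit=%u -> rejected\n",
                   (unsigned)cases[i].size, (unsigned)cases[i].unit);
    }
    return 0;
}
```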

