lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <cacf93c50910140348o6610f500ob0578e2453435be5@mail.gmail.com>
Date: Wed, 14 Oct 2009 12:48:54 +0200
From: Ivan Fratric <ifsecure@...il.com>
To: bugtraq@...urityfocus.com
Subject: Windows Media Audio Voice remote code execution

There is a vulnerability in Windows Media Audio Voice decoder
distributed with Windows Media Player that allows remote code
execution by opening a specially crafted web page.

###################
#The vulnerability#
###################

The cause of the vulnerability is a bound checking error in the code
used to decompress Windows Media Audio Voice compressed audio files
(located in wmspdmod.dll). Namely, the vulnerability is caused by not
properly sanitizing the audio sample rate information contained in the
.wma voice file.
The maximum allowed sample rate for .wma voice files is 22050 Hz.
However, it can be set as high as 96000 Hz (the maximum for any .wma
file) without being rejected.
By setting the sample rate in .wma voice file between 22050 Hz and
96000 Hz, the attacker can corrupt memory on stack or (indirectly) on
heap of the vulnerable process.

############
#The impact#
############

This vulnerability can be used to achieve remote code execution by
tricking the victim into opening an attacker-controlled web page. This
can be done by specifying a malformed .wma file as a webpage
background sound (bgsound tags) or by embedding windows media player
in a web page (embed tags). This attack works with multiple browsers
(tested on Internet Explorer 6, Internet Explorer 7 and Mozilla
Firefox 2 under Windows XP, other browsers and Windows version are
affected as well).

#####
#PoC#
#####

Due to the spread and the impact of the vulnerability, exploiting
details will not be released at this time.

############
#References#
############

http://ifsec.blogspot.com/2009/10/windows-media-audio-voice-remote-code.html
http://www.zerodayinitiative.com/advisories/ZDI-09-069/
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0555

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ