lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <SNT105-W209E500E18B1AA6A488DF3F8390@phx.gbl> Date: Thu, 4 Mar 2010 09:07:37 -0800 From: Matthew Bergin <matt.bergin@...mail.com> To: <full-disclosure@...ts.grok.org.uk> Subject: Orb v2.0.01.0049-V2.54.0018 DirectShow Filter Integer Division By Zero ------------------------------------------- Orb v2.0.01.0049-V2.54.0018 DirectShow Filter Integer Division By Zero Remote DOS Discovered by: Matthew Bergin ------------------------------------------- Timeline: Discovery * 2/20/2010 Reported * 2/22/2010 Response * 2/22/2010 Additional Info Sent * 2/23/2010 Response * 2/23/2010 Response * 2/26/2010Crash Confirmed * 3/03/2010 Patch date: Approx. 2 weeks Expected: 3/19/2010 Affected File: aac_parser.ax Description: When Orb is first installed it registers several Direct Show filters with the system. When registered these filters are then called whenever a file which has a dependency on such a required filter is accessed. By specially crafting specific headers embedded into an mp3 file we can create a direct code path to code which is vulnerable to a integer division by zero. This vulnerability can be triggered remotely be embedding the crafted mp3 file into HTML. It is also not dependent on a certain media player. Attached is a PoC (Proof-Of-Concept) I wrote for this specific bug. Also included is a Rebuild file for IDA Pro examining the crash. _________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. http://clk.atdmt.com/GBL/go/201469230/direct/01/ Content of type "text/html" skipped Download attachment "aac_parser_int_div_by_0_orb.zip" of type "application/x-zip" (144109 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists