| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 Apr 2011 14:16:33 +0530 From: fb1h2s Hack 2 Secure <fb1h2s@...il.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, bugs@...uritytracker.com, vuln@...unia.com, secalert@...urityreason.com, news@...uriteam.com, vuln@...urity.nnov.ru, moderators@...db.org Subject: Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS exploit . Title :Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS exploit . Version :( Checked on XP SP All Versions ) Discovery : http://Garage4Hackers.com, http://www.fb1h2s.com Author : FB1H2S aka Rahul Sasi[ Garage4Hackers.com ] Twitter : @fb1h2s Bug Information: Class :Division By Zero Impact : Could cause a Crash for explorer.exe when tried to be viewed, listed using Windows Explorer. Vendor : http://www.microsoft.com Security Impact : Nil DOS Impact : High Remotely : Yes [Webdev] Locally : Yes Crash File : Attached Bug Details: The shmedia.dll module, serves as shell media extension for Windows, which provides statistics and thumbnails for media files. The dll has also got the ablity to acts as media file property extractor of the Windows shell(explorer.exe) to extract custom attribute information from audio, video, midi, and video thumbnail files including MPEG, MPE, MPG, ASF, ASX, AVI, and WMV. The shmedia.dll application calculates the bit-rate of the file and creates a thumbnail preview for the Properties.So when a user open a folder containing AVI,MPEG file extensions the Shmedia.dll loaded with explorer.exe will automatically calculat the files details and make a preview of the properties. A Div by Zero bug is found when shmedia.dll handles malformed AVI file which when viewed or explored produces a crash. No user triggering is required except dragging the mouse pointer on top of files. Currently it is just (a fun bug ) with causes just DOS condition. The only issue would be as all applications uses windows file explorer to open a file (File + Open) all applications would would crash when attempting to open this file. Technical Details: The GetAViInfo is responsible for reading the file information , a prilimanary check is done to verify the AVI file headers to ensure the presence of right AVI headders. If returend true will move on to the file size bit rate calculation and all. ############################################################################### shmedia!GetAviInfo: 5cad6f8e 8bff mov edi,edi 5cad6f90 55 push ebp 5cad6f91 8bec mov ebp,esp 5cad6f93 53 push ebx 5cad6f94 56 push esi 5cad6f95 57 push edi 5cad6f96 ff7508 push dword ptr [ebp+8] 5cad6f99 bbffff0080 mov ebx,8000FFFFh 5cad6f9e e803f5ffff call shmedia!_ValidAviHeaderInfo (5cad64a6) 5cad6fa3 85c0 test eax,eax Get AVI info function is responsible for calculating the file size and AVI files bit rate ########################################################################################## 5cad6fa5 7463 je shmedia!GetAviInfo+0x7c (5cad700a) 5cad6fa7 33ff xor edi,edi 5cad6fa9 57 push edi 5cad6faa 6880000000 push offset <Unloaded_hext.dll>+0x7f (00000080) 5cad6faf 6a03 push 3 5cad6fb1 57 push edi 5cad6fb2 6a01 push 1 5cad6fb4 6800000080 push 80000000h 5cad6fb9 ff7508 push dword ptr [ebp+8] 5cad6fbc ff154c10ad5c call dword ptr [shmedia!_imp__CreateFileW (5cad104c)] 5cad6fc2 8bf0 mov esi,eax 5cad6fc4 83feff cmp esi,0FFFFFFFFh 5cad6fc7 7518 jne shmedia!GetAviInfo+0x53 (5cad6fe1) 5cad6fc9 ff157810ad5c call dword ptr [shmedia!_imp__GetLastError (5cad1078)] 5cad6fcf 3bc7 cmp eax,edi 5cad6fd1 7437 je shmedia!GetAviInfo+0x7c (5cad700a) 5cad6fd3 7e37 jle shmedia!GetAviInfo+0x7e (5cad700c) 5cad6fd5 25ffff0000 and eax,offset <Unloaded_hext.dll>+0xfffe (0000ffff) 5cad6fda 0d00000780 or eax,80070000h 5cad6fdf eb2b jmp shmedia!GetAviInfo+0x7e (5cad700c) 5cad6fe1 57 push edi 5cad6fe2 56 push esi 5cad6fe3 ff15ac10ad5c call dword ptr [shmedia!_imp__GetFileSize (5cad10ac)] 5cad6fe9 56 push esi Once AVI file size is determined the function will move on and read the AVI data streams ######################################################################################### 5cad6fd5 25ffff0000 and eax,offset <Unloaded_hext.dll>+0xfffe (0000ffff) 5cad6fda 0d00000780 or eax,80070000h 5cad6fdf eb2b jmp shmedia!GetAviInfo+0x7e (5cad700c) 5cad6fe1 57 push edi 5cad6fe2 56 push esi 5cad6fe3 ff15ac10ad5c call dword ptr [shmedia!_imp__GetFileSize (5cad10ac)] 5cad6fe9 56 push esi ######################################################################### 5cad6ffb ff7508 push dword ptr [ebp+8] # 5cad6ffe e8cffbffff call shmedia!ReadAviStreams (5cad6bd2) # Our crash file contains Null butes which would be feteched. 5cad7003 8bd8 mov ebx,eax # 5cad7005 e85c3e0000 call shmedia!AVIFileExit (5cadae66) # 5cad700a 8bc3 mov eax,ebx # ######################################################################### Division by Zero error occours here. When the Null bytes from the stack are loaded on to registers. ######################################################################################################### shmedia!_aulldiv: 5cadac40 53 push ebx 5cadac41 56 push esi 5cadac42 8b442418 mov eax,dword ptr [esp+18h] 5cadac46 0bc0 or eax,eax 5cadac48 7518 jne shmedia!_aulldiv+0x22 (5cadac62) 5cadac4a 8b4c2414 mov ecx,dword ptr [esp+14h] -------------------> Data from the stack got from the file, null 5cadac4e 8b442410 mov eax,dword ptr [esp+10h] -------------------> Stack data, 5cadac52 33d2 xor edx,edx 5cadac54 f7f1 div eax,ecx -----------------------------> Division by Zero Error eax=0000001e ebx=03cc0054 ecx=00000000 edx=00000000 esi=01c6eb64 edi=00000000 eip=5cadac54 esp=01c6e6e8 ebp=01c6eb08 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 shmedia!_aulldiv+0x14: Possible Attack Vector: It is possible for an attacker to load few number of the crash files into a pendrive and make the pendrive unusable, when tried to view file pendrive contents will crash the user's explorer. Recomendations: Quick Fix A quick fix to this would be the unregister shmedia.dll till a patch is issued. Regsvr32 /u shmedia.dll -- Rahul Sasi aka Fb1h2s Info Security Consultant www.fb1h2s.com wwww.garage4hackers.com www.garage4hackers.com/blog.php?8-Fb1h2s-blog -- Rahul Sasi aka Fb1h2s Info Security Consultant 07738222968 09320233681 www.fb1h2s.com wwww.garage4hackers.com www.garage4hackers.com/blog.php?8-Fb1h2s-blog Content of type "text/html" skipped Download attachment "Shmedia_division_by_zero_DOS_explorer.rar" of type "application/rar" (2854 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists