Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22634
HistoryOct 14, 2009 - 12:00 a.m.

Windows Media Audio Voice remote code execution

2009-10-1400:00:00
vulners.com
10

There is a vulnerability in Windows Media Audio Voice decoder
distributed with Windows Media Player that allows remote code
execution by opening a specially crafted web page.

###################
#The vulnerability#
###################

The cause of the vulnerability is a bound checking error in the code
used to decompress Windows Media Audio Voice compressed audio files
(located in wmspdmod.dll). Namely, the vulnerability is caused by not
properly sanitizing the audio sample rate information contained in the
.wma voice file.
The maximum allowed sample rate for .wma voice files is 22050 Hz.
However, it can be set as high as 96000 Hz (the maximum for any .wma
file) without being rejected.
By setting the sample rate in .wma voice file between 22050 Hz and
96000 Hz, the attacker can corrupt memory on stack or (indirectly) on
heap of the vulnerable process.

############
#The impact#
############

This vulnerability can be used to achieve remote code execution by
tricking the victim into opening an attacker-controlled web page. This
can be done by specifying a malformed .wma file as a webpage
background sound (bgsound tags) or by embedding windows media player
in a web page (embed tags). This attack works with multiple browsers
(tested on Internet Explorer 6, Internet Explorer 7 and Mozilla
Firefox 2 under Windows XP, other browsers and Windows version are
affected as well).

#PoC#

Due to the spread and the impact of the vulnerability, exploiting
details will not be released at this time.

############
#References#
############

http://ifsec.blogspot.com/2009/10/windows-media-audio-voice-remote-code.html
http://www.zerodayinitiative.com/advisories/ZDI-09-069/
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0555