Wednesday, October 14, 2009

Windows Media Audio Voice remote code execution

There is a vulnerability in Windows Media Audio Voice decoder distributed with Windows Media Player that allows remote code execution by opening a specially crafted web page.

The vulnerability

The cause of the vulnerability is a bound checking error in the code used to decompress Windows Media Audio Voice compressed audio files (located in wmspdmod.dll). Namely, the vulnerability is caused by not properly sanitizing the audio sample rate information contained in the .wma voice file.The maximum allowed sample rate for .wma voie files is 22050 Hz. However, it can be set as high as 96000 Hz (the maximum for any .wma file) without being rejected.By setting the sample rate in .wma voice file between 22050 Hz and 96000 Hz, the attacker can corrupt memory on stack or (indirectly) on heap of the vulnerable process.

Impact

This vulnerability can be used to achieve remote code execution by tricking the victim into opening an attacker-controlled web page. This can be done by specifying a malformed .wma file as a webpage background sound (bgsound tags) or by embedding windows media player in a web page (embed tags). This attack works with multiple browsers (tested on Internet Explorer 6, Internet Explorer 7 and Mozilla Firefox 2 under Windows XP, other browsers and Windows version are affected as well).

PoC

Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.

References

http://www.zerodayinitiative.com/advisories/ZDI-09-069/
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0555

No comments: