Title           : Microsoft Windows shmedia.dll Division By Zero, explorer.exe DoS exploit
Version         : Windows XP, all service packs (checked)
Discovery       : http://Garage4Hackers.com, http://www.fb1h2s.com
Author          : FB1H2S aka Rahul Sasi [ Garage4Hackers.com ]
Twitter         : @fb1h2s

Bug Information:
Class           : Division By Zero
Impact          : Crashes explorer.exe when a folder containing the file is viewed or listed in Windows Explorer
Vendor          : http://www.microsoft.com
Security Impact : Nil
DoS Impact      : High
Remotely        : Yes [WebDAV]
Locally         : Yes
Crash File      : Attached

Bug Details:

The shmedia.dll module is the shell media extension for Windows: it provides statistics and thumbnails for media files and acts as the property extractor the Windows shell (explorer.exe) uses to pull custom attribute information out of audio, video, MIDI and video thumbnail files, including MPEG, MPE, MPG, ASF, ASX, AVI and WMV. For the Properties view it calculates the file's bit rate and builds a thumbnail preview. So whenever a user opens a folder containing AVI or MPEG files, the shmedia.dll loaded into explorer.exe automatically computes the file details and renders the property preview.

A division by zero occurs when shmedia.dll handles a malformed AVI file: merely viewing or browsing the folder that contains it crashes explorer.exe. No user interaction is required beyond hovering the mouse pointer over the file. For now this is just a fun bug that produces a denial-of-service condition. The one broader issue is that applications open files through the Windows shell's file dialog (File > Open), so any application that lists the folder through that dialog will crash as well.

Technical Details:

GetAviInfo is responsible for reading the file information. It first calls _ValidAviHeaderInfo to verify that the expected AVI headers are present; if that check returns true, it moves on to reading the file size and calculating the bit rate.
###############################################################################
shmedia!GetAviInfo:
5cad6f8e 8bff            mov     edi,edi
5cad6f90 55              push    ebp
5cad6f91 8bec            mov     ebp,esp
5cad6f93 53              push    ebx
5cad6f94 56              push    esi
5cad6f95 57              push    edi
5cad6f96 ff7508          push    dword ptr [ebp+8]
5cad6f99 bbffff0080      mov     ebx,8000FFFFh
5cad6f9e e803f5ffff      call    shmedia!_ValidAviHeaderInfo (5cad64a6)
5cad6fa3 85c0            test    eax,eax

GetAviInfo is the function that calculates the file size and the AVI file's bit rate. The crash file passes the header check above, so execution continues.
##########################################################################################
5cad6fa5 7463            je      shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fa7 33ff            xor     edi,edi
5cad6fa9 57              push    edi
5cad6faa 6880000000      push    offset <Unloaded_hext.dll>+0x7f (00000080)
5cad6faf 6a03            push    3
5cad6fb1 57              push    edi
5cad6fb2 6a01            push    1
5cad6fb4 6800000080      push    80000000h
5cad6fb9 ff7508          push    dword ptr [ebp+8]
5cad6fbc ff154c10ad5c    call    dword ptr [shmedia!_imp__CreateFileW (5cad104c)]
5cad6fc2 8bf0            mov     esi,eax
5cad6fc4 83feff          cmp     esi,0FFFFFFFFh
5cad6fc7 7518            jne     shmedia!GetAviInfo+0x53 (5cad6fe1)
5cad6fc9 ff157810ad5c    call    dword ptr [shmedia!_imp__GetLastError (5cad1078)]
5cad6fcf 3bc7            cmp     eax,edi
5cad6fd1 7437            je      shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fd3 7e37            jle     shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fd5 25ffff0000      and     eax,offset <Unloaded_hext.dll>+0xfffe (0000ffff)
5cad6fda 0d00000780      or      eax,80070000h
5cad6fdf eb2b            jmp     shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fe1 57              push    edi
5cad6fe2 56              push    esi
5cad6fe3 ff15ac10ad5c    call    dword ptr [shmedia!_imp__GetFileSize (5cad10ac)]
5cad6fe9 56              push    esi

The file is opened with CreateFileW (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL) and its size is taken with GetFileSize; the (windbg-resolved) "offset <Unloaded_hext.dll>" operands are just the immediates 0x80 and 0xFFFF. Once the file size is determined, the function moves on and reads the AVI data streams:
#########################################################################
5cad6ffb ff7508          push    dword ptr [ebp+8]                   #
5cad6ffe e8cffbffff      call    shmedia!ReadAviStreams (5cad6bd2)   # the crash file's null bytes are fetched here
5cad7003 8bd8            mov     ebx,eax                             #
5cad7005 e85c3e0000      call    shmedia!AVIFileExit (5cadae66)      #
5cad700a 8bc3            mov     eax,ebx                             #
#########################################################################

The division by zero occurs in _aulldiv, the CRT's unsigned 64-bit divide helper, when the null bytes read from the file are passed on the stack and loaded into the divisor. The high dword of the divisor ([esp+18h]) is checked first and is zero, so the 32-bit fast path is taken; the low dword ([esp+14h]) is zero as well, and the DIV traps:
#########################################################################################################
shmedia!_aulldiv:
5cadac40 53              push    ebx
5cadac41 56              push    esi
5cadac42 8b442418        mov     eax,dword ptr [esp+18h]
5cadac46 0bc0            or      eax,eax
5cadac48 7518            jne     shmedia!_aulldiv+0x22 (5cadac62)
5cadac4a 8b4c2414        mov     ecx,dword ptr [esp+14h]   -----> low dword of the divisor, taken from the file: null
5cadac4e 8b442410        mov     eax,dword ptr [esp+10h]   -----> high dword of the dividend (stack data)
5cadac52 33d2            xor     edx,edx
5cadac54 f7f1            div     eax,ecx                   -----> division by zero

eax=0000001e ebx=03cc0054 ecx=00000000 edx=00000000 esi=01c6eb64 edi=00000000
eip=5cadac54 esp=01c6e6e8 ebp=01c6eb08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
shmedia!_aulldiv+0x14:

Possible Attack Vector:

An attacker can copy a few of the crash files onto a USB drive and make the drive unusable: as soon as the user tries to view its contents, their Explorer crashes.

Recommendations:

Quick fix: until a patch is issued, unregister shmedia.dll:
Regsvr32 /u shmedia.dll

(Run this from an administrator account. Note that it also removes the media property sheet and thumbnail previews the extension provides, for every media type it handles, not only AVI.)

--
Rahul Sasi aka Fb1h2s
Info Security Consultant
www.fb1h2s.com
www.garage4hackers.com
www.garage4hackers.com/blog.php?8-Fb1h2s-blog
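The shape of the arithmetic that traps, as an added example and not shmedia.dll's own code (which is not public): a minimal reader for the AVI "avih" main header that derives a bit rate from file length and duration, with the unchecked divide beside its guarded form. The assumption that the divisor is dwTotalFrames * dwMicroSecPerFrame is ours; the advisory establishes only that the zero divisor comes from the file's null bytes. The two sample files (a sane one and an all-zero header, standing in for the attached crash file) are constructed inside the block.

```c
/* Added example, not shmedia.dll's own code: the shape of the bug in a
 * minimal AVI 'avih' header reader.  Assumption (ours): the duration the
 * extractor divides by is dwTotalFrames * dwMicroSecPerFrame from the
 * documented AVIMAINHEADER; the advisory only shows the divisor is file data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t le32(const uint8_t *p)          /* little-endian dword read */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v)       /* little-endian dword write */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the RIFF chunks (descending only into LIST 'hdrl') and return the two
 * AVIMAINHEADER fields a duration is built from.  0 = ok, -1 = malformed
 * container or no 'avih' chunk.  This is the header sanity check; note that
 * an all-zero 'avih' body passes it, just as the crash file passes
 * _ValidAviHeaderInfo. */
int avi_read_main_header(const uint8_t *buf, size_t len,
                         uint32_t *us_per_frame, uint32_t *total_frames)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "AVI ", 4))
        return -1;
    for (size_t pos = 12; pos + 8 <= len; ) {
        uint32_t size = le32(buf + pos + 4);
        if (size > len - pos - 8)               /* chunk runs past the file */
            return -1;
        if (!memcmp(buf + pos, "LIST", 4) && size >= 4 &&
            !memcmp(buf + pos + 8, "hdrl", 4)) {
            pos += 12;                          /* scan hdrl's children */
            continue;
        }
        if (!memcmp(buf + pos, "avih", 4)) {
            if (size < 56)                      /* AVIMAINHEADER is 14 dwords */
                return -1;
            *us_per_frame = le32(buf + pos + 8);       /* dwMicroSecPerFrame */
            *total_frames = le32(buf + pos + 8 + 16);  /* dwTotalFrames */
            return 0;
        }
        pos += 8 + size + (size & 1);           /* chunks are word aligned */
    }
    return -1;
}

/* Vulnerable shape: the header passed its sanity check, so the duration it
 * yields is trusted as a divisor.  An all-zero header makes it 0 and the
 * x86 DIV raises #DE (SIGFPE on POSIX), as in the _aulldiv trace. */
uint64_t avi_bitrate_unchecked(const uint8_t *buf, size_t len)
{
    uint32_t uspf = 0, frames = 0;
    avi_read_main_header(buf, len, &uspf, &frames);
    uint64_t duration_us = (uint64_t)frames * uspf;
    return (uint64_t)len * 8 * 1000000u / duration_us;   /* traps when 0 */
}

/* Hardened form: reject the file instead of dividing.
 * 0 = ok, -1 = malformed container, -2 = zero duration (the crash case). */
int avi_bitrate_checked(const uint8_t *buf, size_t len, uint64_t *bps)
{
    uint32_t uspf = 0, frames = 0;
    if (avi_read_main_header(buf, len, &uspf, &frames) != 0)
        return -1;
    uint64_t duration_us = (uint64_t)frames * uspf;
    if (duration_us == 0)
        return -2;
    *bps = (uint64_t)len * 8 * 1000000u / duration_us;
    return 0;
}

/* Constructed sample file: RIFF / AVI  / LIST hdrl / avih with only the two
 * fields of interest set.  Writes 88 bytes into out and returns that length. */
size_t make_avi(uint8_t *out, uint32_t us_per_frame, uint32_t total_frames)
{
    memset(out, 0, 88);
    memcpy(out, "RIFF", 4);       put32(out + 4, 80);  memcpy(out + 8, "AVI ", 4);
    memcpy(out + 12, "LIST", 4);  put32(out + 16, 68); memcpy(out + 20, "hdrl", 4);
    memcpy(out + 24, "avih", 4);  put32(out + 28, 56);
    put32(out + 32, us_per_frame);        /* dwMicroSecPerFrame */
    put32(out + 32 + 16, total_frames);   /* dwTotalFrames */
    return 88;
}

/* Runs both constructed files; returns 0 when the 25 fps / 10 s file gives
 * 70 bit/s and the zero-filled one is refused, else the failing step. */
int selftest(void)
{
    uint8_t good[88], bad[88];
    uint64_t bps = 0;
    if (make_avi(good, 40000, 250) != 88) return 1;
    if (avi_bitrate_checked(good, 88, &bps) != 0 || bps != 70) return 2;
    if (avi_bitrate_unchecked(good, 88) != 70) return 3;
    if (make_avi(bad, 0, 0) != 88) return 4;
    if (avi_bitrate_checked(bad, 88, &bps) != -2) return 5;
    if (avi_bitrate_checked((const uint8_t *)"not an avi", 10, &bps) != -1) return 6;
    return 0;
}

int main(void)
{
    printf("selftest: %d\n", selftest());
    /* avi_bitrate_unchecked(bad, 88) on the zero-filled file would kill the
     * process here, which is what explorer.exe does with the crash file. */
    return 0;
}
```

The point to take from the checked form is where the guard sits: the RIFF walk already rejects truncated and mis-sized chunks, yet that is not enough, because a structurally valid header can still carry a zero duration. Any value a property extractor divides by has to be range-checked after parsing, not just before.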
Attachment:
Shmedia_division_by_zero_DOS_explorer.rar
Description: application/rar
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/