[Full-disclosure] Orb v2.0.01.0049-V2.54.0018 DirectShow Filter Integer Division By Zero
Matthew Bergin
matt.bergin at hotmail.com
Thu Mar 4 17:07:37 GMT 2010
-------------------------------------------
Orb
v2.0.01.0049-V2.54.0018
DirectShow Filter
Integer Division By Zero Remote DOS
Discovered by:
Matthew Bergin
-------------------------------------------
Timeline:
Discovery * 2/20/2010
Reported * 2/22/2010
Response * 2/22/2010
Additional Info Sent * 2/23/2010
Response *
2/23/2010
Response *
2/26/2010Crash Confirmed * 3/03/2010
Patch date: Approx. 2 weeks
Expected: 3/19/2010
Affected File:
aac_parser.ax
Description:
When Orb is first installed it registers
several Direct Show filters with the system. When registered these filters are
then called whenever a file which has a dependency on such a required filter is
accessed. By specially crafting specific headers embedded into an mp3 file we
can create a direct code path to code which is vulnerable to a integer division
by zero. This vulnerability can be triggered remotely be embedding the crafted
mp3 file into HTML. It is also not dependent on a certain media player.
Attached is a PoC (Proof-Of-Concept) I wrote for this specific bug. Also
included is a Rebuild file for IDA Pro examining the crash.
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
http://clk.atdmt.com/GBL/go/201469230/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100304/0b47eef8/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aac_parser_int_div_by_0_orb.zip
Type: application/x-zip
Size: 144109 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100304/0b47eef8/attachment-0001.bin
Full-Disclosure is hosted and sponsored by Secunia.