Windows Media Player crash not exploitable for code execution

On Christmas Day, the MSRC opened a case tracking a Bugtraq-posted POC describing a “malformed WAV,SND,MID file which can lead to a remote integer overflow”. By Saturday evening, we saw reputable internet sources claiming this bug could lead to executing arbitrary code on the system.

We investigated right away and found that this bug cannot be leveraged for arbitrary code execution.

Let’s take a closer look to understand why.

The POC is a MIDI file handled by quartz.dll, a core component of the DirectShow framework. We have blogged previously about this component here. WAV,SND, and MID file extensions are all handled by quartz.dll which explains the finder’s statement about the exception being hit when parsing any of those 3 file types.

This particular crash is an unhandled CPU exception when executing a div instruction. When the processor executes a “div reg” instruction, it does this:

EAX = (EDX:EAX)/reg

If the result cannot fit on a 32 bit register it generates a CPU exception. This one is not handled by quartz.dll. There is no memory corruption here and the value does not appear to be used for any memory allocation. Rather, the operation is calculating a value related to the rate at which the media is to be played.

We found this already through our internal fuzzing efforts. It was correctly triaged at the time as a reliability issue with no security risk to customers.  We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible.  This particular bug, for example, has already been fixed in Windows Server 2003 Service Pack 2.

 Christopher Budd has also posted to the MSRC blog about this issue.

Jonathan Ness and Fermin J. Serna, SVRD Bloggers

*Posting is provided “AS IS” with no warranties, and confers no rights.*