Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Windows Multimedia mmioRead Denial of Service Vulnerability

from [Michał Majchrowicz] Network Security [Permanent Link]
Subject: [VulnWatch] Windows Multimedia mmioRead Denial of Service Vulnerability
Date: Sun, 11 Mar 2007 01:22:20 +0100 
It is possible to create specialy malformed audio file that will cause DoS
in application,
that uses winmm.dll library to access media files. According to MSDN:


The mmioRead function reads a specified number of bytes from a file opened
by using the mmioOpen function.  LONG mmioRead(
 HMMIO hmmio,
 HPSTR pch,
 LONG cch
);


Parameters

hmmio

File handle of the file to be read.

pch

Pointer to a buffer to contain the data read from the file.

cch

Number of bytes to read from the file.

Return Values

Returns the number of bytes actually read. If the end of the file has been
reached and no more bytes can be read, the return value is 0. If there is an
error reading from the file, the return value is - 1.

As we can see when we pass to big in cch parameter the function should
return -1. This is not what happens. When pussing very large value for
instance 0xFFFFFFFF the function mmioRead enters endless loop. A Proof of
Concept WAVE file has been created and it's available at:
http://sectroyer.110mb.com/mmio_die.wav. When this file is opened by
application SndRec32 it will cause 100% CPU consumption.
Michael Majchrowicz.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Windows Multimedia mmioRead Denial of Service Vulnerability, Michał Majchrowicz <=
Previous by Date:  Re: [Full-disclosure] Php Nuke POST XSS on steroids, Paul Laudanski
Next by Date:  [VulnWatch] Unrarlib 0.4.0 (urarlib_get) Local buffer overflow, starcadi
Previous by Thread:  [Full-disclosure] Php Nuke POST XSS on steroids, ascii
Next by Thread:  [VulnWatch] Unrarlib 0.4.0 (urarlib_get) Local buffer overflow, starcadi
Indexes:  [Date] [Thread] [Top] [All Lists]