Saturday, November 26, 2011

Microsoft Windows shmedia.dll Division By Zero, Explorer.exe DoS Exploit

The shmedia.dll module is the Windows shell media extension: it provides statistics and thumbnails for media files. It also acts as the media file property extractor for the Windows shell (explorer.exe), pulling custom attribute information out of audio, video, MIDI and video thumbnail files, including MPEG, MPE, MPG, ASF, ASX, AVI and WMV.

shmedia.dll calculates the bit rate of a file and builds the thumbnail preview shown in its Properties. So when a user opens a folder containing files with AVI or MPEG extensions, the shmedia.dll loaded into explorer.exe automatically works out the file details and renders the property preview.

A division-by-zero bug occurs when shmedia.dll handles a malformed AVI file: merely viewing or browsing the file produces a crash. No user action is required beyond moving the mouse pointer over the file. At present this is just a fun bug that yields a denial-of-service condition. The wider issue is that every application that uses the Windows file dialog (File > Open) goes through the same shell code, so any of them will crash when this file is browsed through that dialog.

Technical Details:
GetAviInfo is responsible for reading the file information. A preliminary check, _ValidAviHeaderInfo, verifies that the expected AVI headers are present; if it returns true, the function moves on to the file-size and bit-rate calculation.


shmedia!GetAviInfo:
5cad6f8e 8bff            mov     edi,edi
5cad6f90 55              push    ebp
5cad6f91 8bec            mov     ebp,esp
5cad6f93 53              push    ebx
5cad6f94 56              push    esi
5cad6f95 57              push    edi
5cad6f96 ff7508          push    dword ptr [ebp+8]
5cad6f99 bbffff0080      mov     ebx,8000FFFFh
5cad6f9e e803f5ffff      call    shmedia!_ValidAviHeaderInfo (5cad64a6)
5cad6fa3 85c0            test    eax,eax


If the header check succeeds, GetAviInfo opens the file with CreateFileW (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING) and obtains its size with GetFileSize; a failed open is turned into an HRESULT (the and/or sequence below is HRESULT_FROM_WIN32). The file size is one input to the AVI bit-rate calculation:

5cad6fa5 7463            je      shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fa7 33ff            xor     edi,edi
5cad6fa9 57              push    edi
5cad6faa 6880000000      push    offset +0x7f (00000080)
5cad6faf 6a03            push    3
5cad6fb1 57              push    edi
5cad6fb2 6a01            push    1
5cad6fb4 6800000080      push    80000000h
5cad6fb9 ff7508          push    dword ptr [ebp+8]
5cad6fbc ff154c10ad5c    call    dword ptr [shmedia!_imp__CreateFileW (5cad104c)]
5cad6fc2 8bf0            mov     esi,eax
5cad6fc4 83feff          cmp     esi,0FFFFFFFFh
5cad6fc7 7518            jne     shmedia!GetAviInfo+0x53 (5cad6fe1)
5cad6fc9 ff157810ad5c    call    dword ptr [shmedia!_imp__GetLastError (5cad1078)]
5cad6fcf 3bc7            cmp     eax,edi
5cad6fd1 7437            je      shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fd3 7e37            jle     shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fd5 25ffff0000      and     eax,offset +0xfffe (0000ffff)
5cad6fda 0d00000780      or      eax,80070000h
5cad6fdf eb2b            jmp     shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fe1 57              push    edi
5cad6fe2 56              push    esi
5cad6fe3 ff15ac10ad5c    call    dword ptr [shmedia!_imp__GetFileSize (5cad10ac)]
5cad6fe9 56              push    esi


Once the file size is known, the function moves on to read the AVI data streams:


5cad6ffb ff7508          push    dword ptr [ebp+8]
5cad6ffe e8cffbffff      call    shmedia!ReadAviStreams (5cad6bd2)   # the crash file contains null bytes, which are fetched here
5cad7003 8bd8            mov     ebx,eax
5cad7005 e85c3e0000      call    shmedia!AVIFileExit (5cadae66)
5cad700a 8bc3            mov     eax,ebx


The division by zero happens in the C runtime helper _aulldiv (unsigned 64-bit divide). Its divisor is taken from the stack, where the null bytes read out of the file have been placed, so ecx is loaded with zero and the div instruction faults:

shmedia!_aulldiv:
5cadac40 53              push    ebx
5cadac41 56              push    esi
5cadac42 8b442418        mov     eax,dword ptr [esp+18h]   ; high dword of the divisor
5cadac46 0bc0            or      eax,eax
5cadac48 7518            jne     shmedia!_aulldiv+0x22 (5cadac62)
5cadac4a 8b4c2414        mov     ecx,dword ptr [esp+14h]   ; low dword of the divisor: stack data that came from the file, null
5cadac4e 8b442410        mov     eax,dword ptr [esp+10h]   ; high dword of the dividend, from the stack
5cadac52 33d2            xor     edx,edx
5cadac54 f7f1            div     eax,ecx                   ; ecx == 0: division by zero error

eax=0000001e ebx=03cc0054 ecx=00000000 edx=00000000 esi=01c6eb64 edi=00000000
eip=5cadac54 esp=01c6e6e8 ebp=01c6eb08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
shmedia!_aulldiv+0x14:
5cadac54 f7f1            div     eax,ecx

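To make the header check and the failure mode concrete, here is an added example written for this edit; it is not shmedia.dll's code and was not part of the original post. It parses the public RIFF/AVI 'avih' main header in the spirit of _ValidAviHeaderInfo/GetAviInfo, then computes a bit rate two ways: an unchecked 64-bit divide whose divisor comes straight from the file (the same pattern as the _aulldiv call above) and a hardened version that refuses a zero duration. The bit-rate formula (file size over dwMicroSecPerFrame * dwTotalFrames) is an assumption chosen for illustration; the post does not say which header fields shmedia.dll divides by. The AVI bytes are constructed inside the code, not taken from the crash file.

```c
/* Added example for this edit; not shmedia.dll code and not from the original
 * post.  The bit-rate formula is an assumption used to show the failure mode. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of the AVI main header ('avih' chunk) from the public RIFF AVI format. */
struct avi_main_header {
    uint32_t dwMicroSecPerFrame;   /* frame period in microseconds */
    uint32_t dwMaxBytesPerSec;
    uint32_t dwFlags;
    uint32_t dwTotalFrames;
    uint32_t dwStreams;
};

/* Little-endian helpers: AVI stores every DWORD little-endian. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Header check in the spirit of _ValidAviHeaderInfo: RIFF 'AVI ' / LIST 'hdrl' / 'avih'.
 * Returns 1 and fills *h on success, 0 on a malformed or truncated buffer.
 * A file whose magic is intact but whose numeric fields are all zero passes this
 * check; that is the kind of file the post describes. */
static int parse_avih(const uint8_t *buf, size_t len, struct avi_main_header *h) {
    const size_t AVIH_OFF = 32, AVIH_LEN = 56;
    if (len < AVIH_OFF + AVIH_LEN) return 0;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0) return 0;
    if (memcmp(buf + 12, "LIST", 4) != 0 || memcmp(buf + 20, "hdrl", 4) != 0) return 0;
    if (memcmp(buf + 24, "avih", 4) != 0 || rd32(buf + 28) < AVIH_LEN) return 0;
    const uint8_t *p = buf + AVIH_OFF;
    h->dwMicroSecPerFrame = rd32(p + 0);
    h->dwMaxBytesPerSec   = rd32(p + 4);
    h->dwFlags            = rd32(p + 12);
    h->dwTotalFrames      = rd32(p + 16);
    h->dwStreams          = rd32(p + 24);
    return 1;
}

/* Vulnerable pattern: the divisor is file-controlled and never checked.
 * With a zero duration the 64-bit divide (the _aulldiv call on 32-bit x86)
 * raises STATUS_INTEGER_DIVIDE_BY_ZERO on Windows, SIGFPE on Linux. */
static uint64_t bitrate_unchecked(uint64_t file_size, const struct avi_main_header *h) {
    uint64_t duration_us = (uint64_t)h->dwMicroSecPerFrame * h->dwTotalFrames;
    return file_size * 8ULL * 1000000ULL / duration_us;   /* bits per second */
}

/* Hardened version: reject a zero duration before dividing. */
static int bitrate_checked(uint64_t file_size, const struct avi_main_header *h, uint64_t *bps) {
    uint64_t duration_us = (uint64_t)h->dwMicroSecPerFrame * h->dwTotalFrames;
    if (duration_us == 0) return 0;
    *bps = file_size * 8ULL * 1000000ULL / duration_us;
    return 1;
}

/* Build a constructed 88-byte AVI header (valid magic, no stream data): sample input, not a real file. */
static size_t build_avi(uint8_t out[88], uint32_t usec_per_frame, uint32_t total_frames) {
    memset(out, 0, 88);
    memcpy(out + 0,  "RIFF", 4); wr32(out + 4, 80);    /* RIFF size = bytes after this field */
    memcpy(out + 8,  "AVI ", 4);
    memcpy(out + 12, "LIST", 4); wr32(out + 16, 68);   /* 'hdrl' + avih chunk */
    memcpy(out + 20, "hdrl", 4);
    memcpy(out + 24, "avih", 4); wr32(out + 28, 56);   /* avih payload size */
    wr32(out + 32, usec_per_frame);                    /* dwMicroSecPerFrame */
    wr32(out + 48, total_frames);                      /* dwTotalFrames */
    wr32(out + 56, 1);                                 /* dwStreams */
    return 88;
}

int main(void) {
    uint8_t good[88], crash[88];
    struct avi_main_header h;
    uint64_t bps;

    build_avi(good, 40000, 250);               /* 25 fps for 10 s */
    if (parse_avih(good, sizeof good, &h) && bitrate_checked(1250000, &h, &bps))
        printf("good file: %llu bps\n", (unsigned long long)bps);

    build_avi(crash, 0, 0);                    /* numeric fields zeroed, magic intact */
    if (parse_avih(crash, sizeof crash, &h))
        printf("crash file: header check passed, checked bitrate %s\n",
               bitrate_checked(1250000, &h, &bps) ? "ok" : "rejected (zero duration)");
    /* bitrate_unchecked(1250000, &h) on the crash header faults, as Explorer does. */
    return 0;
}
```

The point to take from the two constructed files is that the magic-number check alone is not validation: the crash file is a well-formed RIFF container whose numeric fields happen to be zero, so it sails through the header check and reaches the divide. Any field that will be used as a divisor has to be range-checked after parsing, not just read.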
Possible Attack Vector:
An attacker can copy a few of the crash files onto a USB drive and render it unusable: as soon as the user browses the drive's contents, explorer.exe crashes.

The information has been provided by Rahul Sasi.
