MS Media Player Memory Corruption (April 16, 2010)

Windows Media Player (WMP) is a digital media player and media library application developed by Microsoft. The player is capable of playing audio and video and viewing images, among other media-related functions. Windows Media Player can be instantiated by web pages through a scriptable ActiveX control. The “WMPlayer.OCX” control is supplied by the wmp.dll library. The control can be instantiated by its name or by the corresponding CLSID: 6BF52A52-394A-11D3-B153-00C04F79FAA6.

The player is capable of playing media files encoded with numerous encoding schemes. This is facilitated by pluggable codecs. A codec is a computer program capable of encoding and decoding a digital data stream. When a media file is opened by the application, Windows Media Player will attempt to decode it with an installed codec. If the required codec is already installed on the host then it is used to process the file. In cases where the file is encoded with a codec that is not available on the host, Windows Media Player will perform an asynchronous network request to Microsoft to attempt to locate the proper codec.

A vulnerability exists in Windows Media Player due to a use-after-free flaw when opening certain media files. When the player is processing a media file for which no codec is available on the host, an asynchronous connection to Microsoft is made. If, during that time, the ActiveX control is destroyed by use of scripting, the memory for the associated object is internally freed. In such a case, after the asynchronous call returns, the process will call a function on the freed object potentially resulting in diverting the flow of the process to injected malicious code.

An attacker could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Exploiting this vulnerability for code execution is not a trivial task. In cases of unsuccessful attacks, the browser may terminate abnormally.

SonicWALL has released an IPS signature to block and detect a known exploit targeting this vulnerability. The following signature has been released to address this issue:

  • 5111 – Windows Media Player Remote Code Execution PoC (MS10-027)

It should be noted that in addition to this signature, SonicWALL has numerous IPS signature subsets which detect and block commonly used shellcode, heap sprays and general exploitation attempts that target vulnerabilities of this type.

This vulnerability has been assigned CVE-2010-0268 by MITRE.
The vendor has released an advisory addressing this issue.
