UMPlayer Insecure Library Loading (Nov 9, 2012)

By Ori Rejwan

UMPlayer is a multimedia player available for Microsoft Windows, Apple Mac OS/X, and GNU/Linux operating systems. With built-in audio and video codecs, UMPlayer can handle various media formats.

Windows applications can control the location from which a DLL is loaded by specifying a full path, using DLL redirection, or by using a manifest. If none of these methods is used and SafeDllSearchMode is enabled, the system searches for the DLL in the following order:

    1. The directory from which the application loaded.
    2. The system directory.
    3. The 16-bit system directory.
    4. The Windows directory.
    5. The current directory.
    6. The directories that are listed in the PATH environment variable.

A code execution vulnerability exists in UMPlayer for Windows. When an .mp3 or .mp4 file is loaded into UMPlayer, the player tries to dynamically load the library file wintab32.dll. A vulnerable UMPlayer will try to load wintab32.dll from the current directory. An attacker can place a malicious library named wintab32.dll in the same directory as the .mp3 or .mp4 file. When a victim opens the .mp3 or .mp4 file over the SMB or WebDAV protocol, UMPlayer loads the malicious wintab32.dll. Successful exploitation of this flaw allows arbitrary command execution in the security context of the logged-in user.
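The following added example (not SonicWall's or UMPlayer's code) models the search order listed above to show why a relative-name load of wintab32.dll ends up in the media folder, and classifies the resolved location as trusted or untrusted. The directory names, the `song.mp3` and `kernel32.dll` sample files, and all function names are constructed for illustration.

```python
import os
import tempfile

TRUSTED = ("application", "system", "system16", "windows")

def search_order(app, system, system16, windows, cwd, path_dirs):
    """Directories in the SafeDllSearchMode order listed above; first hit wins."""
    steps = [("application", app), ("system", system), ("system16", system16),
             ("windows", windows), ("current", cwd)]
    return steps + [("path", d) for d in path_dirs]

def resolve_dll(name, order):
    """Return (step, full_path) for the first directory that holds `name`, else None."""
    for step, directory in order:
        try:
            entries = os.listdir(directory)
        except OSError:          # missing or unreadable directory: skip it
            continue
        for entry in entries:
            if entry.lower() == name.lower():   # Windows names are case-insensitive
                return step, os.path.join(directory, entry)
    return None

def audit(name, order):
    """Classify where a relative-name load would be satisfied from."""
    hit = resolve_dll(name, order)
    if hit is None:
        return "not-found"
    return "trusted" if hit[0] in TRUSTED else "untrusted:" + hit[0]

def demo():
    """Constructed directory tree: a media folder that also holds wintab32.dll."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in
            ("app", "system32", "system", "windows", "share", "tools")}
    for d in dirs.values():
        os.mkdir(d)
    for d, f in (("system32", "kernel32.dll"), ("share", "song.mp3"),
                 ("share", "WinTab32.dll")):
        open(os.path.join(dirs[d], f), "wb").close()
    # The page's scenario: the media file's folder is the current directory.
    order = search_order(dirs["app"], dirs["system32"], dirs["system"],
                         dirs["windows"], dirs["share"], [dirs["tools"]])
    return audit("wintab32.dll", order), audit("kernel32.dll", order)

if __name__ == "__main__":
    print(demo())
```

Because wintab32.dll is absent from the application and system directories in this tree, the lookup falls through to step 5, which is the condition the advisory describes.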

Dell SonicWALL has released signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • IPS sid:5726 “Binary Planting Attack 2”
  • IPS sid:9218 “wintab32.dll Insecure Library Loading 2”