Vulnerable Systems:
* Microsoft Windows Explorer.exe
The shmedia.dll module serves as the shell media extension for Windows, providing statistics and thumbnails for media files. The DLL also acts as the media file property extractor of the Windows shell (explorer.exe), extracting custom attribute information from audio, video, MIDI, and video thumbnail files including MPEG, MPE, MPG, ASF, ASX, AVI, and WMV.
shmedia.dll calculates the bit rate of the file and creates a thumbnail preview for the Properties. So when a user opens a folder containing files with AVI or MPEG extensions, the shmedia.dll loaded into explorer.exe will automatically calculate the files' details and make a preview of the properties.
A divide-by-zero bug is found when shmedia.dll handles a malformed AVI file, which produces a crash when viewed or explored. No user triggering is required except dragging the mouse pointer on top of the files. Currently it is just (a fun bug) which causes just a DoS condition. The only issue would be that, as all applications use the Windows file explorer to open a file (File + Open), all applications would crash when attempting to open this file.
Technical Details:
GetAViInfo is responsible for reading the file information. A preliminary check is done to verify the AVI file headers and ensure the presence of the right AVI headers. If the check returns true, it moves on to the file size and bit-rate calculations.
The division-by-zero error occurs here, when the null bytes from the stack are loaded into registers.
shmedia!_aulldiv:
5cadac40 53 push ebx
5cadac41 56 push esi
5cadac42 8b442418 mov eax,dword ptr [esp+18h]
5cadac46 0bc0 or eax,eax
5cadac48 7518 jne shmedia!_aulldiv+0x22 (5cadac62)
5cadac4a 8b4c2414 mov ecx,dword ptr [esp+14h]
-------------------> Data from the stack got from the file, null
5cadac4e 8b442410 mov eax,dword ptr [esp+10h]
-------------------> Stack data,
5cadac52 33d2 xor edx,edx
5cadac54 f7f1 div eax,ecx
-----------------------------> Division by Zero Error
eax=0000001e ebx=03cc0054 ecx=00000000 edx=00000000 esi=01c6eb64 edi=00000000
eip=5cadac54 esp=01c6e6e8 ebp=01c6eb08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
shmedia!_aulldiv+0x14:
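The crash above is an unsigned 64-bit division whose divisor arrived from the file as zero. The following is an added example of the missing check, not shmedia.dll code and not part of the original advisory; the struct, its field names, and the bytes-over-duration formula are assumptions, since the advisory does not say which header fields feed the division.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical subset of values a property extractor might read from a
   media file header; the field names are assumptions, not shmedia.dll's. */
struct media_info {
    uint64_t data_bytes;   /* size of the media data */
    uint64_t duration_ms;  /* playback length taken from the file */
};

/* Unsigned 64-bit division that refuses a zero divisor instead of
   letting it reach the CPU div instruction. */
static bool checked_udiv64(uint64_t dividend, uint64_t divisor, uint64_t *quot)
{
    if (divisor == 0)
        return false;
    *quot = dividend / divisor;
    return true;
}

/* Bit rate in bits per second; returns false (and leaves *bps untouched)
   when the header values cannot produce a meaningful result. */
bool bitrate_bps(const struct media_info *mi, uint64_t *bps)
{
    /* Reject overflow of data_bytes * 8 * 1000 before multiplying. */
    if (mi->data_bytes > UINT64_MAX / 8000)
        return false;
    return checked_udiv64(mi->data_bytes * 8000, mi->duration_ms, bps);
}

int main(void)
{
    /* Constructed sample values, not taken from a real file. */
    struct media_info ok  = { 1500000, 60000 };
    struct media_info bad = { 1500000, 0 };  /* zeroed field, as in the crash */
    uint64_t bps = 0;

    if (bitrate_bps(&ok, &bps))
        printf("ok: %llu bps\n", (unsigned long long)bps);
    if (!bitrate_bps(&bad, &bps))
        printf("bad: zero duration, bit rate not shown\n");
    return 0;
}
```

A caller that gets false back can leave the property blank rather than fault inside the shell process.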
Possible Attack Vector:
It is possible for an attacker to load a few of the crash files onto a pen drive and make the pen drive unusable: any attempt to view the pen drive's contents will crash the user's Explorer.
Patch Availability:
A quick fix would be to unregister shmedia.dll until a patch is issued.
Regsvr32 /u shmedia.dll