Orb Integer Division by Zero Vulnerability

vendor:

Orb

by:

Unknown

7,5

CVSS

HIGH

Integer Division by Zero

369

CWE

Product Name: Orb

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Orb Integer Division by Zero Vulnerability

When Orb is first installed it registers several Direct Show filters with the system. When registered these filters are then called whenever a file which has a dependency on such a required filter is accessed. By specially crafting specific headers embedded into an mp3 file, a direct code path to code which is vulnerable to a integer division by zero can be triggered remotely by embedding the crafted mp3 file into HTML. It is also not dependent on a certain media player.

Mitigation:

Upgrade to the latest version of Orb.

Source

Exploit-DB raw data:

When Orb is first installed it registers several Direct Show filters with the system. When registered these filters are then called whenever a file which has a dependency on such a required filter is accessed. By specially crafting specific headers embedded into an mp3 file we can create a direct code path to code which is vulnerable to a integer division by zero. This vulnerability can be triggered remotely be embedding the crafted mp3 file into HTML. It is also not dependent on a certain media player. Attached is a PoC (Proof-Of-Concept) I wrote for this specific bug. Also included is a Rebuild file for IDA Pro examining the crash.

Download POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33707.zip (aac_parser_int_div_by_0_orb.zip)

Timeline:

Discovery * 2/20/2010
Reported * 2/22/2010
Response * 2/22/2010
Additional Info Sent * 2/23/2010
Response * 2/23/2010
Response * 2/26/2010

Crash Confirmed * 3/03/2010

Patch date: Approx. 2 weeks
Expected: 3/19/2010