Orb v2.0.01.0049-V2.54.0018 DirectShow DOS
Posted on 04 March 2010
========================================== Orb v2.0.01.0049-V2.54.0018 DirectShow DOS ========================================== When Orb is first installed it registers several Direct Show filters with the system. When registered these filters are then called whenever a file which has a dependency on such a required filter is accessed. By specially crafting specific headers embedded into an mp3 file we can create a direct code path to code which is vulnerable to a integer division by zero. This vulnerability can be triggered remotely be embedding the crafted mp3 file into HTML. It is also not dependent on a certain media player. Attached is a PoC (Proof-Of-Concept) I wrote for this specific bug. Also included is a Rebuild file for IDA Pro examining the crash. Download POC: http://www.inj3ct0r.com/sploits/11172.zip Timeline: Discovery * 2/20/2010 Reported * 2/22/2010 Response * 2/22/2010 Additional Info Sent * 2/23/2010 Response * 2/23/2010 Response * 2/26/2010 Crash Confirmed * 3/03/2010 Patch date: Approx. 2 weeks Expected: 3/19/2010 # ~ - [ [ : Inj3ct0r : ] ]