MS Media Player Memory Corruption

April 16, 2010

Windows Media Player (WMP) is a digital media player and media library application developed by Microsoft. The player is capable of playing audio, video, viewing images among other media related functions. Windows Media Player can be instantiated by web pages through a scriptable ActiveX control. The "WMPlayer.OCX" control is supplied by the wmp.dll library. The control can be instantiated by its name or the corresponding CLSID: 6BF52A52-394A-11D3-B153-00C04F79FAA6.

The player is capable of playing media files encoded with numerous encoding schemes. This is facilitated by pluggable codecs. A codec is a computer program capable of encoding and decoding a digital data stream. When a media file is opened by the application, Windows Media Player will attempt to decode it with an installed codec. If the required codec is already installed on the host then it is used to process the file. In cases where the file is encoded with a codec that is not available on the host, Windows Media Player will perform an asynchronous network request to Microsoft to attempt to locate the proper codec.

A vulnerability exists in Windows Media Player due to a use-after-free flaw when opening certain media files. When the player is processing a media file for which no codec is available on the host, an asynchronous connection to Microsoft is made. If, during that time, the ActiveX control is destroyed by use of scripting, the memory for the associated object is internally freed. In such a case, after the asynchronous call returns, the process will call a function on the freed object potentially resulting in diverting the flow of the process to injected malicious code.

An attacker could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Exploiting this vulnerability for code execution is not a trivial task. In cases of an unsuccessful attacks, the browser may terminate abnormally.

SonicWALL has released an IPS signature to block and detect a known exploit targeting this vulnerability. The following signature has been released to address this issue:

  • 5111 - Windows Media Player Remote Code Execution PoC (MS10-027)

It should be noted that in addition to this signature, SonicWALL has numerous IPS signature subsets which detect and block commonly used shellcode, heap sprays and general exploitation attempts that target vulnerabilities of this type.

This vulnerability has been assigned CVE-2010-0268 by mitre.
The vendor has released an advisory addressing this issue.