UMPlayer Insecure Library Loading

November 9, 2012

Ori Rejwan UMPlayer a multimedia player available for Microsoft Windows, Apple Mac OS/X, and GNU/Linux operating systems. With built-in Audio and Video codecs, UMPlayer can handle various media formats.

Windows applications can control the location from which a DLL is loaded by specifying a full path, using DLL redirection, or by using a manifest. If none of these methods are used, the system searches for the DLL in the following order if SafeDllSearchMode is enabled:

    1. The directory from which the application loaded.
    2. The system directory.
    3. The 16-bit system directory.
    4. The Windows directory.
    5. The current directory.
    6. The directories that are listed in the PATH environment variable.

A code execution vulnerability exists in UMPlayer for Windows. When a .mp3 or .mp4 file is loaded into UMPlayer, it tries to dynamically load a library file wintab32.dll. A vulnerable UMPlayer will try to load wintab32.dll from "current directory." An attacker can place a malicious library named wintab32.dll in the same directory as the .mp3 or .mp4 file. When a victim accesses the .mp3 or .mp4 using SMB or WebDAV protocol, the malicious wintab32.dll will be loaded by UMPlayer. Successful exploitation of this flaw allows arbitrary command execution in the security context of the logged-in user.

Dell SonicWALL has released signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • IPS sid:5726 "Binary Planting Attack 2"
  • IPS sid:9218 "wintab32.dll Insecure Library Loading 2"