[VulnWatch] Windows Multimedia mmioRead Denial of Service Vulnerability
- From: "Michał Majchrowicz" <mmajchrowicz@xxxxxxxxx>
- Date: Sun, 11 Mar 2007 01:22:20 +0100
It is possible to create specialy malformed audio file that will cause DoS
that uses winmm.dll library to access media files. According to MSDN:
The mmioRead function reads a specified number of bytes from a file opened
by using the mmioOpen function. LONG mmioRead(
File handle of the file to be read.
Pointer to a buffer to contain the data read from the file.
Number of bytes to read from the file.
Returns the number of bytes actually read. If the end of the file has been
reached and no more bytes can be read, the return value is 0. If there is an
error reading from the file, the return value is - 1.
As we can see when we pass to big in cch parameter the function should
return -1. This is not what happens. When pussing very large value for
instance 0xFFFFFFFF the function mmioRead enters endless loop. A Proof of
Concept WAVE file has been created and it's available at:
http://sectroyer.110mb.com/mmio_die.wav. When this file is opened by
application SndRec32 it will cause 100% CPU consumption.