Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit

2010-08-26T00:00:00
ID ZSL-2010-4956
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-08-26T00:00:00

Description

Title: Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4956
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010

Summary

Media Player Classic (MPC) is a compact media player for 32-bit Microsoft Windows. The application mimics the look and feel of the old, lightweight Windows Media Player 6.4 but integrates most options and features found in modern media players. It and its forks are standard media players in the K-Lite Codec Pack and the Combined Community Codec Pack.

Description

Media Player Classic suffers from a DLL hijacking vulnerability that enables an attacker to execute arbitrary code locally, in the context of the user who opens the file. The affected file extensions are .mka, .ra and .ram, which are handled through the iacenc.dll library.
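The practical consequence of the description above is that a copy of iacenc.dll sitting in the same folder as an .mka, .ra or .ram file is the artifact to hunt for. The following audit script is an added example written for this page and is not part of the original advisory or of the MPC project; it walks a directory tree, flags any media file of the affected types that has an iacenc.dll beside it, and records the DLL's SHA-256 for triage. The sample folder layout it builds is constructed for the demonstration.

```python
"""Audit a directory tree for an iacenc.dll planted next to .mka/.ra/.ram files.

Added example for ZSL-2010-4956; not code from the advisory or from MPC.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Extensions the advisory names as routed through iacenc.dll.
HIJACKABLE_EXTS = {".mka", ".ra", ".ram"}
TARGET_DLL = "iacenc.dll"


@dataclass
class Finding:
    media_file: str   # media file whose directory contains the DLL
    planted_dll: str  # full path of the iacenc.dll found beside it
    sha256: str       # digest of that DLL, for lookup against known-good copies


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return a Finding for every affected media file that has iacenc.dll as a sibling.

    The DLL name is matched case-insensitively because NTFS path lookups are.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        if TARGET_DLL not in by_lower:
            continue  # no DLL here, nothing to hijack with
        dll_path = os.path.join(dirpath, by_lower[TARGET_DLL])
        digest = sha256_of(dll_path)
        for name in files:
            if os.path.splitext(name)[1].lower() in HIJACKABLE_EXTS:
                findings.append(Finding(os.path.join(dirpath, name), dll_path, digest))
    return findings


def build_sample_tree():
    """Constructed sample: one clean folder and one folder with a planted DLL."""
    root = tempfile.mkdtemp(prefix="mpc_audit_")
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    open(os.path.join(clean, "song.mka"), "wb").close()
    suspect = os.path.join(root, "downloads")
    os.makedirs(suspect)
    open(os.path.join(suspect, "stream.ram"), "wb").close()
    # Placeholder bytes only; this is not a real or functional DLL.
    with open(os.path.join(suspect, "IACENC.DLL"), "wb") as f:
        f.write(b"MZ constructed placeholder")
    return root


def report(findings):
    """Render findings as one line each, suitable for a ticket or log."""
    return [f"{f.media_file}: sibling {f.planted_dll} sha256={f.sha256}" for f in findings]


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for line in report(scan_tree(sample_root)):
        print(line)
```

Run it against a user's Downloads and shared folders rather than the sample tree to get real results. A hit is not proof of compromise on its own: compare the digest against the DLL shipped by the codec pack before escalating. On the host side, Microsoft's KB 2264107 update added the CWDIllegalInDllSearch registry value, which removes the current working directory from the DLL search order and closes this class of issue for applications that do not load their libraries by full path.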

Vendor

Gabest - <http://sourceforge.net/projects/guliverkli>

Affected Version

6.4.9.1 (revision 73)

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

mplayerc_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/14788>
[2] <http://www.packetstormsecurity.org/filedesc/mplayerc_dll.txt.html>
[3] <http://secunia.com/advisories/41114/>
[4] <http://securityreason.com/exploitalert/8772>
[5] <http://www.vupen.com/english/advisories/2010/2190>
[6] <http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/>
[7] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>
[8] <http://osvdb.org/show/osvdb/67551>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3138>
[10] <http://www.securityfocus.com/bid/42730>
[11] <http://osvdb.org/67588>
[12] <http://www.net-security.org/vuln.php?id=14726>
[13] <http://technet.microsoft.com/en-us/security/bulletin/ms12-014>
[14] <http://blogs.technet.com/b/srd/archive/2012/02/14/ms12-014-indeo-a-blast-from-the-past.aspx>

Changelog

[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4], [5], [6] and [7]
[28.08.2010] - Added reference [8]
[31.08.2010] - Added reference [9]
[13.11.2010] - Added reference [10] and [11]
[18.02.2011] - Added reference [12]
[13.08.2013] - Added reference [13] and [14]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
