PCM 0day (Divide by Zero)

The debate about the term “zero days” is not directly related to this PCM vulnerability I am about to reveal, but as this vulnerability is not publicly documented, as far as I know, I will call it a 0day.

The vulnerability allows you to crash the mplay32.exe – that for some reason is still shipped with Windows up to version 2003, maybe also Vista, can someone confirm? – this low-quality and feature-lacking (software-wise) player contains a problem where a malformed PCM file can cause it to crash as it tries to divide one number by zero.
00000000 52 49 46 46 24 00 00 1a 57 41 56 45 66 6d 74 20
|RIFF$…WAVEfmt |
00000010 10 00 00 00 01 00 02 00 44 ac 00 00 88 58 01 00
|……..D….X..|
00000020 00 00 10 00 64 61 74 61 00 00 00 1a 00 00 24 17
|….data……$.|
00000030 1e f3 3c 13 3c 14 16 f9 18 f9 34 e7 23 a6 3c f2
|..< .<.....4.#.<.|
00000040 24 f2 11 ce 1a 0d
|$.....|
Is this vulnerability interesting? not really - mplay32.exe is no longer the default player - unless you are still in the stone-age (i.e. have never upgraded your system or Internet Explorer) - and it allows you to do nothing but crash the player.

If someone can find out more about this issue, I will be happy to hear.

BTW: This PCM vulnerability was discovered by beSTORM’s PCM (WAV) fuzzing module – which was launched against mplay32.exe

Share
  • Rob Nicholls

    Vista doesn’t come with mplay32.exe. Also, mplayer2.exe is a copy of wmplayer.exe (i.e. they’re both WMP 11, the legacy applications have been discarded).