AVIPreview 0.26 Alpha - Denial of Service Vulnerability
fuzzing, security, blackbox, tests, AVIPreview.exe, DoS, AVI
AVIPreview 0.26 Alpha - Denial of Service Vulnerability
FMA-2011-005
AVIPreview
0.26
n/a
AVIPreview.exe
0.26
399AB43EDD26C655D0876DC5DDCAA3A7
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
Windows7 SP1 Home Premium
2011.03.15
n/a
2012.04.12
Denial of Service vulnerability.
DoS
AVIPreview does not properly validate address of data buffer. Denial of Service is caused by attempt to read dword value from dereferenced null pointer. Exception is not handled by application and leads to its crash.
Access violation exception raised during dereferencing null pointer.
00405B28 8BEC MOV EBP,ESP
00405B2A 83EC 24 SUB ESP,24
00405B2D 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
00405B30 C745 F4 FFFFFFF>MOV DWORD PTR SS:[EBP-C],-1
00405B37 C745 FC 2100000>MOV DWORD PTR SS:[EBP-4],21
00405B3E C705 B8B14100 F>MOV DWORD PTR DS:[41B1B8],-1
00405B48 C705 BCB14100 F>MOV DWORD PTR DS:[41B1BC],-1
00405B52 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; [0x00CEFC88] = 0x0041b0f8 => .data section buffer
00405B55 83C0 48 ADD EAX,48
00405B58 50 PUSH EAX ; push buffer address
00405B59 8B0D E0B14100 MOV ECX,DWORD PTR DS:[41B1E0] ; hardcoded buffer address
00405B5F 8B11 MOV EDX,DWORD PTR DS:[ECX] ; if we force ECX to point to our AVI file or buffor which we can control
00405B61 A1 E0B14100 MOV EAX,DWORD PTR DS:[41B1E0] ; hardcoded buffer address
00405B66 50 PUSH EAX
00405B67 FF52 30 CALL DWORD PTR DS:[EDX+30] ; then we have LCE here
image01s.png
100
64
image01.png
Access violation exception in AVIPreview.exe module.
Access violation exception in AVIPreview.exe module.