It is possible to create specialy malformed audio file that will cause DoS in application, that uses winmm.dll library to access media files. According to MSDN: The mmioRead function reads a specified number of bytes from a file opened by using the mmioOpen function. LONG mmioRead( HMMIO hmmio, HPSTR pch, LONG cch ); Parameters hmmio File handle of the file to be read. pch Pointer to a buffer to contain the data read from the file. cch Number of bytes to read from the file. Return Values Returns the number of bytes actually read. If the end of the file has been reached and no more bytes can be read, the return value is 0. If there is an error reading from the file, the return value is - 1. As we can see when we pass to big in cch parameter the function should return -1. This is not what happens. When pussing very large value for instance 0xFFFFFFFF the function mmioRead enters endless loop. A Proof of Concept WAVE file has been created and it's available at: http://sectroyer.110mb.com/mmio_die.wav. When this file is opened by application SndRec32 it will cause 100% CPU consumption. Michael Majchrowicz.
This archive was generated by hypermail 2.1.3 : Mon Mar 12 2007 - 14:01:59 PST