Name of Vulnerability: Creative Zen Vision M MediaExplorer 5.X COM Buffer Overflow Vulnerability Release Date: 09/17/2007 Severity Rating: Moderate Impact: Medium From Where: From Local only Solution Status: This is a bug in drag and drop event handling. This is rated important and impacts all Operating Systems. As a workaround, you can disable WebDAV Component to eliminate vulnerability until patch is applied from vendor. OS Affected: Creative Vision M MediaExplorer 5.20.12 Windows 2000 Professional SP4 Windows 2000 Server SP4 Windows XP Professional SP1 Windows XP Professional SP2 Windows Server 2003 for Small Business Server Gold Windows Server 2003, Enterprise Edition Gold Windows Server 2003, Standard Edition Gold Windows Server 2003, Web Edition Gold Windows Server 2003 for Small Business Server SP1 Windows Server 2003, Enterprise Edition SP1 Windows Server 2003, Standard Edition SP1 Windows Server 2003, Web Edition SP1 Description of Vulnerability: Creative Technologies “Zen Vision M Media Explorer” is use to explore files which is audio or video files or picture files. While transferring Picture files where Zen Vision M can able to store both vector and bitmap-format graphical data in memory or in disk files. The vector data stored in WMF/jpg/BMP files is described as Microsoft Windows Graphics Device Interface (GDI) commands. In this environment these commands are interpreted and played back on an output device using the Windows API PlayMetaFile() function. Bitmap data stored in a WMF file may be stored in the form of a Microsoft Device Dependent Bitmap (DDB), or Device Independent Bitmap (DIB). Crafted .WMF file or .JPG File or BMP file causes Explorer.exe to use 100% of CPU and can cause the system to hang until the MediaExplorer.exe process is killed. DETAILS: A bug in MediaExplorer.exe allows crafted WMF file or JPG file to hang the system and cause 100% of CPU usage. Put the file in an arbitrary folder (be sure that the file has .wmf or .JPG or .BMP extension). Open that folder with Zen Vision M’s MediaExplorer, and just move mouse over malformed file. CPU usage will rise to 100%, and stay that way. During this condition you can work with explorer, but it will be unstable. It doesn't help if you close all MediaExplorer session, you must restart MediaExplorer.exe, and only then CPU usage will get down to normal. Mouse over and Double Click with the mouse will cause the same effect in MediaExplorer.exe. Proof of Concept: 00000000 :D7 CD C6 9A 00 00 00 00 - 00 00 A1 21 EC 29 EC 09 00000010 :00 00 00 00 B0 56 01 00 - 09 00 00 03 0E 00 00 00 00000020 :01 00 05 00 00 00 00 00 - 00 00 00 00 0B 02 00 00 00000030 :00 00 In order to use this hex dump, save the content into a file with .WMF or .JPG or .BMP extension and try to execute it using MediaExplorer.exe. Provided and Discovered by: TaMbArUS (tambarus@gmail.com) Any Other Reference: N.A.