Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit

Title: Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4956
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010
Summary
Media Player Classic (MPC) is a compact media player for 32-bit Microsoft Windows. The application mimics the look and feel of the old, lightweight Windows Media Player 6.4 but integrates most options and features found in modern media players. It and its forks are standard media players in the K-Lite Codec Pack and the Combined Community Codec Pack.
Description
Media Player Classic suffers from a DLL hijacking vulnerability that enables an attacker to execute arbitrary code on a local level. The vulnerable extensions are .mka, .ra and .ram, through the iacenc.dll library.
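A defensive check for the issue described above, added here as an example and not part of the original advisory or its PoC: it flags folders where a file named iacenc.dll sits beside .mka, .ra or .ram files. It assumes the usual pattern for this bug class, where the library is picked up from the directory of the opened media file; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Names taken from the advisory: the hijacked library and the affected extensions.
DLL_NAME = "iacenc.dll"
MEDIA_EXTS = {".mka", ".ra", ".ram"}


def find_planted_dll(root):
    """Return sorted (directory, dll_path, [media files]) for suspicious folders.

    A folder is suspicious when it holds a file named iacenc.dll (any case,
    Windows file names are case-insensitive) beside at least one affected file.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = [f for f in files if f.lower() == DLL_NAME]
        media = sorted(f for f in files
                       if os.path.splitext(f)[1].lower() in MEDIA_EXTS)
        if dlls and media:
            hits.append((dirpath, os.path.join(dirpath, dlls[0]), media))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample data: one suspicious share, two benign folders."""
    layout = {
        "share/album": ["track01.mka", "IACENC.DLL", "cover.jpg"],
        "share/radio": ["stream.ram", "notes.txt"],      # media only
        "tools/codecs": ["iacenc.dll", "readme.txt"],    # DLL only
    }
    for rel, names in layout.items():
        folder = os.path.join(base, *rel.split("/"))
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"")  # empty placeholder files, content is irrelevant
    return base


def demo():
    """Scan the constructed tree and return (relative folder, media files)."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_planted_dll(build_sample_tree(tmp))
        return [(os.path.relpath(d, tmp).replace(os.sep, "/"), m)
                for d, _path, m in hits]


if __name__ == "__main__":
    for folder, media in demo():
        print(f"suspicious: {folder} holds {DLL_NAME} beside {media}")
```

Point `find_planted_dll` at download folders, removable media or network shares; a hit is a lead for review, since the file's origin still has to be established.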
Vendor
Gabest - http://sourceforge.net/projects/guliverkli
Affected Version
6.4.9.1 (revision 73)
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
mplayerc_dll.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/14788
[2] http://www.packetstormsecurity.org/filedesc/mplayerc_dll.txt.html
[3] http://secunia.com/advisories/41114/
[4] http://securityreason.com/exploitalert/8772
[5] http://www.vupen.com/english/advisories/2010/2190
[6] http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
[7] http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
[8] http://osvdb.org/show/osvdb/67551
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3138
[10] http://www.securityfocus.com/bid/42730
[11] http://osvdb.org/67588
[12] http://www.net-security.org/vuln.php?id=14726
[13] http://technet.microsoft.com/en-us/security/bulletin/ms12-014
[14] http://blogs.technet.com/b/srd/archive/2012/02/14/ms12-014-indeo-a-blast-from-the-past.aspx
Changelog
[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4], [5], [6] and [7]
[28.08.2010] - Added reference [8]
[31.08.2010] - Added reference [9]
[13.11.2010] - Added reference [10] and [11]
[18.02.2011] - Added reference [12]
[13.08.2013] - Added reference [13] and [14]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk