VYPR
Unrated severity · NVD Advisory · Published Jan 14, 2020 · Updated Aug 6, 2024

CVE-2013-7185

Description

PotPlayer 1.5.40688 crashes when opening a specially crafted .avi file, leading to memory corruption and potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

PotPlayer version 1.5.40688 contains a memory corruption vulnerability in its handling of malformed .avi files. The flaw resides in the parsing routine within PotPlayer.dll. When the application opens a crafted .avi file via the Open URL feature or directly, it processes malformed RIFF headers containing manipulated stream data, causing an access violation due to a NULL pointer dereference [1].

Exploitation

An attacker can exploit this vulnerability remotely by hosting the malicious .avi file on a web server and enticing the user to open it (e.g., Right Click on PotPlayer Screen -> Open -> Open URL... and entering http://evil/PotPlayer.avi) [1]. No authentication is required; the victim only needs to use PotPlayer to open the crafted file. The exploit triggers a write to address edi=0x00000000 via movdqa xmmword ptr [edi],xmm0, causing a first-chance access violation [1].

Impact

Successful exploitation results in memory corruption, leading to a denial-of-service (application crash). Although the exploit code provided is a proof-of-concept that only demonstrates a crash, the nature of the corruption (writing controlled data to a null pointer) may allow an attacker to achieve arbitrary code execution with the privileges of the user running PotPlayer [1].

Mitigation

As of December 2013, the vendor had not released a patched version for this specific issue. The exploit notes that this version (1.5.40688) and probably older versions are affected [1]. Users should upgrade to a newer version of PotPlayer if available, or consider using alternative media players. No official workaround or KEV listing has been published.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • PotPlayer/PotPlayer (description)
  • Kakao/PotPlayer (llm-fuzzy)
    Range: =1.5.40688

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
