| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Nov 2008 09:41:00 +0700 From: Nam Nguyen <namn@...emoon.com.vn> To: "svrt" <svrt@...v.com.vn> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis) The report is for ffdshow, but the referred URL is to ffdshow-tryout. I wonder if they are the same. Cheers Nam On Mon, 24 Nov 2008 15:17:05 +0700 "svrt" <svrt@...v.com.vn> wrote: > 1. General Information > > ffdshow is a DirectShow filter and VFW codec for many audio and video > formats, such as DivX, Xvid and H.264. It is the most popular audio and > video decoder on Windows. Besides a stand-alone setup package, ffdshow is > often included in almost all codec pack software such as K-lite Codec Pack, > XP Codec Pack, Vista Codec Package, Codec Pack All in one,. > > In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability > in ffdshow which affects all available internet browsers. Taking advantage > of the flaw, hackers can perform remote attack, inject viruses, steal > sensitive information and even take control of the victim's system. > > Since ffdshow is an open source software (can be found at > http://sourceforge.net/projects/ffdshow-tryout), we have contacted the > developing team and they have patched the vulnerability in the latest > version of ffdshow. > > Details : http://security.bkis.vn/?p=277 > SVRT Advisory : SVRT-05-08 > Initial vendor notification : 13-11-2008 > Release Date : 24-11-2008 > Update Date : 24-11-2008 > Discovered by : SVRT-Bkis > Security Rating : Critical > Impact Remote : Code Execution > Affected Software : ffdshow (< rev2347 20081123) > > 2. Technique Description > > The flaw occurs when ffdshow works with a media stream (e.g. > http://[website]/test.avi). On parsing an overly long link, ffdshow would > encounter a buffer overflow error as the memory is not allocated and > controlled well. > > ffdshow is in fact a codec component for decoding multimedia formats so it > must be used via some media player; the default program is Windows Media > Player (wmp). Due to this reason, all internet browsers that support wmp > plug-in are influenced by this vulnerability, such as Internet Explorer, > Firefox, Opera, Chrome... > > In order to exploit, hackers trick users into visiting a website containing > malicious code. If successful, malicious code would be executed without any > users' further interaction. Hackers can then take complete control of the > system. > > 3. Solution > > As for the seriousness of the vulnerability, it has been patched in the > latest version of ffdshow by the developing team of the software. Bkis > Internetwork Security Center highly recommends that users should update > ffdshow to the latest version here: > http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904 > > At the moment, there are a lot of software packages packing ffdshow that > haven't been updated. On account of this, users should also update the > ffdshow latest versions: > - K-Lite Codec Pack (lastest version). > - XP Codec Pack (lastest version). > - Vista Codec Package (lastest version). > - Codec Pack All in one (lastest version). > - Storm Codec Pack (lastest version). > - And many other software Codec packages using ffdshow. > > In addition, software producers that make use of ffdshow in their products > should also update these products with the latest version of ffdshow. > > 4. Credits > Thanks Nguyen Anh Tai for working with SVRT-Bkis. > > ---------------------------------------------------------------- > Bach Khoa Internetwork Security Center (BKIS) > Hanoi University of Technology (Vietnam) > > Email : svrt@...v.com.vn > Website : www.bkav.com.vn > WebBlog : security.bkis.vn > Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg > ---------------------------------------------------------------- > > > > -- Nam _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists