[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20081125094100.b8587e07.namn@bluemoon.com.vn>
Date: Tue, 25 Nov 2008 09:41:00 +0700
From: Nam Nguyen <namn@...emoon.com.vn>
To: "svrt" <svrt@...v.com.vn>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [SVRT-05-08] Critical BoF vulnerability found
in ffdshow affecting all internet browsers (SVRT-Bkis)
The report is for ffdshow, but the referred URL is to ffdshow-tryout. I wonder if they are the same.
Cheers
Nam
On Mon, 24 Nov 2008 15:17:05 +0700
"svrt" <svrt@...v.com.vn> wrote:
> 1. General Information
>
> ffdshow is a DirectShow filter and VFW codec for many audio and video
> formats, such as DivX, Xvid and H.264. It is the most popular audio and
> video decoder on Windows. Besides a stand-alone setup package, ffdshow is
> often included in almost all codec pack software such as K-lite Codec Pack,
> XP Codec Pack, Vista Codec Package, Codec Pack All in one,.
>
> In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability
> in ffdshow which affects all available internet browsers. Taking advantage
> of the flaw, hackers can perform remote attack, inject viruses, steal
> sensitive information and even take control of the victim's system.
>
> Since ffdshow is an open source software (can be found at
> http://sourceforge.net/projects/ffdshow-tryout), we have contacted the
> developing team and they have patched the vulnerability in the latest
> version of ffdshow.
>
> Details : http://security.bkis.vn/?p=277
> SVRT Advisory : SVRT-05-08
> Initial vendor notification : 13-11-2008
> Release Date : 24-11-2008
> Update Date : 24-11-2008
> Discovered by : SVRT-Bkis
> Security Rating : Critical
> Impact Remote : Code Execution
> Affected Software : ffdshow (< rev2347 20081123)
>
> 2. Technique Description
>
> The flaw occurs when ffdshow works with a media stream (e.g.
> http://[website]/test.avi). On parsing an overly long link, ffdshow would
> encounter a buffer overflow error as the memory is not allocated and
> controlled well.
>
> ffdshow is in fact a codec component for decoding multimedia formats so it
> must be used via some media player; the default program is Windows Media
> Player (wmp). Due to this reason, all internet browsers that support wmp
> plug-in are influenced by this vulnerability, such as Internet Explorer,
> Firefox, Opera, Chrome...
>
> In order to exploit, hackers trick users into visiting a website containing
> malicious code. If successful, malicious code would be executed without any
> users' further interaction. Hackers can then take complete control of the
> system.
>
> 3. Solution
>
> As for the seriousness of the vulnerability, it has been patched in the
> latest version of ffdshow by the developing team of the software. Bkis
> Internetwork Security Center highly recommends that users should update
> ffdshow to the latest version here:
> http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904
>
> At the moment, there are a lot of software packages packing ffdshow that
> haven't been updated. On account of this, users should also update the
> ffdshow latest versions:
> - K-Lite Codec Pack (lastest version).
> - XP Codec Pack (lastest version).
> - Vista Codec Package (lastest version).
> - Codec Pack All in one (lastest version).
> - Storm Codec Pack (lastest version).
> - And many other software Codec packages using ffdshow.
>
> In addition, software producers that make use of ffdshow in their products
> should also update these products with the latest version of ffdshow.
>
> 4. Credits
> Thanks Nguyen Anh Tai for working with SVRT-Bkis.
>
> ----------------------------------------------------------------
> Bach Khoa Internetwork Security Center (BKIS)
> Hanoi University of Technology (Vietnam)
>
> Email : svrt@...v.com.vn
> Website : www.bkav.com.vn
> WebBlog : security.bkis.vn
> Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg
> ----------------------------------------------------------------
>
>
>
>
--
Nam
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists