ffdshow URL Link Buffer Overflow Vulnerability

Vulnerability ID: 1184537    Vulnerability type: Buffer overflow
Published: 2008-11-24    Updated: 2008-12-31
CVE ID: CVE-2008-5381    CNNVD-ID: CNNVD-200812-111
Platform: N/A    CVSS score: 9.3
|Vulnerability source
https://www.securityfocus.com/bid/32438
https://cxsecurity.com/issue/WLB-2008120094
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-111
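|Vulnerability details
FFDShow is an all-purpose decoder and encoder that supports many video file formats. ffdshow has a buffer overflow vulnerability when parsing a media stream (such as http://[website]/test.avi). If a user is tricked into visiting a malicious website and an overly long media link is parsed, the overflow can be triggered, leading to execution of arbitrary instructions. ffdshow is a codec component for decoding multimedia and must be used together with a media player, Windows Media Player by default. Therefore, all browsers that support Windows Media Player are affected by this vulnerability, including Internet Explorer, Firefox, Opera, and Chrome.
|Vulnerability EXP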
1. General Information

ffdshow is a DirectShow filter and VFW codec for many audio and video 
formats, such as DivX, Xvid and H.264. It is the most popular audio and 
video decoder on Windows. Besides a stand-alone setup package, ffdshow is 
often included in almost all codec pack software such as K-lite Codec Pack, 
XP Codec Pack, Vista Codec Package, Codec Pack All in one.

In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability 
in ffdshow which affects all available internet browsers. Taking advantage 
of the flaw, hackers can perform remote attack, inject viruses, steal 
sensitive information and even take control of the victim's system.

Since ffdshow is an open source software (can be found at 
http://sourceforge.net/projects/ffdshow-tryout), we have contacted the 
developing team and they have patched the vulnerability in the latest 
version of ffdshow.

Details : http://security.bkis.vn/?p=277
SVRT Advisory  : SVRT-05-08
Initial vendor notification :  13-11-2008
Release Date : 24-11-2008
Update Date  : 24-11-2008
Discovered by : SVRT-Bkis
Security Rating :  Critical
Impact  Remote : Code Execution
Affected Software : ffdshow  (< rev2347 20081123)

2. Technique Description

The flaw occurs when ffdshow works with a media stream (e.g. 
http://[website]/test.avi). On parsing an overly long link, ffdshow would 
encounter a buffer overflow error as the memory is not allocated and 
controlled well.

ffdshow is in fact a codec component for decoding multimedia formats so it 
must be used via some media player; the default program is Windows Media 
Player (wmp). Due to this reason, all internet browsers that support wmp 
plug-in are influenced by this vulnerability, such as Internet Explorer, 
Firefox, Opera, Chrome...

In order to exploit, hackers trick users into visiting a website containing 
malicious code. If successful, malicious code would be executed without any 
users' further interaction. Hackers can then take complete control of the 
system.

3. Solution

As for the seriousness of the vulnerability, it has been patched in the 
latest version of ffdshow by the developing team of the software. Bkis 
Internetwork Security Center highly recommends that users should update 
ffdshow to the latest version here: 
http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904

At the moment, there are a lot of software packages packing ffdshow that 
haven't been updated. On account of this, users should also update the 
ffdshow latest versions:
- K-Lite Codec Pack (latest version).
- XP Codec Pack (latest version).
- Vista Codec Package (latest version).
- Codec Pack All in one (latest version).
- Storm Codec Pack (latest version).
- And many other software Codec packages using ffdshow.

In addition, software producers that make use of ffdshow in their products 
should also update these products with the latest version of ffdshow.

4. Credits
Thanks Nguyen Anh Tai for working with SVRT-Bkis.

----------------------------------------------------------------
Bach Khoa Internetwork Security Center (BKIS)
Hanoi University of Technology (Vietnam)

Email : svrt (at) bkav.com (dot) vn
Website : www.bkav.com.vn
WebBlog : security.bkis.vn
Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg
----------------------------------------------------------------
|Affected products
ffdshow ffdshow rev2322_20081114
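
An added example (not part of the advisory or of ffdshow's own code): an inventory check that parses build strings in the form shown on this page (rev2322_20081114) and flags anything below rev2347, the revision named under "Affected Software". Host names and sample entries are constructed; entries with no recognisable revision are reported as unknown rather than assumed patched.

```python
import re

# First fixed build per the advisory: "Affected Software : ffdshow (< rev2347 20081123)".
FIXED_REV = 2347

# Build strings as written on this page: "rev2322_20081114" / "rev2347 20081123".
_BUILD_RE = re.compile(r"rev[\s_]?(\d{1,6})(?:[\s_]+(\d{8}))?", re.IGNORECASE)


def parse_build(text):
    """Return (revision, date_or_None) from an ffdshow build string, or None."""
    m = _BUILD_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def classify(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one inventory entry."""
    build = parse_build(text)
    if build is None:
        return "unknown"  # no revision found: verify by hand, do not assume patched
    rev, _date = build
    return "vulnerable" if rev < FIXED_REV else "fixed"


def audit(inventory):
    """Map host -> (entry, verdict) for every entry not confirmed fixed."""
    findings = {}
    for host, entry in inventory.items():
        verdict = classify(entry)
        if verdict != "fixed":
            findings[host] = (entry, verdict)
    return findings


# Constructed sample inventory (host names and entries are made up for illustration).
SAMPLE = {
    "ws-01": "ffdshow rev2322_20081114",
    "ws-02": "ffdshow_rev2347_20081123.exe",
    "ws-03": "ffdshow (bundled in codec pack, version not recorded)",
    "ws-04": "ffdshow REV 2180 20080919",
}

if __name__ == "__main__":
    for host, (entry, verdict) in sorted(audit(SAMPLE).items()):
        print(f"{host}: {verdict:10s} {entry}")
```

Codec packs that bundle ffdshow often do not expose its revision, which is why the unknown bucket is kept separate from the fixed one.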
|References

Source: XF
Name: ffdshow-url-bo(46810)
Link: http://xforce.iss.net/xforce/xfdb/46810
Source: BID
Name: 32438
Link: http://www.securityfocus.com/bid/32438
Source: BUGTRAQ
Name: 20081124 [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)
Link: http://www.securityfocus.com/archive/1/archive/1/498585/100/0/threaded
Source: VUPEN
Name: ADV-2008-3249
Link: http://www.frsirt.com/english/advisories/2008/3249
Source: SREASON
Name: 4697
Link: http://securityreason.com/securityalert/4697
Source: MISC
Link: http://security.bkis.vn/?p=277
Source: SECUNIA
Name: 32881
Link: http://secunia.com/advisories/32881
Source: SECUNIA
Name: 32846
Link: http://secunia.com/advisories/32846