Bugtraq mailing list archives

Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)

From: "svrt" <svrt () bkav com vn>
Date: Wed, 26 Nov 2008 09:25:33 +0700

Hi,

To Nguyen Nam : You can see details inhttp://sourceforge.net/forum/forum.php?forum_id=597807

Besides, K-lite Codec Pack that contains the fixed version of ffdshow havebeen released today (11-26-2008).



Thanks,
SVRT-Bkis

----------------------------------------------------------------
Bach Khoa Internetwork Security Center (BKIS)
Hanoi University of Technology (Vietnam)

Email : svrt () bkav com vn
Website : www.bkav.com.vn
WebBlog : security.bkis.vn
Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg

--------------------------------------------------------------------- Original Message -----From: "Nam Nguyen" <namn () bluemoon com vn>

To: "svrt" <svrt () bkav com vn>
Cc: <bugtraq () securityfocus com>; <full-disclosure () lists grok org uk>
Sent: Tuesday, November 25, 2008 9:41 AM

Subject: Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshowaffecting all internet browsers (SVRT-Bkis)

The report is for ffdshow, but the referred URL is to ffdshow-tryout. I
wonder if they are the same.

Cheers
Nam

On Mon, 24 Nov 2008 15:17:05 +0700
"svrt" <svrt () bkav com vn> wrote:

1. General Information

ffdshow is a DirectShow filter and VFW codec for many audio and video
formats, such as DivX, Xvid and H.264. It is the most popular audio and
video decoder on Windows. Besides a stand-alone setup package, ffdshow is
often included in almost all codec pack software such as K-lite Codec

Pack,

XP Codec Pack, Vista Codec Package, Codec Pack All in one,.

In Oct 2008, SVRT-Bkis has detected a serious buffer overflow

vulnerability

in ffdshow which affects all available internet browsers. Takingadvantage

of the flaw, hackers can perform remote attack, inject viruses, steal
sensitive information and even take control of the victim's system.

Since ffdshow is an open source software (can be found at
http://sourceforge.net/projects/ffdshow-tryout), we have contacted the
developing team and they have patched the vulnerability in the latest
version of ffdshow.

Details : http://security.bkis.vn/?p=277
SVRT Advisory  : SVRT-05-08
Initial vendor notification :  13-11-2008
Release Date : 24-11-2008
Update Date  : 24-11-2008
Discovered by : SVRT-Bkis
Security Rating :  Critical
Impact  Remote : Code Execution
Affected Software : ffdshow  (< rev2347 20081123)

2. Technique Description

The flaw occurs when ffdshow works with a media stream (e.g.
http://[website]/test.avi). On parsing an overly long link, ffdshow would
encounter a buffer overflow error as the memory is not allocated and
controlled well.

ffdshow is in fact a codec component for decoding multimedia formats soit

must be used via some media player; the default program is Windows Media
Player (wmp). Due to this reason, all internet browsers that support wmp
plug-in are influenced by this vulnerability, such as Internet Explorer,
Firefox, Opera, Chrome...

In order to exploit, hackers trick users into visiting a website

containing

malicious code. If successful, malicious code would be executed without

any

users' further interaction. Hackers can then take complete control of the
system.

3. Solution

As for the seriousness of the vulnerability, it has been patched in the
latest version of ffdshow by the developing team of the software. Bkis
Internetwork Security Center highly recommends that users should update
ffdshow to the latest version here:

http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904


At the moment, there are a lot of software packages packing ffdshow that
haven't been updated. On account of this, users should also update the
ffdshow latest versions:
- K-Lite Codec Pack (lastest version).
- XP Codec Pack (lastest version).
- Vista Codec Package (lastest version).
- Codec Pack All in one (lastest version).
- Storm Codec Pack (lastest version).
- And many other software Codec packages using ffdshow.

In addition, software producers that make use of ffdshow in theirproducts

should also update these products with the latest version of ffdshow.

4. Credits
Thanks Nguyen Anh Tai for working with SVRT-Bkis.

----------------------------------------------------------------
Bach Khoa Internetwork Security Center (BKIS)
Hanoi University of Technology (Vietnam)

Email : svrt () bkav com vn
Website : www.bkav.com.vn
WebBlog : security.bkis.vn
Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg

----------------------------------------------------------------



--
Nam

Current thread:

[SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis) svrt (Nov 24)
- Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis) Eygene Ryabinkin (Nov 25)
- Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis) Nam Nguyen (Nov 25)
  - Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis) svrt (Nov 26)