<<< Date Index >>>     <<< Thread Index >>>

Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)

The report is for ffdshow, but the referred URL is to ffdshow-tryout. I wonder 
if they are the same.

Cheers
Nam

On Mon, 24 Nov 2008 15:17:05 +0700
"svrt" <svrt@xxxxxxxxxxx> wrote:

> 1. General Information
> 
> ffdshow is a DirectShow filter and VFW codec for many audio and video 
> formats, such as DivX, Xvid and H.264. It is the most popular audio and 
> video decoder on Windows. Besides a stand-alone setup package, ffdshow is 
> often included in almost all codec pack software such as K-lite Codec Pack, 
> XP Codec Pack, Vista Codec Package, Codec Pack All in one,.
> 
> In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability 
> in ffdshow which affects all available internet browsers. Taking advantage 
> of the flaw, hackers can perform remote attack, inject viruses, steal 
> sensitive information and even take control of the victim's system.
> 
> Since ffdshow is an open source software (can be found at 
> http://sourceforge.net/projects/ffdshow-tryout), we have contacted the 
> developing team and they have patched the vulnerability in the latest 
> version of ffdshow.
> 
> Details : http://security.bkis.vn/?p=277
> SVRT Advisory  : SVRT-05-08
> Initial vendor notification :  13-11-2008
> Release Date : 24-11-2008
> Update Date  : 24-11-2008
> Discovered by : SVRT-Bkis
> Security Rating :  Critical
> Impact  Remote : Code Execution
> Affected Software : ffdshow  (< rev2347 20081123)
> 
> 2. Technique Description
> 
> The flaw occurs when ffdshow works with a media stream (e.g. 
> http://[website]/test.avi). On parsing an overly long link, ffdshow would 
> encounter a buffer overflow error as the memory is not allocated and 
> controlled well.
> 
> ffdshow is in fact a codec component for decoding multimedia formats so it 
> must be used via some media player; the default program is Windows Media 
> Player (wmp). Due to this reason, all internet browsers that support wmp 
> plug-in are influenced by this vulnerability, such as Internet Explorer, 
> Firefox, Opera, Chrome...
> 
> In order to exploit, hackers trick users into visiting a website containing 
> malicious code. If successful, malicious code would be executed without any 
> users' further interaction. Hackers can then take complete control of the 
> system.
> 
> 3. Solution
> 
> As for the seriousness of the vulnerability, it has been patched in the 
> latest version of ffdshow by the developing team of the software. Bkis 
> Internetwork Security Center highly recommends that users should update 
> ffdshow to the latest version here: 
> http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904
> 
> At the moment, there are a lot of software packages packing ffdshow that 
> haven't been updated. On account of this, users should also update the 
> ffdshow latest versions:
> - K-Lite Codec Pack (lastest version).
> - XP Codec Pack (lastest version).
> - Vista Codec Package (lastest version).
> - Codec Pack All in one (lastest version).
> - Storm Codec Pack (lastest version).
> - And many other software Codec packages using ffdshow.
> 
> In addition, software producers that make use of ffdshow in their products 
> should also update these products with the latest version of ffdshow.
> 
> 4. Credits
> Thanks Nguyen Anh Tai for working with SVRT-Bkis.
> 
> ----------------------------------------------------------------
> Bach Khoa Internetwork Security Center (BKIS)
> Hanoi University of Technology (Vietnam)
> 
> Email : svrt@xxxxxxxxxxx
> Website : www.bkav.com.vn
> WebBlog : security.bkis.vn
> Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg
> ---------------------------------------------------------------- 
> 
> 
> 
> 


-- 
Nam