Nov 24 2008
Critical BoF vulnerability found in ffdshow affecting all internet browsers
General Information
ffdshow is a DirectShow filter and VFW codec for many audio and video formats, such as DivX, Xvid and H.264. It is the most popular audio and video decoder on Windows. Besides a stand-alone setup package, ffdshow is often included in almost all codec pack software such as K-lite Codec Pack, XP Codec Pack, Vista Codec Package, Codec Pack All in one,…
In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability in ffdshow which affects all available internet browsers. Taking advantage of the flaw, hackers can perform remote attack, inject viruses, steal sensitive information and even take control of the victim’s system.
Since ffdshow is an open source software (can be found at http://sourceforge.net/projects/ffdshow-tryout), we have contacted the developing team and they have patched the vulnerability in the latest version of ffdshow.
|
Details |
|
|
SVRT Advisory |
SVRT-05-08 |
|
CVE reference |
|
|
Initial vendor notification |
13-11-2008 |
|
Release Date |
24-11-2008 |
|
Update Date |
26-11-2008 |
|
Discovered by |
SVRT-Bkis |
|
Attack Type |
Buffer Overflow |
|
Security Rating |
Critical |
|
Impact |
Remote Code Execution |
|
Affected Software |
ffdshow (< rev2347 20081123) |
Technique Description
The flaw occurs when ffdshow works with a media stream (e.g. http://[website]/test.avi). On parsing an overly long link, ffdshow would encounter a buffer overflow error as the memory is not allocated and controlled well.
ffdshow is in fact a codec component for decoding multimedia formats so it must be used via some media player; the default program is Windows Media Player (wmp). Due to this reason, all internet browsers that support wmp plug-in are influenced by this vulnerability, such as Internet Explorer, Firefox, Opera, Chrome…
In order to exploit, hackers trick users into visiting a website containing malicious code. If successful, malicious code would be executed without any users’ further interaction. Hackers can then take complete control of the system.
Solution
As for the seriousness of the vulnerability, it has been patched in the latest version of ffdshow by the developing team of the software. Bkis Internetwork Security Center highly recommends that users should update ffdshow to the latest version here: ffdshow
At the moment, there are a lot of software packages packing ffdshow that haven’t been updated. On account of this, users should also update the ffdshow latest versions:
- K-Lite Codec Pack (latest version).
- XP Codec Pack (latest version).
- Vista Codec Package (latest version).
- Codec Pack All in one (latest version).
- Storm Codec Pack (latest version).
- And many other software Codec packages using ffdshow.
In addition, software producers that make use of ffdshow in their products should also update these products with the latest version of ffdshow.
Credits
Thanks Nguyen Anh Tai for working with SVRT-Bkis.
SVRT-Bkis
Latest Advisories
Hi,
I crafted a html file to invoke avi:
but the IE did not crashed, I have no idea about that, would you mind point where I am wrong?
Thanks
Solo
I have figured it out, thx all the same:)
Hey Solo can you contact me at sinfullmaster@gmail.com?
[...] kutatók távoli kódfuttatásra alkalmas puffer túlcsordulásos hibát találtak az ffdshow kodekben, amelyet több népszerű Windowsos kodek csomag, és a Windows Media Player is [...]
[...] pameta saiti uz kādu drošības blogu kurā aprakstīta nopietna video dekodera ffdshow ievainojamība, kas ļauj attālināti palaist [...]