AVI file
Remote exploitation of a heap corruption vulnerability in Microsoft
Corp.'s Indeo32 Codec could allow an attacker to execute arbitrary code
in the context of the affected user.
This vulnerability exists specifically in the Indeo32 codec, ir32_32.dll. The
Indeo32 codec uses the "IV32" FourCC code inside an AVI file. When this
FourCC code is specified in the "strf" chunk of an AVI file, it tells the
movie player to decode the movie stream using the Indeo32 codec. When
malformed data is supplied in the Indeo stream, heap corruption can
occur, which results in an exploitable condition.
# Tested on Windows 7 and Winamp v5.571 (x86)
# This bug was reported to Nullsoft and was fixed long ago.
# The status can be found at http://forums.winamp.com/showthread.php?s=&threadid=316000
# This code works on Python 3.0. To make it work on Python <3.0, remove the parentheses in print
print("\n***Winamp v5.571 malicious AVI file handling DoS Vulnerability***\n")
try:
    print("Creating malicious AVI file . . . \n")
    # Opening in write mode and closing immediately leaves a zero-byte file
    with open('winampcrash.avi', 'w'):
        pass
    print("Successfully created Zero size AVI file\n")
except OSError as e:
    print("Failed to create AVI file: %s\n" % e)
Secunia Research has discovered two vulnerabilities in Winamp, which
can be exploited by malicious people to compromise a user's system.
1) An integer overflow error in the in_avi.dll plugin when allocating
memory using the number of streams header value can be exploited to
cause a heap-based buffer overflow via a specially crafted AVI file.
2) An integer overflow error in the in_avi.dll plugin when allocating
memory using the RIFF INFO chunk's size value can be exploited to
cause a heap-based buffer overflow via a specially crafted AVI file.
#!/usr/local/bin/perl
#
# Application : Nokia Multimedia Player
# Version : v 1.1
# Bug : Local (.AVI File) Null Pointer Dereference Exploit
# Exploit Method : Local
# Author : Null Area Security
# Zigma [zigmatn @ gmail.com]
# IRC : irc://irc.nullarea.org/#nullarea
# Home : http://NullArea.NET
Remote exploitation of a heap-based buffer overflow vulnerability in
VMware Inc.'s movie decoder allows attackers to execute arbitrary code.
This vulnerability exists due to a lack of input validation when
processing certain specially crafted Audio-Video Interleave (AVI)
files. During processing, a heap buffer will be allocated based on one
part of the AVI file data. However, the amount of data copied into that
buffer is calculated based on a different part of the file. This leads
to an exploitable heap-based buffer overflow condition.
The vulnerability is caused by a boundary error in vmnc.dll when
processing HexTile encoded video chunks and can be exploited to cause
a heap-based buffer overflow.
Successful exploitation may allow execution of arbitrary code by
tricking a user into opening a specially crafted AVI file.
======================================================================
5) Solution
Update to version 6.5.4 build 246459.
FFmpeg 0.5 allows remote attackers to cause a denial of service (hang)
via a crafted file that triggers an infinite loop. (CVE-2009-4636)
The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
remote attackers to cause a denial of service (crash) via a crafted
AVI file that triggers a divide-by-zero error. (CVE-2009-4639)
Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a crafted Vorbis file that triggers an out-of-bounds
read. (CVE-2009-4640)
to process a pointer for a video structure, leading to a stack-based
buffer overflow. (CVE-2009-4635)
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused by an error in the processing of MS ADPCM
encoded audio data. This can be exploited to cause a heap-based buffer
overflow via a specially crafted AVI file.
Successful exploitation may allow execution of arbitrary code.
======================================================================
5) Solution
CAL-20070912-1 Multiple vendor products' AVI file handling vulnerabilities
Code Audit Labs (http://www.vulnhunt.com) audited some popular media
players and discovered several vulnerabilities.
One heap overflow was discovered in MPlayer.
One heap overflow and one integer overflow were discovered in Media
Player Classic (MPC) and other products based on MPC, such as MyMPC and
StormPlayer.
through vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists within the Microsoft Animation ActiveX control
MSCOMCT2.OCX. When parsing a malformed AVI file through this control an
exploitable heap corruption can occur. As the AVI file can be loaded
over a UNC path this issue is remotely exploitable and can result in
arbitrary code execution under the context of the current user.
-- Vendor Response:
Problem Description:
A heap-based buffer overflow was found in MPlayer's AVI handling
that could allow a remote attacker to cause a denial of service or
possibly execute arbitrary code via a crafted .avi file.
Updated packages have been patched to prevent this issue.
_______________________________________________________________________
References:
The vulnerabilities are caused by two integer truncation errors in
vmnc.dll when processing HexTile encoded video chunks and can be
exploited to cause heap-based buffer overflows.
Successful exploitation may allow execution of arbitrary code by
tricking a user into opening a specially crafted AVI file.
======================================================================
5) Solution
Update to version 6.5.4 build 246459.
#
# usage:
# - download the latest 3ivx codec from here:
# hxxp://www.3ivx.com/codec/3ivx_MPEG-4_501_trial_win.exe
#
# - play the AVI file with COWON Media Center
#
# Maybe I will add more vulnerable apps if I have time.
# SYS 49152
#
# gforce(put the @ here)operamail(put the . here)com
Several additional vulnerabilities originally discovered by Google
Chrome developers were also fixed with this advisory.
The updated packages have been patched to correct these issues.