Microsoft Video Control Buffer Overflow (July 7, 2009)
SonicWALL UTM Research team is tracking a new 0-day exploit within the msVidCtl component of Microsoft DirectShow that is actively being exploited through drive-by attacks using thousands of newly compromised web sites.
Microsoft DirectShow is a multimedia framework and API; it is the replacement for Microsoft’s earlier “Video for Windows” technology. DirectShow provides a common interface for media across many programming languages, and is an extensible, filter-based framework that can render or record media files on demand. Microsoft DirectShow exposes a number of ActiveX controls for developers. The binary code of these ActiveX controls are encapsulated in dynamic link library msvidctl.dll. These ActiveX controls were not intended to be exposed for the purposes of web development, however, a user can force to load it in an HTML document. A stack buffer overflow vulnerability exists in ProgramID “BDATuner.MPEG2TuneRequest” and ClassID “0955AC62-BF2E-4CBA-A2B9-A63F772D46CF”, which is hosted by msvidctl.dll. Specifically, the application extracts a 4-byte integer value at file offset 0x06 of a GIF image; the application then uses it as the Data Size to copy file data to a stack buffer without performing boundary checks. Opening a specially crafted GIF file in the ActiveX control will overflow the stack buffer, potentially ovewriting critical process data such as function return addresses and SEH pointers. Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted webpage. Successful exploitation would lead to arbitrary code execution in the security context of the logged in user, or terminate the application resulting in a Denial of Service condition. The other CLSIDs and ProgramIDs that are hosted by library msvidctl.dll might be vulnerable as well. SonicWALL has released several GAV and IPS signatures to detect and prevent specific exploitation attempts targeting this vulnerability. The signatures are listed bellow: GAV:- 37926 – DirectShow_Msvidctl (Exploit)
- 3015 – MS Video (msvidctl.dll) ActiveX Control Instantiation 1
- 3016 – MS Video (msvidctl.dll) ActiveX Control Instantiation 2
- 3017 – MS Video (msvidctl.dll) ActiveX Control Instantiation 3
- 3018 – MS Video (msvidctl.dll) ActiveX Control Instantiation 4
- 3020 – MS Video (msvidctl.dll) ActiveX Control Instantiation 5
- 3031 – MS Video (msvidctl.dll) ActiveX Control Instantiation 6
- 3032 – MS Video (msvidctl.dll) ActiveX Control Instantiation 7
- 3034 – MS Video (msvidctl.dll) ActiveX Control Instantiation 8
- 3035 – MS Video (msvidctl.dll) ActiveX Control Instantiation 9
- 3036 – MS Video (msvidctl.dll) ActiveX Control Instantiation 10
- 3038 – MS Video (msvidctl.dll) ActiveX Control Instantiation 11
- 3047 – MS Video (msvidctl.dll) ActiveX Control Instantiation 12
- 3053 – MS Video (msvidctl.dll) ActiveX Control Instantiation 13
- 3055 – MS Video (msvidctl.dll) ActiveX Control Instantiation 14
- 3056 – MS Video (msvidctl.dll) ActiveX Control Instantiation 15
- 3060 – MS Video (msvidctl.dll) ActiveX Control Instantiation 16
- 3061 – MS Video (msvidctl.dll) ActiveX Control Instantiation 17
- 3062 – MS Video (msvidctl.dll) ActiveX Control Instantiation 18
- 3063 – MS Video (msvidctl.dll) ActiveX Control Instantiation 19
- 3064 – MS Video (msvidctl.dll) ActiveX Control Instantiation 20
- 3065 – MS Video (msvidctl.dll) ActiveX Control Instantiation 21
- 3068 – MS Video (msvidctl.dll) ActiveX Control Instantiation 22
- 3074 – MS Video (msvidctl.dll) ActiveX Control Instantiation 23
Some of the domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks are listed below. DO NOT VISIT THEM!
- vip762.3322.org
- 3b3.org
- www.27pay.com
- www.hao-duo.com
- dump.vicp.cc
- 64tianwang.com
- webxue38.3322.org
- 556622.3322.org
- jfg1.3322.org
- df56y.3322.org
- javazhu.3322.org
- 8dfgdsgh.3322.org
- ceewe3w2.cn
- js.tongji.linezing.com
- h65uj.8866.org
- 45hrtt.8866.org
- 8oy4t.8866.org
- www.mjbox.com
- 2wdqwdqw.cn
- www.vbsjs.cn
- cdew32dsw.cn
- qvod.y2y2dfa.cn
- kan31ni.cn
- www.duiguide.us
- gkiot.cn
- www.carloon.cn
- movie.wildmansai.com
- www.7iai.cn
- www.jazzhigh.com
- www.netcode.com
- 6ik76.8866.org
- 76ith.8866.org
- qd334t.8866.org
- u5hjt.8866.org
- vpsvip.com
- x16ake8.6600.org
- www.huimzhe.cn
- www.hostts.cn
- ucqh.6600.org
- qitamove.kmip.net
- news.85580000.com
- guama.9966.org
- dx123.9966.org
- ds355.8866.org
- dnf.17xj.cn
- dasda11d.cn
- d212dddw.cn
- ckt5.cn
- ccfsdee32.cn
- aaa.6sys6.cn
- 9owe2211.cn
- 8man7.3322.org
- 6gerere3e.cn
- 66yttrre.cn
- 45hrtt.8866.org
- tongji520.com
- www.google-cdma.com
See Internet Stom Center blog entry for up-to-date list.
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
