67551 : Microsoft Windows Indeo Codec (ac25_32.ax) Path Subversion Arbitrary DLL Injection Code Execution
Printer | http://osvdb.org/67551 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
27	1403	over 2 years ago	10 months ago	14 times	100%

Timeline

Disclosure Date
2010-08-25

Description

The Indeo codec (ac25_32.ax) which is used in multiple media players, such as BS.Player and Media Player Classic, is prone to a flaw in the way it loads dynamic-link libraries (e.g., iacenc.dll). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done by tricking a user into opening a .mka, .ra or .ram file from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source.

Classification

Location: Local / Remote
Attack Type: Other
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

Microsoft Corporation	Windows XP	SP3
Microsoft Corporation	iac25_32.ax	2.0.5.53

Gabest

Media Player Classic

6.4.9.1

AB Team Ltd.

BS.Player

Unspecified

References

Security Tracker: 1026683
Exploit Database: 14765 14788
CVE ID: 2010-3138 (see also: NVD)
Microsoft Knowledge Base Article: 2264107
Secunia Advisory ID: 41114
Bugtraq ID: 42730
Related OSVDB ID: 67588
OVAL ID: 7132
VUPEN Advisory: ADV-2010-2190
Vendor Specific News/Changelog Entry: http://blogs.technet.com/b/msrc/archive/2010/08/31/update-on-security-advisory-2269673.aspx
Other Advisory URL: http://securityreason.com/exploitalert/8772
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4956.php
Vendor Specific Advisory URL: http://www.microsoft.com/technet/security/advisory/2269637.mspx
Packet Storm: http://www.packetstormsecurity.org/filedesc/mplayerc_dll.txt.html
News Article: http://www.scmagazineus.com/dll-hijacking-issue-prompts-microsoft-advisory-tool/article/177419/
http://www.scmagazineus.com/microsoft-releases-new-tool-to-defend-against-dll-attack/article/178065/
http://www.theregister.co.uk/2010/08/20/windows_code_execution_vuln/
http://www.theregister.co.uk/2010/08/24/windows_dll_casualties/

Credit

Gjoko Krstic - Zero Science Lab

CVSSv2 Score

CVSSv2 Base Score = 9.3
Source: nvd.nist.gov | Generated: 2010-08-30 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.