Microsoft Video Control Buffer Overflow

July 7, 2009

The SonicWALL UTM Research team is tracking a new 0-day exploit in the msVidCtl component of Microsoft DirectShow that is being actively exploited in drive-by attacks served from thousands of newly compromised web sites.

Microsoft DirectShow is a multimedia framework and API; it is the replacement for Microsoft's earlier "Video for Windows" technology. DirectShow provides a common interface for media across many programming languages, and is an extensible, filter-based framework that can render or record media files on demand.

Microsoft DirectShow exposes a number of ActiveX controls for developers. The binary code of these ActiveX controls is packaged in the dynamic link library msvidctl.dll. These controls were never intended to be used from web pages; nevertheless, a web page can still force Internet Explorer to load them by referencing their CLSID from an HTML document.

A stack buffer overflow vulnerability exists in the control with ProgID "BDATuner.MPEG2TuneRequest" and CLSID "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", which is hosted by msvidctl.dll. Specifically, the control reads a 4-byte integer at file offset 0x06 of a GIF image and uses it as the Data Size when copying file data into a fixed-size stack buffer, without checking that value against the size of the buffer. Opening a specially crafted GIF file in the ActiveX control therefore overflows the stack buffer, potentially overwriting critical process data such as function return addresses and SEH pointers.
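The unchecked-length copy described above, reduced to its essentials. This is an added illustration, not code from msvidctl.dll: the only detail taken from the text is that a 4-byte size field at offset 0x06 of a GIF-like input drives the copy into a stack buffer; the buffer size (64 bytes), the little-endian byte order, the payload offset and the function names are assumptions. The vulnerable and the hardened version sit side by side so the missing checks are visible.

```c
/* Added illustration of the flaw described above; NOT msvidctl.dll code.
 * Assumed: 64-byte stack buffer, little-endian size field at offset 0x06,
 * payload immediately after the size field. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STREAM_BUF_SIZE   64              /* assumed size of the fixed stack buffer */
#define SIZE_FIELD_OFFSET 0x06            /* offset of the 4-byte Data Size field (from the text) */
#define PAYLOAD_OFFSET    (SIZE_FIELD_OFFSET + 4)

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the attacker-controlled Data Size is trusted as-is, so a
 * large value copies past the end of buf over saved registers, the return
 * address and SEH records. Do not call this with a crafted input. */
int load_unchecked(const uint8_t *file, size_t file_len) {
    uint8_t buf[STREAM_BUF_SIZE];
    if (file_len < PAYLOAD_OFFSET) return -1;
    uint32_t data_size = read_le32(file + SIZE_FIELD_OFFSET);
    memcpy(buf, file + PAYLOAD_OFFSET, data_size);   /* no bound on data_size */
    return (int)buf[0];
}

/* Hardened version: the declared size is bounded by the destination buffer
 * AND by the bytes actually present in the input, so neither a stack write
 * overflow nor an over-read is possible. Returns the byte count copied, or -1
 * when the input is rejected. */
int load_checked(const uint8_t *file, size_t file_len) {
    uint8_t buf[STREAM_BUF_SIZE];
    if (file_len < PAYLOAD_OFFSET) return -1;
    uint32_t data_size = read_le32(file + SIZE_FIELD_OFFSET);
    if (data_size > STREAM_BUF_SIZE) return -1;             /* would overflow buf */
    if (data_size > file_len - PAYLOAD_OFFSET) return -1;   /* would read past the file */
    memcpy(buf, file + PAYLOAD_OFFSET, data_size);
    return (int)data_size;
}

/* Constructs a test input: a GIF89a signature, then the size field at offset
 * 0x06 set to `declared`, then `payload_len` filler bytes. `declared` may
 * deliberately disagree with payload_len. Returns the total length, 0 if the
 * output buffer is too small. */
size_t build_input(uint8_t *out, size_t out_cap, uint32_t declared, size_t payload_len) {
    if (out_cap < PAYLOAD_OFFSET + payload_len) return 0;
    memcpy(out, "GIF89a", 6);
    out[SIZE_FIELD_OFFSET + 0] = (uint8_t)(declared & 0xff);
    out[SIZE_FIELD_OFFSET + 1] = (uint8_t)((declared >> 8) & 0xff);
    out[SIZE_FIELD_OFFSET + 2] = (uint8_t)((declared >> 16) & 0xff);
    out[SIZE_FIELD_OFFSET + 3] = (uint8_t)((declared >> 24) & 0xff);
    memset(out + PAYLOAD_OFFSET, 'A', payload_len);
    return PAYLOAD_OFFSET + payload_len;
}

int main(void) {
    uint8_t file[4096];
    size_t n = build_input(file, sizeof file, 32, 32);           /* honest size */
    printf("benign input:    %d\n", load_checked(file, n));
    n = build_input(file, sizeof file, 0x7fffffffu, 2048);       /* crafted size */
    printf("oversized input: %d\n", load_checked(file, n));
    return 0;
}
```

The second check matters even once the first is in place: a Data Size that fits the buffer but exceeds the remaining file length still turns the copy into an out-of-bounds read, which is how an unchecked parser leaks adjacent memory instead of corrupting it.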

Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted web page. Successful exploitation leads to arbitrary code execution in the security context of the logged-in user; a failed attempt terminates the browser, resulting in a Denial of Service condition. The other CLSIDs and ProgIDs hosted by msvidctl.dll might be vulnerable as well.

SonicWALL has released several GAV and IPS signatures to detect and prevent specific exploitation attempts targeting this vulnerability. The signatures are listed below:

GAV:

  • 37926 - DirectShow_Msvidctl (Exploit)


IPS:

  • 3015 - MS Video (msvidctl.dll) ActiveX Control Instantiation 1
  • 3016 - MS Video (msvidctl.dll) ActiveX Control Instantiation 2
  • 3017 - MS Video (msvidctl.dll) ActiveX Control Instantiation 3
  • 3018 - MS Video (msvidctl.dll) ActiveX Control Instantiation 4
  • 3020 - MS Video (msvidctl.dll) ActiveX Control Instantiation 5
  • 3031 - MS Video (msvidctl.dll) ActiveX Control Instantiation 6
  • 3032 - MS Video (msvidctl.dll) ActiveX Control Instantiation 7
  • 3034 - MS Video (msvidctl.dll) ActiveX Control Instantiation 8
  • 3035 - MS Video (msvidctl.dll) ActiveX Control Instantiation 9
  • 3036 - MS Video (msvidctl.dll) ActiveX Control Instantiation 10
  • 3038 - MS Video (msvidctl.dll) ActiveX Control Instantiation 11
  • 3047 - MS Video (msvidctl.dll) ActiveX Control Instantiation 12
  • 3053 - MS Video (msvidctl.dll) ActiveX Control Instantiation 13
  • 3055 - MS Video (msvidctl.dll) ActiveX Control Instantiation 14
  • 3056 - MS Video (msvidctl.dll) ActiveX Control Instantiation 15
  • 3060 - MS Video (msvidctl.dll) ActiveX Control Instantiation 16
  • 3061 - MS Video (msvidctl.dll) ActiveX Control Instantiation 17
  • 3062 - MS Video (msvidctl.dll) ActiveX Control Instantiation 18
  • 3063 - MS Video (msvidctl.dll) ActiveX Control Instantiation 19
  • 3064 - MS Video (msvidctl.dll) ActiveX Control Instantiation 20
  • 3065 - MS Video (msvidctl.dll) ActiveX Control Instantiation 21
  • 3068 - MS Video (msvidctl.dll) ActiveX Control Instantiation 22
  • 3074 - MS Video (msvidctl.dll) ActiveX Control Instantiation 23

Some of the domains that are exploiting the new IE 0-day, as well as secondary domains hosting potentially malicious binaries used in these attacks, are listed below. DO NOT VISIT THEM!

  • vip762.3322.org
  • 3b3.org
  • www.27pay.com
  • www.hao-duo.com
  • dump.vicp.cc
  • 64tianwang.com
  • webxue38.3322.org
  • 556622.3322.org
  • jfg1.3322.org
  • df56y.3322.org
  • javazhu.3322.org
  • 8dfgdsgh.3322.org
  • ceewe3w2.cn
  • js.tongji.linezing.com
  • h65uj.8866.org
  • 45hrtt.8866.org
  • 8oy4t.8866.org
  • www.mjbox.com
  • 2wdqwdqw.cn
  • www.vbsjs.cn
  • cdew32dsw.cn
  • qvod.y2y2dfa.cn
  • kan31ni.cn
  • www.duiguide.us
  • gkiot.cn
  • www.carloon.cn
  • movie.wildmansai.com
  • www.7iai.cn
  • www.jazzhigh.com
  • www.netcode.com
  • 6ik76.8866.org
  • 76ith.8866.org
  • qd334t.8866.org
  • u5hjt.8866.org
  • vpsvip.com
  • x16ake8.6600.org
  • www.huimzhe.cn
  • www.hostts.cn
  • ucqh.6600.org
  • qitamove.kmip.net
  • news.85580000.com
  • guama.9966.org
  • dx123.9966.org
  • ds355.8866.org
  • dnf.17xj.cn
  • dasda11d.cn
  • d212dddw.cn
  • ckt5.cn
  • ccfsdee32.cn
  • aaa.6sys6.cn
  • 9owe2211.cn
  • 8man7.3322.org
  • 6gerere3e.cn
  • 66yttrre.cn
  • tongji520.com
  • www.google-cdma.com

See the Internet Storm Center blog entry for an up-to-date list.