Cloth Baidu video remote code execution vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201131364
Type myhack58
Reporter 佚名
Modified 2011-07-28T00:00:00


Baidu video is a good Media Player software, which in many detail aspects of the process of humanization, however, the developers release the software, not the software used in a special library file to eliminate, resulting in the Baidu video player can take the opportunity to realize the remote execution of arbitrary code.

The library file name“log.dll”that speculation should be with the debugging nature of the logging interface, the file with any format of media file placed in the same directory, when the users use Baidu video to play Media Files,“log.dll”the file will be loaded simultaneously, if the file for the malicious attacker to develop, then it will directly cause the user's system is under attack. To this end, a malicious attacker can exploit this vulnerability, a remote share with“log.dll”and the Media Files folder, and convince a user to visit, and ultimately achieve a remote invasion of the user system.

Repair method:

Code reject the law or the local setting method

Finally, Baidu official reply is: thanks for the submission. Developer feedback is not so serious. We repair as soon as possible.