ID FFDSHOW_REMOTE_BUFFER_OVERFLOW.NASL Type nessus Reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
ffdshow, a DirectShow filter and VFW codec for multiple audio and
video formats, is installed on the remote host.
ffdshow is available as a standalone package but is typically bundled
with third-party codec software such as K-lite Codec Pack, XP Codec
Pack, Vista Codec Package and Codec Pack All-in-one.
The installed version fails to perform sufficient boundary checks
while processing very long URLs. By tricking a user into clicking on a
specially crafted stream, it may be possible to execute arbitrary code
on the remote system subject to the user's privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when the engine loads the plugin with 'description' set,
# only the metadata below is recorded and the script exits before any check runs.
if (description)
{
# Plugin identity and revision.
script_id(34969);
script_version("1.13");
script_cvs_date("Date: 2018/11/15 20:50:26");
# External references for the flaw this plugin detects.
script_cve_id("CVE-2008-5381");
script_bugtraq_id(32438);
script_xref(name:"Secunia", value:"32846");
script_name(english:"Ffdshow < rev2347_20081123 Remote Buffer Overflow");
script_summary(english:"Checks version of ffdshow.ax");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by a
remote buffer overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"ffdshow, a DirectShow filter and VFW codec for multiple audio and
video formats, is installed on the remote host.
ffdshow is available as a standalone package but is typically bundled
with third-party codec software such as K-lite Codec Pack, XP Codec
Pack, Vista Codec Package and Codec Pack All-in-one.
The installed version fails to perform sufficient boundary checks
while processing very long URLs. By tricking a user into clicking on a
specially crafted stream, it may be possible to execute arbitrary code
on the remote system subject to the user's privileges.");
# http://web.archive.org/web/20081222053727/http://security.bkis.vn/?p=277
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce9f055b");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Nov/540" );
script_set_attribute(attribute:"solution", value:"Upgrade to ffdshow rev2347_20081123 or later.");
# Severity: network vector, user interaction needed, full C/I/A impact (CVSS2 9.3).
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
# CWE-119: improper restriction of operations within the bounds of a memory buffer.
script_cwe_id(119);
script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/26");
# "local" plugin: it inspects the host over SMB rather than probing a network service.
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
# The check relies on the registry enumeration cached by smb_hotfixes.nasl
# (the SMB/Registry/Enumerated key is tested again before any work is done).
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
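include("global_settings.inc");
include("smb_func.inc");
include("audit.inc");

# Detection logic: locate ffdshow.ax via the registry, read its file version
# over SMB and report when it predates the fixed build.
# Nothing below runs unless smb_hotfixes.nasl has already enumerated the registry.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

# Figure out where the installer recorded information about it: scan the cached
# Uninstall DisplayName values for an ffdshow entry and turn that KB key back into
# the registry path of the Uninstall subkey (KB names use "/", RegOpenKey needs "\").
list = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
if (isnull(list)) exit(0);

installstring = NULL;
foreach name (keys(list))
{
  prod = list[name];
  if (prod && "ffdshow" >< prod)
  {
    installstring = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(SOFTWARE\/Microsoft\/Windows\/CurrentVersion\/Uninstall\/.+)\/DisplayName$", replace:"\1", string:name);
    installstring = str_replace(find:"/", replace:"\", string:installstring);
    break;
  }
}

# SMB credentials and transport for the remote registry / file reads.
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(0);
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}

disp_name = NULL;
path = NULL;

# First look at the CLSID.
# NOTE(review): the trailing "1" in "InprocServer321" looks like a typo for the
# standard COM "InprocServer32" subkey; if so, this lookup never matches and
# detection silently depends on the Uninstall key below. Confirm on a host with
# ffdshow registered before changing the string.
key = "SOFTWARE\Classes\CLSID\{007FC171-01AA-4B3A-B2DB-062DEE815A1E}\InprocServer321";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  # The key's default value is read; it is used as the path to the component.
  value = RegQueryValue(handle:key_h, item:NULL);
  if (!isnull(value)) path = value[1];
  RegCloseKey(handle:key_h);
}

# If we don't find it, look at uninstall keys. Skipped when no ffdshow Uninstall
# entry was found above, so RegOpenKey is never handed a NULL key name.
if (isnull(path) && !isnull(installstring))
{
  key_h = RegOpenKey(handle:hklm, key:installstring, mode:MAXIMUM_ALLOWED);
  if (!isnull(key_h))
  {
    item = RegQueryValue(handle:key_h, item:"InstallLocation");
    if (!isnull(item)) path = item[1];

    # DisplayName is only used to make the report more specific.
    item = RegQueryValue(handle:key_h, item:"DisplayName");
    if (!isnull(item)) disp_name = item[1];

    RegCloseKey(handle:key_h);
  }
}

RegCloseKey(handle:hklm);

if (!path)
{
  NetUseDel();
  exit(0);
}

# Split the drive letter off into an administrative share name ("X$") and a
# share-relative path to ffdshow.ax; 'path' may already name the file or only
# its directory.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
if ("ffdshow.ax" >< path)
  ax = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:path);
else
  ax = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\ffdshow.ax", string:path);

# Switch from IPC$ to the drive share without tearing down the SMB session.
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  exit(0);
}

fh = CreateFile(
  file:ax,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING);

ver = NULL;
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();

# No readable ffdshow.ax means nothing to compare against.
if (isnull(ver)) exit(0);

# Compare the file version with the first fixed build component by component:
# the first differing component decides, equal components keep going.
for (i = 0; i < max_index(ver); i++)
  ver[i] = int(ver[i]);

fix = split("1.0.5.2338", sep:'.', keep:FALSE);
for (i = 0; i < max_index(fix); i++)
  fix[i] = int(fix[i]);

# Compare only as many components as both arrays hold, so a file version with
# more than four parts cannot index past the end of 'fix'.
ncomp = max_index(ver);
if (max_index(fix) < ncomp) ncomp = max_index(fix);

for (i = 0; i < ncomp; i++)
{
  if (ver[i] < fix[i])
  {
    # With verbose reporting, name the installed revision when the DisplayName
    # has the "ffdshow [rev NNNN] [YYYY-MM-DD]" form; otherwise report plainly.
    if (report_verbosity && !isnull(disp_name) && ereg(pattern:"^ffdshow \[rev [0-9]+\] \[[0-9]+\-[0-9]+\-[0-9]+\]$", string:disp_name))
    {
      v = eregmatch(pattern:"^ffdshow \[rev ([0-9]+)\] \[([0-9]+)\-([0-9]+)\-([0-9]+)\]$", string:disp_name);
      disp_name = string("ffdshow rev", v[1], "_", v[2], v[3], v[4]);
      report = string(
        "\n",
        disp_name, " is installed on the remote host.\n"
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    break;
  }
  else if (ver[i] > fix[i]) break;
}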
{"id": "FFDSHOW_REMOTE_BUFFER_OVERFLOW.NASL", "bulletinFamily": "scanner", "title": "Ffdshow < rev2347_20081123 Remote Buffer Overflow", "description": "ffdshow, a DirectShow filter and VFW codec for multiple audio and\nvideo formats, is installed on the remote host.\n\nffdshow is available as a standalone package but is typically bundled\nwith third-party codec software such as K-lite Codec Pack, XP Codec\nPack, Vista Codec Package and Codec Pack All-in-one.\n\nThe installed version fails to perform sufficient boundary checks\nwhile processing very long URLs. By tricking a user into clicking on a\nspecially crafted stream, it may be possible to execute arbitrary code\non the remote system subject to the user's privileges.", "published": "2008-11-26T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/34969", "reporter": "This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.", "references": ["http://www.nessus.org/u?ce9f055b", "https://seclists.org/fulldisclosure/2008/Nov/540"], "cvelist": ["CVE-2008-5381"], "type": "nessus", "lastseen": "2021-01-01T02:33:26", "edition": 24, "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-5381"]}, {"type": "saint", "idList": ["SAINT:C1C1F2A4EC78FAFEF3334684366E61EE", "SAINT:BF29AC1232D818A97F84B3840B4E6BAF", "SAINT:0071D347B925ADB78BCA421D0BD297FF"]}], "modified": "2021-01-01T02:33:26", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-01-01T02:33:26", "rev": 2}, "vulnersScore": 7.7}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34969);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2008-5381\");\n script_bugtraq_id(32438);\n script_xref(name:\"Secunia\", value:\"32846\");\n\n script_name(english:\"Ffdshow < 
rev2347_20081123 Remote Buffer Overflow\");\n script_summary(english:\"Checks version of ffdshow.ax\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by a\nremote buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"ffdshow, a DirectShow filter and VFW codec for multiple audio and\nvideo formats, is installed on the remote host.\n\nffdshow is available as a standalone package but is typically bundled\nwith third-party codec software such as K-lite Codec Pack, XP Codec\nPack, Vista Codec Package and Codec Pack All-in-one.\n\nThe installed version fails to perform sufficient boundary checks\nwhile processing very long URLs. By tricking a user into clicking on a\nspecially crafted stream, it may be possible to execute arbitrary code\non the remote system subject to the user's privileges.\");\n # http://web.archive.org/web/20081222053727/http://security.bkis.vn/?p=277\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ce9f055b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2008/Nov/540\" );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ffdshow rev2347_20081123 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/11/26\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is 
Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n# Figure out where the installer recorded information about it.\n\nlist = get_kb_list(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName\");\nif (isnull(list)) exit(0);\n\ninstallstring = NULL;\nforeach name (keys(list))\n{\n prod = list[name];\n if (prod && \"ffdshow\" >< prod)\n {\n installstring = ereg_replace(pattern:\"^SMB\\/Registry\\/HKLM\\/(SOFTWARE\\/Microsoft\\/Windows\\/CurrentVersion\\/Uninstall\\/.+)\\/DisplayName$\", replace:\"\\1\", string:name);\n installstring = str_replace(find:\"/\", replace:\"\\\", string:installstring);\n break;\n }\n}\n\n# Get the install path\n\nname = kb_smb_name();\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n#if (!get_port_state(port)) exit(0);\n\n#soc = open_sock_tcp(port);\n#if (!soc) exit(0);\n\n#session_init(socket:soc, hostname:name);\nif (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(0);\n}\n\ndisp_name = NULL;\npath = NULL;\n\n# First look at the CLSID.\nkey = \"SOFTWARE\\Classes\\CLSID\\{007FC171-01AA-4B3A-B2DB-062DEE815A1E}\\InprocServer321\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:NULL);\n if (!isnull(value)) path = value[1];\n\n RegCloseKey(handle:key_h);\n}\n\nif(isnull(path))\n{\n # If we don't find it, look at uninstall 
keys.\n\n key = installstring;\n\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n # If ffdshow is installed...\n item = RegQueryValue(handle:key_h, item:\"InstallLocation\");\n if (!isnull(item))\n path = item[1];\n\n item = RegQueryValue(handle:key_h, item:\"DisplayName\");\n if (!isnull(item))\n disp_name = item[1];\n\n RegCloseKey(handle:key_h);\n }\n}\n\nRegCloseKey(handle:hklm);\n\nif (!path)\n{\n NetUseDel();\n exit(0);\n}\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n\nif(\"ffdshow.ax\" >< path)\nax = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\", string:path);\nelse\nax = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\ffdshow.ax\", string:path);\n\nNetUseDel(close:FALSE);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\nfh = CreateFile(file:ax,\n\tdesired_access:GENERIC_READ,\n\tfile_attributes:FILE_ATTRIBUTE_NORMAL,\n\tshare_mode:FILE_SHARE_READ,\n\tcreate_disposition:OPEN_EXISTING);\n\nver = NULL;\nif (!isnull(fh))\n{\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\n\nNetUseDel();\n\nif (!isnull(ver))\n{\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fix = split(\"1.0.5.2338\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver); i++)\n if ((ver[i] < fix[i]))\n {\n if (report_verbosity && ereg(pattern:\"^ffdshow \\[rev [0-9]+\\] \\[[0-9]+\\-[0-9]+\\-[0-9]+\\]$\",string:disp_name))\n {\n v = eregmatch(pattern:\"^ffdshow \\[rev ([0-9]+)\\] \\[([0-9]+)\\-([0-9]+)\\-([0-9]+)\\]$\",string:disp_name);\n disp_name = string(\"ffdshow rev\",v[1],\"_\",v[2],v[3],v[4]);\n\n report = string(\n \"\\n\",\n disp_name, \" is installed on the remote host.\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n", "naslFamily": 
"Windows", "pluginID": "34969", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:51:04", "description": "Buffer overflow in the URL processing in ffdshow (aka ffdshow-tryout) before SVN revision 2347 allows remote attackers to execute arbitrary code via a long URL.", "edition": 3, "cvss3": {}, "published": "2008-12-09T00:30:00", "title": "CVE-2008-5381", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-5381"], "modified": "2018-10-11T20:55:00", "cpe": ["cpe:/a:ffdshow-tryout:ffdshow:*"], "id": "CVE-2008-5381", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5381", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ffdshow-tryout:ffdshow:*:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-5381"], "description": "Added: 03/25/2009 \nCVE: [CVE-2008-5381](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5381>) \nBID: [32438](<http://www.securityfocus.com/bid/32438>) \nOSVDB: [50064](<http://www.osvdb.org/50064>) \n\n\n### Background\n\n[ffdshow tryouts](<http://ffdshow-tryout.sourceforge.net/>) (also known just as ffdshow) is an audio and video decoder for Windows. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a media stream with a long, specially crafted URL link. \n\n### Resolution\n\n[Upgrade](<http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904>) to the latest version of ffdshow. 
\n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2008-11/0182.html> \n\n\n### Limitations\n\nExploit works on ffdshow rev2322 and requires a user to load the exploit page in a web browser. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2009-03-25T00:00:00", "published": "2009-03-25T00:00:00", "id": "SAINT:0071D347B925ADB78BCA421D0BD297FF", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ffdshow_url", "title": "ffdshow URL link buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:48", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-5381"], "edition": 2, "description": "Added: 03/25/2009 \nCVE: [CVE-2008-5381](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5381>) \nBID: [32438](<http://www.securityfocus.com/bid/32438>) \nOSVDB: [50064](<http://www.osvdb.org/50064>) \n\n\n### Background\n\n[ffdshow tryouts](<http://ffdshow-tryout.sourceforge.net/>) (also known just as ffdshow) is an audio and video decoder for Windows. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a media stream with a long, specially crafted URL link. \n\n### Resolution\n\n[Upgrade](<http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904>) to the latest version of ffdshow. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2008-11/0182.html> \n\n\n### Limitations\n\nExploit works on ffdshow rev2322 and requires a user to load the exploit page in a web browser. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2009-03-25T00:00:00", "published": "2009-03-25T00:00:00", "id": "SAINT:BF29AC1232D818A97F84B3840B4E6BAF", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ffdshow_url", "type": "saint", "title": "ffdshow URL link buffer overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-5381"], "description": "Added: 03/25/2009 \nCVE: [CVE-2008-5381](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5381>) \nBID: [32438](<http://www.securityfocus.com/bid/32438>) \nOSVDB: [50064](<http://www.osvdb.org/50064>) \n\n\n### Background\n\n[ffdshow tryouts](<http://ffdshow-tryout.sourceforge.net/>) (also known just as ffdshow) is an audio and video decoder for Windows. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a media stream with a long, specially crafted URL link. \n\n### Resolution\n\n[Upgrade](<http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904>) to the latest version of ffdshow. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2008-11/0182.html> \n\n\n### Limitations\n\nExploit works on ffdshow rev2322 and requires a user to load the exploit page in a web browser. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2009-03-25T00:00:00", "published": "2009-03-25T00:00:00", "id": "SAINT:C1C1F2A4EC78FAFEF3334684366E61EE", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ffdshow_url", "type": "saint", "title": "ffdshow URL link buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}