navigation bar left navigation bar right

Secunia CSI7
navigation left tab About us navigation right tab
navigation left tab Careers navigation right tab
navigation left tab Memberships navigation right tab
navigation left tab Newsroom navigation right tab
navigation left tab Contact us navigation right tab

Monthly Binary Analysis Update (June)

Get this blog as an RSS Feed
It's again that time of the month where I have to write a terribly interesting blog about the most important vulnerabilities reported last month and analysed by the Secunia Binary Analysis team.
13:53 CET on the 14th July 2009
Entry written by Carsten Eiram.

It's again that time of the month where I have to write a terribly interesting blog about the most important vulnerabilities reported last month and analysed by the Secunia Binary Analysis team.

In June, the Secunia Binary Analysis team issued 29 BAs and the following are some of the most interesting:

VLC Media Player SMB Input Module Buffer Overflow (SA35558)
VLC is a open source media player that is getting more and more popular. While looking over the GIT changelogs, a Secunia security specialist noticed a brief, but interesting, entry in the GIT changelog: "Fix a segfault (buffer overflow for win32 only)".

After having analysed the change, it was clear that this was not just some boring client application crash, but a stack-based buffer overflow vulnerability with code execution potential. After quickly publishing an advisory, it was passed to the BA team for analysis where it was analysed and documented in depth.

The vulnerability is straight-forward to exploit in a reliable manner by supplying an overly long "smb://" URI e.g. in a playlist file.

Microsoft DirectShow QuickTime Content Parsing Vulnerability (SA35268 / CVE-2009-1537)
What's a good BA month without a 0-day vulnerability?

This month, it was delivered by Microsoft's DirectShow run-time (quartz.dll), which implements support for various formats, including QuickTime content. An error in the parsing of said format allows writing a single NULL-byte to an arbitrary memory location. This is sufficient to allow arbitrary code execution if a user e.g. opens an AVI file containing QuickTime content via Windows Media Player.

In Microsoft's security bulletin advance notification for July, it is mentioned that a DirectX vulnerability will be fixed. Hopefully, that security bulletin will cover this vulnerability. In the meantime, the vulnerability remains unpatched so it's important that security vendors and companies developing their own IDS/IPS signatures have some solid detection mechanisms in place.

Windows Print Spooler Data Structure Parsing Vulnerability (SA35365 / CVE-2009-0228)
One of the many vulnerabilities fixed by Microsoft this month was in the Windows Print Spooler service, which is responsible for handling RPC requests sent to the Windows spool subsystem. The vulnerability is caused by a boundary error when processing certain RPC requests and can be exploited to cause a stack-based buffer overflow, allowing execution of arbitrary code.

The vulnerability is especially critical for Windows 2000 systems as the Print Spooler Service is listed in the "NullSessionPipes" registry key. This allows anonymous connections to the service, which means that the vulnerability can be exploited without any authentication and user interaction (i.e. wormable).

Customers can find information in the BA on how to create a solid detection rule. A reliable, working exploit for the vulnerability is also provided for testing purposes.

Multiple vulnerabilities were also analysed in Microsoft Excel, Apple QuickTime, and Adobe Reader/Acrobat this month, but these won't be covered here. Our Binary Analysis page has a bit more information and customers with access to our Secunia Binary Analysis web-interface can naturally obtain more information there.

That wraps it up for this month.

Stay secure,

Carsten Eiram,
Chief Security Specialist

Discuss this blog entry
A new thread in our forum is created. Activate the thread by commenting/discussing below.
Subject: Monthly Binary Analysis Update (June)
No posts yet


You must be logged in to post a comment.

 Products Solutions Customers Partner Resources Company
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
Technology Partners
 About us

Secunia is a member of FIRST Secunia is a member of EDUcause Secunia is a member of The Open Group Secunia is a member of FS-ISAC
Secunia © 2002-2015 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer
follow Secunia on Facebook follow Secunia on Twitter follow Secunia on LinkedIn follow Secunia on YouTube follow Secunia Xing follow Secunias RSS feed follow Secunia on Google+