application movie file buffer overflow (Codec_Range_Error)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This signature detects an out-of-range value in a video codec data stream that could cause vulnerable applications to crash. A remote attacker could exploit this vulnerability with a specially crafted file that contains code to be executed on the victim's computer.


False positives

Proventia Desktop, Proventia Network IPS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: Precisely identifying an exploit would require the intrusion detection device to render the video data stream in real time. Instead, an inclusive algorithm is in place that will catch exploits but will occasionally trigger on harmless data patterns within the video stream.

Default risk level

High

Sensors that have this signature

Proventia Desktop: 2390, Proventia Network IPS: XPU 29.050, IBM Security Server Protection for Windows: 2.0.300.2390, IBM Security Server Protection for Windows: 1.0.914.2390, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 29.050, Proventia-G 1.1 and earlier: XPU 29.050, Proventia Network MFS: XPU 29.050, RealSecure Network: XPU 29.050, RealSecure Server Sensor: XPU 29.050, Proventia Server IPS for Linux technology: 29.050, Virtual Server Protection for VMware: 1.0

Systems affected

IBM AIX, WindRiver BSDOS, Linux Kernel, Sun Solaris, Microsoft Windows, Data General DG/UX, SCO SCO Unix, Compaq Tru64, Xvid Xvid: 1.1.2, Xvid Xvid: 1.1.3, Xvid Xvid: 1.2.1

Type

Unauthorized Access Attempt

Vulnerability description

Xvid is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the decoder_iframe(), decoder_pframe(), and decoder_bframe() functions in the video compression codec. By persuading a victim to open a specially crafted movie file containing macroblock values, a remote attacker could overflow a buffer to corrupt memory and execute arbitrary code on the system.
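
The kind of bounds check whose absence is described above, shown as an added illustration that is not taken from Xvid's source: a macroblock number read from the file is checked against the frame's macroblock count before it indexes a heap buffer. The structure `frame_t`, the functions `frame_init` and `decode_mbs`, and the sample values in `main` are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified frame state; not Xvid's real structures. */
typedef struct {
    uint32_t mb_width;   /* macroblocks per row */
    uint32_t mb_height;  /* macroblock rows */
    uint8_t *mbs;        /* heap array, one byte of state per macroblock */
} frame_t;

/* Allocate per-macroblock state; reject zero or overflowing dimensions. */
int frame_init(frame_t *f, uint32_t mb_width, uint32_t mb_height)
{
    if (mb_width == 0 || mb_height == 0 || mb_width > SIZE_MAX / mb_height)
        return -1;
    f->mbs = calloc((size_t)mb_width * mb_height, 1);
    if (f->mbs == NULL)
        return -1;
    f->mb_width = mb_width;
    f->mb_height = mb_height;
    return 0;
}

/* Store values at macroblock numbers taken from an untrusted stream.
 * Returns n on success, or -1 at the first out-of-range number
 * (entries before it have already been written). */
long decode_mbs(frame_t *f, const uint32_t *mbnums, const uint8_t *vals, size_t n)
{
    size_t total = (size_t)f->mb_width * f->mb_height;
    for (size_t i = 0; i < n; i++) {
        if (mbnums[i] >= total)      /* range check before the heap write */
            return -1;
        f->mbs[mbnums[i]] = vals[i];
    }
    return (long)n;
}

int main(void)
{
    frame_t f;
    uint32_t nums[] = {0, 5, 12};    /* constructed input: 12 is out of range for 4x3 */
    uint8_t vals[] = {1, 2, 3};
    if (frame_init(&f, 4, 3) != 0)
        return 1;
    printf("decode_mbs returned %ld\n", decode_mbs(&f, nums, vals, 3));
    free(f.mbs);
    return 0;
}
```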

How to remove this vulnerability

Upgrade to the latest version of Xvid (1.2.2 or later), available from the Xvid Web site. See References.

References

Xvid Web site
Xvid.org: Xvid 1.2.2 released
http://www.xvid.org/News.64.0.html?&cHash=0170b4e439&tx_ttnews[backPid]=64&tx_ttnews[tt_news]=7

Xvid CVS Repository
Diff of /xvidcore/src/decoder.c
http://cvs.xvid.org/cvs/viewvc.cgi/xvidcore/src/decoder.c?r1=1.80&r2=1.81

ISS X-Force
application movie file buffer overflow
http://www.iss.net/security_center/static/44654.php

CVE
CVE-2009-0893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0893