The 3ivx high performance MPEG-4 audio/video codec (MP4) for Microsoft Windows is vulnerable to stack overflow, with shellcode proof of concept published by SYS 49152 (a C64 nostalgic like me, undoubtedly).
Surely affected versions are 4.5.1, quite widespread, and the latest 5.0.1.

The most likely exploitation scenario involves user downloading a movie clip in MP4 format from an untrusted source (did you say p0rn?) and consuming it through a media player which relies on the 3ivx codec (the PoC above exploits Media Player Classic, for instance).
Notice that the file name extension doesn’t need to be “.mp4″, as mp4 streams can be wrapped inside container formats such as ASF or AVI.
Of course, if the vulnerable media player installed also its own browser plugin, you can be owned instantly just stumbling upon an untrusted web page, unless you already took proper countermeasures.

How to protect yourself

  1. Open your Windows Control Panel.
  2. Select Add or Remove Programs.
  3. Locate the 3ivx D4 entry, select it and click the Remove button.
  4. Optionally, if you couldn’t locate any 3ivx D4 item, check if you’ve got
    3ivx.dll

    and/or

    3ivxVfWCode.dll

    in your

    %WinDir%\System32\

    folder; if you can find these files, delete or rename them.

If you still need to play MP4 files and you find your system can’t do it anymore, you may want to install the excellent open source VLC Media Player, which uses a different codec.

Slop… er… happy surfing ;)

3 Responses to “Pornowned! (3ivx MP4 Codec Stack Overflow)”

  1. #1 SYS 49152 says:

    hi
    I’m SYS 49152

    wtf I didn’t notice that changing the extension still works ..
    :)

  2. #2 MadMen says:

    A better way to protect yourself in 3 steps:

    1º Format pc

    2º Install Linux! ( or mac)

    3º Start using a real OS

  3. #3 WYSIRWYGOAGD says:

    WYSIRWYGOAGD, What you see is roughly what you’ll get, on a good day.

    The stupid lamers who are doing this will reap what they sow someday, we don’t forget.
    My answer to this thread is to use ” Ubuntu”.

Bad Behavior has blocked 35729 access attempts in the last 7 days.