Archive for December 9th, 2007

The 3ivx high performance MPEG-4 audio/video codec (MP4) for Microsoft Windows is vulnerable to stack overflow, with shellcode proof of concept published by SYS 49152 (a C64 nostalgic like me, undoubtedly).
Surely affected versions are 4.5.1, quite widespread, and the latest 5.0.1.

The most likely exploitation scenario involves user downloading a movie clip in MP4 format from an untrusted source (did you say p0rn?) and consuming it through a media player which relies on the 3ivx codec (the PoC above exploits Media Player Classic, for instance).
Notice that the file name extension doesn't need to be ".mp4", as mp4 streams can be wrapped inside container formats such as ASF or AVI.
Of course, if the vulnerable media player installed also its own browser plugin, you can be owned instantly just stumbling upon an untrusted web page, unless you already took proper countermeasures.

How to protect yourself

  1. Open your Windows Control Panel.
  2. Select Add or Remove Programs.
  3. Locate the 3ivx D4 entry, select it and click the Remove button.
  4. Optionally, if you couldn't locate any 3ivx D4 item, check if you've got
    3ivx.dll

    and/or

    3ivxVfWCode.dll

    in your

    %WinDir%\System32\

    folder; if you can find these files, delete or rename them.

If you still need to play MP4 files and you find your system can't do it anymore, you may want to install the excellent open source VLC Media Player, which uses a different codec.

Slop... er... happy surfing ;)

Bad Behavior has blocked 2239 access attempts in the last 7 days.