Microsoft Windows Cinepak Codec code execution (AVI_Cinepak_Codec_Exec)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects AVI/RIFF files with specially crafted Cinepak movie data that can allow remote code execution.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Network IPS: XPU 30.080, Proventia Desktop: 2550, RealSecure Server Sensor: XPU 30.080, RealSecure Network: XPU 30.080, Proventia Network IDS: XPU 30.080, Proventia-G 1.1 and earlier: XPU 30.080, Proventia Network MFS: XPU 30.080, IBM Security Server Protection for Windows: 2.1.14.2550, Proventia Server IPS for Linux technology: 30.080, Virtual Server Protection for Vmware: XPU 30.080

Systems affected

Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows 7: x64, Microsoft Windows 7: x32

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of format files by Cinepak Codec. By persuading a victim to open a specially-crafted media file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS10-055. See References.

References

Microsoft Security Bulletin MS10-055
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
http://www.microsoft.com/technet/security/bulletin/ms10-055.mspx

IBM Internet Security Systems Protection Alert
Microsoft Windows Cinepak Codec Remote Code Execution
http://www.iss.net/threats/375.html

ZDI-10-148
Microsoft Cinepak Codec CVDecompress Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-148/

Offensive Security Exploit Database [09-26-2010]
MOAUB #26 - Microsoft Cinepak Codec CVDecompress Heap Overflow
http://www.exploit-db.com/exploits/15112/

Offensive Security Exploit Database [09-27-2010]
MOAUB #27 - Microsoft Internet Explorer MSHTML Findtext Processing Issue
http://www.exploit-db.com/exploits/15122/

ISS X-Force
Microsoft Windows Cinepak Codec code execution
http://www.iss.net/security_center/static/60687.php

CVE
CVE-2010-2553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2553