Vulnerabilities > CVE-2009-1537 - Remote Code Execution vulnerability in Microsoft DirectX DirectShow QuickTime Video

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

critical

nessus

NVD

Published: 2009-05-29

Updated: 2018-10-12

Summary

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability." Per: http://www.microsoft.com/technet/security/advisory/971778.mspx "Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Directx 7.0 Microsoft Directx 7.0A Microsoft Directx 7.1 Microsoft Directx 8.1 Microsoft Directx 8.1B Microsoft Directx 9.0 Microsoft Directx 9.0A Microsoft Directx 9.0B Microsoft Directx 9.0C	9
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows 2003 Server * Microsoft Windows Server 2003 * Microsoft Windows XP *	8

Msbulletin

bulletin_id	MS09-028
bulletin_url
date	2009-07-14T00:00:00
impact	Remote Code Execution
knowledgebase_id	971633
knowledgebase_url
severity	Critical
title	Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-028.NASL
description	The DirectShow component included with the version of Microsoft DirectX installed on the remote host is affected by multiple vulnerabilities that may allow execution of arbitrary code when processing a specially crafted QuickTime media file.
last seen	2020-06-01
modified	2020-06-02
plugin id	39791
published	2009-07-14
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/39791
title	MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(39791); script_version("1.25"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-1537", "CVE-2009-1538", "CVE-2009-1539"); script_bugtraq_id(35139, 35600, 35616); script_xref(name:"MSFT", value:"MS09-028"); script_xref(name:"MSKB", value:"971633"); script_name(english:"MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)"); script_summary(english:"Checks version of Quartz.dll"); script_set_attribute(attribute:"synopsis", value: "It is possible to execute arbitrary code on the remote Windows host using DirectX."); script_set_attribute(attribute:"description", value: "The DirectShow component included with the version of Microsoft DirectX installed on the remote host is affected by multiple vulnerabilities that may allow execution of arbitrary code when processing a specially crafted QuickTime media file."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-028"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for DirectX 7.0, 8.0 and 9.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(20, 94); script_set_attribute(attribute:"vuln_publication_date", value:"2009/05/28"); script_set_attribute(attribute:"patch_publication_date", value:"2009/07/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:directx"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-028'; kb = "971633"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit('SMB/Registry/Enumerated'); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (!get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/DirectX/Version")) audit(AUDIT_NOT_INST, "DirectX"); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Quartz.dll", version:"6.5.3790.4523", dir:"\System32", bulletin:bulletin, kb:kb) \|\| # Windows XP hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Quartz.dll", version:"6.5.2600.5822", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"Quartz.dll", version:"6.5.3790.4523", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Quartz.dll", version:"6.5.2600.3580", dir:"\System32", bulletin:bulletin, kb:kb) \|\| # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"Quartz.dll", version:"6.5.1.911", min_version:"6.5.0.0", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Quartz.dll", version:"6.3.1.893", min_version:"6.3.0.0", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Quartz.dll", version:"6.1.9.736", dir:"\System32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2013-04-15T04:00:28.654-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Dragos Prisaca
organization Gideon Technologies, Inc.
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP (x86) SP2 is installed
oval oval:org.mitre.oval:def:754
comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442

description

family

windows

oval:org.mitre.oval:def:6237

status

accepted

submitted

2009-05-29T10:00:00

title

DirectX NULL Byte Overwrite Vulnerability

version

Saint

bid	35139
description	Microsoft DirectX DirectShow QuickTime movie parsing vulnerability
id	win_patch_directxquicktime
osvdb	54797
title	microsoft_directx_quicktime
type	client

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 35139 CVE(CAN) ID: CVE-2009-1537 Microsoft DirectX是Windows操作系统中的一项功能，流媒体在玩游戏或观看视频时通过这个功能支持图形和声音。 DirectX的DirectShow组件（quartz.dll）在解析畸形的QuickTime媒体文件时存在错误，用户受骗打开了恶意的媒体文件就会导致执行任意代码。由于用户可能在浏览器中安装媒体播放插件，因此访问恶意网页就足以导致播放QuickTime文件，触发Quartz.dll中的漏洞。 Microsoft DirectX 9.0 Microsoft DirectX 8.1 Microsoft DirectX 7.0 临时解决方法： * 在quartz.dll中禁用QuickTime内容。使用交互方式 32位Windows系统： 1. 点击“开始”、“运行”，在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键：HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中，输入“QuickTime_Parser_Backup.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时，点击“是”。 64位Windows系统： 1. 点击“开始”、“运行”，在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键：HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中，输入“QuickTime_Parser_Backup1.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时，点击“是”。 6. 找到以下子键：HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 7. 在“文件”菜单中点击“导出”。 8.在“导出注册表文件”对话框中，输入“QuickTime_Parser_Backup2.reg”并点击“保存”。 9. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时，点击“是”。使用管理的部署脚本 1. 使用包含有以下命令的管理部署脚本创建注册表项的备份： 32位Windows系统： Regedit.exe /e QuickTime_Decoder_Backup.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 64位Windows系统： Regedit.exe /e QuickTime_Decoder_Backup1.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} Regedit.exe /e QuickTime_Decoder_Backup2.reg HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 2. 将以下内容保存为.REG文件，如Disable_QuickTime_Parser.reg： 32位Windows系统： Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 64位Windows系统： Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] [-HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 3. 在提升的命令提示符中通过以下命令在目标机器上运行以上注册表脚本： Regedit.exe /s Disable_QuickTime_Parser.reg * 修改quartz.dll的访问控制列表。在Windows XP和Windows Server 2003上，从命令提示符运行以下命令（需要管理权限）： 32位Windows系统： Echo y\| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N 64位Windows系统： Echo y\| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N Echo y\| cacls %WINDIR%\SYSWOW64\quartz.DLL /E /P everyone:N * 注销quartz.dll，在提升的命令提示符运行以下命令： 32位Windows系统： Regsvr32.exe –u %WINDIR%\system32\quartz.dll 64位Windows系统： Regsvr32.exe –u %WINDIR%\system32\quartz.dll Regsvr32.exe –u %WINDIR%\syswow64\quartz.dll * 对于非多媒体文件夹类型，可通过使用Windows传统风格的文件夹来缓解Windows shell攻击： 1. 点击“开始”、“控制面板”、“外观和主题”，然后点击“文件夹选项”；或打开任意文件夹，在“工具”菜单中点击“文件夹选项”。 2. 在“常规”标签页中“任务”下选择“使用Windows传统风格的文件夹”。厂商补丁： Microsoft --------- 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： <a href="http://www.microsoft.com/technet/security/" target="_blank" rel=external nofollow>http://www.microsoft.com/technet/security/</a>
id	SSV:11488
last seen	2017-11-19
modified	2009-06-01
published	2009-06-01
reporter	Root
title	Microsoft DirectX QuickTime媒体文件解析代码执行漏洞

bulletinFamily	exploit
description	BUGTRAQ ID: 35139 CVE(CAN) ID: CVE-2009-1537 Microsoft DirectX是Windows操作系统中的一项功能，流媒体在玩游戏或观看视频时通过这个功能支持图形和声音。 DirectX的DirectShow组件（quartz.dll）在解析畸形的QuickTime媒体文件时存在错误，用户受骗打开了恶意的媒体文件就会导致执行任意代码。由于用户可能在浏览器中安装媒体播放插件，因此访问恶意网页就足以导致播放QuickTime文件，触发Quartz.dll中的漏洞。 Microsoft DirectX 9.0 Microsoft DirectX 8.1 Microsoft DirectX 7.0 临时解决方法： * 在quartz.dll中禁用QuickTime内容。使用交互方式 32位Windows系统： 1. 点击“开始”、“运行”，在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键：HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中，输入“QuickTime_Parser_Backup.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时，点击“是”。 64位Windows系统： 1. 点击“开始”、“运行”，在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键：HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中，输入“QuickTime_Parser_Backup1.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时，点击“是”。 6. 找到以下子键：HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 7. 在“文件”菜单中点击“导出”。 8.在“导出注册表文件”对话框中，输入“QuickTime_Parser_Backup2.reg”并点击“保存”。 9. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时，点击“是”。使用管理的部署脚本 1. 使用包含有以下命令的管理部署脚本创建注册表项的备份： 32位Windows系统： Regedit.exe /e QuickTime_Decoder_Backup.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 64位Windows系统： Regedit.exe /e QuickTime_Decoder_Backup1.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} Regedit.exe /e QuickTime_Decoder_Backup2.reg HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 2. 将以下内容保存为.REG文件，如Disable_QuickTime_Parser.reg： 32位Windows系统： Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 64位Windows系统： Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] [-HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 3. 在提升的命令提示符中通过以下命令在目标机器上运行以上注册表脚本： Regedit.exe /s Disable_QuickTime_Parser.reg * 修改quartz.dll的访问控制列表。在Windows XP和Windows Server 2003上，从命令提示符运行以下命令（需要管理权限）： 32位Windows系统： Echo y\| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N 64位Windows系统： Echo y\| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N Echo y\| cacls %WINDIR%\SYSWOW64\quartz.DLL /E /P everyone:N * 注销quartz.dll，在提升的命令提示符运行以下命令： 32位Windows系统： Regsvr32.exe –u %WINDIR%\system32\quartz.dll 64位Windows系统： Regsvr32.exe –u %WINDIR%\system32\quartz.dll Regsvr32.exe –u %WINDIR%\syswow64\quartz.dll * 对于非多媒体文件夹类型，可通过使用Windows传统风格的文件夹来缓解Windows shell攻击： 1. 点击“开始”、“控制面板”、“外观和主题”，然后点击“文件夹选项”；或打开任意文件夹，在“工具”菜单中点击“文件夹选项”。 2. 在“常规”标签页中“任务”下选择“使用Windows传统风格的文件夹”。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS09-028）以及相应补丁: MS09-028：Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633) 链接：http://www.microsoft.com/technet/security/bulletin/MS09-028.mspx?pf=true
id	SSV:11819
last seen	2017-11-19
modified	2009-07-16
published	2009-07-16
reporter	Root
title	Microsoft DirectX QuickTime媒体文件解析代码执行漏洞(MS09-028)

Summary

Vulnerable Configurations

Msbulletin

Nessus

Oval

Saint

Seebug

References