Vulnerabilities > CVE-2009-1537 - Remote Code Execution vulnerability in Microsoft DirectX DirectShow QuickTime Video

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability." Per: http://www.microsoft.com/technet/security/advisory/971778.mspx "Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable."

Msbulletin

bulletin_idMS09-028
bulletin_url
date2009-07-14T00:00:00
impactRemote Code Execution
knowledgebase_id971633
knowledgebase_url
severityCritical
titleVulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS09-028.NASL
descriptionThe DirectShow component included with the version of Microsoft DirectX installed on the remote host is affected by multiple vulnerabilities that may allow execution of arbitrary code when processing a specially crafted QuickTime media file.
last seen2020-06-01
modified2020-06-02
plugin id39791
published2009-07-14
reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/39791
titleMS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  # Standard NASL registration branch: when the engine loads the plugin
  # with 'description' set, only metadata is recorded and the script exits
  # before any host is touched.
  script_id(39791);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  # One plugin covers all three CVEs fixed by MS09-028 (KB971633); the
  # detection below does not distinguish between them.
  script_cve_id("CVE-2009-1537", "CVE-2009-1538", "CVE-2009-1539");
  script_bugtraq_id(35139, 35600, 35616);
  script_xref(name:"MSFT", value:"MS09-028");
  script_xref(name:"MSKB", value:"971633");

  script_name(english:"MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)");
  # File-version comparison is the only detection method this plugin uses.
  script_summary(english:"Checks version of Quartz.dll");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to execute arbitrary code on the remote Windows host
using DirectX.");
  script_set_attribute(attribute:"description", value:
"The DirectShow component included with the version of Microsoft DirectX
installed on the remote host is affected by multiple vulnerabilities
that may allow execution of arbitrary code when processing a specially
crafted QuickTime media file.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-028");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for DirectX 7.0, 8.0 and
9.0.");
  # CVSSv2 base 9.3 (network, medium complexity, no auth, full C/I/A);
  # temporal E:H reflects that working exploits were public and in use
  # before the patch shipped (vuln 2009/05/28 vs. patch 2009/07/14).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # Exploit-availability flags: public exploit, the "core" framework
  # attribute (presumably Core Impact), CANVAS via the D2ExploitPack add-on,
  # and observed malware use.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  # CWE-20 (improper input validation), CWE-94 (code injection).
  script_cwe_id(20, 94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/05/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/14");

  # Credentialed (local) check -- this is not a remote probe of the host.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:directx");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # Needs the hotfix-enumeration plugins to have run first, plus SMB
  # (139/445) or a patch-management data source to read results from.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");


# --- Detection ---------------------------------------------------------
# Exit unless the prerequisite plugin recorded that bulletin checks are
# possible on this host (credentials worked, registry readable, etc.).
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-028';
kb = "971633";

# If a third-party patch-management source is configured, let it answer
# for this bulletin/KB first. NOTE(review): whether hotfix_check_3rd_party
# exits on a hit or returns is not visible here; the SMB file check below
# runs whenever it returns.
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Scope matches the bulletin: Windows 2000 SP4+, XP SP2/SP3, Server 2003
# SP2. Vista/2008 were not affected, so any other OS/SP is audited out.
if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
# This key is only used as "DirectX is installed". The quartz.dll version
# below is what decides vulnerability, so a host that applied the
# advisory's CLSID-deletion workaround but not the patch is still flagged.
if (!get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/DirectX/Version")) audit(AUDIT_NOT_INST, "DirectX");


rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# Map %SystemRoot% to its administrative share and confirm it is readable
# with the supplied credentials before attempting any file access.
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Flag the host if %SystemRoot%\System32\Quartz.dll is older than the
# MS09-028 build for its OS/SP. The || chain short-circuits on the first
# match, so the order below is also the reporting priority.
# NOTE(review): the advisory's ACL workaround (deny Everyone on quartz.dll)
# may make the file unreadable over SMB; how hotfix_is_vulnerable treats an
# unreadable file is not visible here -- confirm it does not silently fall
# through to "not affected".
if (
  # Windows 2003 -- no arch filter, so x86/x64/ia64 all use this line
  hotfix_is_vulnerable(os:"5.2", sp:2,             file:"Quartz.dll", version:"6.5.3790.4523", dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows XP
  # NOTE(review): XP x64 Edition reports NT 5.2, so the os:"5.1"/x64 line
  # is likely unreachable and the 5.2 line above already covers it
  # (same 3790 build) -- harmless, but confirm before relying on it.
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Quartz.dll", version:"6.5.2600.5822", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"Quartz.dll", version:"6.5.3790.4523", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Quartz.dll", version:"6.5.2600.3580", dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows 2000 -- three quartz.dll lineages (6.5.x, 6.3.x, 6.1.x;
  # presumably the DirectX 9/8/7 builds the solution text refers to).
  # min_version keeps an older lineage from being compared against a newer
  # fix level. NOTE(review): the 6.1.9.736 line has no min_version, so
  # anything older than it is also flagged -- confirm that is intended.
  hotfix_is_vulnerable(os:"5.0",                   file:"Quartz.dll", version:"6.5.1.911", min_version:"6.5.0.0", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0",                   file:"Quartz.dll", version:"6.3.1.893", min_version:"6.3.0.0", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0",                   file:"Quartz.dll", version:"6.1.9.736",                        dir:"\System32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin for other plugins and report a hole.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  # Close the SMB session opened by the file checks before exiting.
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2013-04-15T04:00:28.654-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
descriptionUnspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability."
familywindows
idoval:org.mitre.oval:def:6237
statusaccepted
submitted2009-05-29T10:00:00
titleDirectX NULL Byte Overwrite Vulnerability
version72

Saint

bid35139
descriptionMicrosoft DirectX DirectShow QuickTime movie parsing vulnerability
idwin_patch_directxquicktime
osvdb54797
titlemicrosoft_directx_quicktime
typeclient

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 35139 CVE(CAN) ID: CVE-2009-1537 Microsoft DirectX是Windows操作系统中的一项功能,流媒体在玩游戏或观看视频时通过这个功能支持图形和声音。 DirectX的DirectShow组件(quartz.dll)在解析畸形的QuickTime媒体文件时存在错误,用户受骗打开了恶意的媒体文件就会导致执行任意代码。由于用户可能在浏览器中安装媒体播放插件,因此访问恶意网页就足以导致播放QuickTime文件,触发Quartz.dll中的漏洞。 Microsoft DirectX 9.0 Microsoft DirectX 8.1 Microsoft DirectX 7.0 临时解决方法: * 在quartz.dll中禁用QuickTime内容。 使用交互方式 32位Windows系统: 1. 点击“开始”、“运行”,在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键:HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中,输入“QuickTime_Parser_Backup.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时,点击“是”。 64位Windows系统: 1. 点击“开始”、“运行”,在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键:HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中,输入“QuickTime_Parser_Backup1.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时,点击“是”。 6. 找到以下子键:HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 7. 在“文件”菜单中点击“导出”。 8.在“导出注册表文件”对话框中,输入“QuickTime_Parser_Backup2.reg”并点击“保存”。 9. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时,点击“是”。 使用管理的部署脚本 1. 使用包含有以下命令的管理部署脚本创建注册表项的备份: 32位Windows系统: Regedit.exe /e QuickTime_Decoder_Backup.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 64位Windows系统: Regedit.exe /e QuickTime_Decoder_Backup1.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} Regedit.exe /e QuickTime_Decoder_Backup2.reg HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 2. 将以下内容保存为.REG文件,如Disable_QuickTime_Parser.reg: 32位Windows系统: Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 64位Windows系统: Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] [-HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 3. 
在提升的命令提示符中通过以下命令在目标机器上运行以上注册表脚本: Regedit.exe /s Disable_QuickTime_Parser.reg * 修改quartz.dll的访问控制列表。 在Windows XP和Windows Server 2003上,从命令提示符运行以下命令(需要管理权限): 32位Windows系统: Echo y| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N 64位Windows系统: Echo y| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N Echo y| cacls %WINDIR%\SYSWOW64\quartz.DLL /E /P everyone:N * 注销quartz.dll,在提升的命令提示符运行以下命令: 32位Windows系统: Regsvr32.exe -u %WINDIR%\system32\quartz.dll 64位Windows系统: Regsvr32.exe -u %WINDIR%\system32\quartz.dll Regsvr32.exe -u %WINDIR%\syswow64\quartz.dll * 对于非多媒体文件夹类型,可通过使用Windows传统风格的文件夹来缓解Windows shell攻击: 1. 点击“开始”、“控制面板”、“外观和主题”,然后点击“文件夹选项”;或打开任意文件夹,在“工具”菜单中点击“文件夹选项”。 2. 在“常规”标签页中“任务”下选择“使用Windows传统风格的文件夹”。 厂商补丁: Microsoft --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href="http://www.microsoft.com/technet/security/" target="_blank" rel=external nofollow>http://www.microsoft.com/technet/security/</a>
    idSSV:11488
    last seen2017-11-19
    modified2009-06-01
    published2009-06-01
    reporterRoot
    titleMicrosoft DirectX QuickTime媒体文件解析代码执行漏洞
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 35139 CVE(CAN) ID: CVE-2009-1537 Microsoft DirectX是Windows操作系统中的一项功能,流媒体在玩游戏或观看视频时通过这个功能支持图形和声音。 DirectX的DirectShow组件(quartz.dll)在解析畸形的QuickTime媒体文件时存在错误,用户受骗打开了恶意的媒体文件就会导致执行任意代码。由于用户可能在浏览器中安装媒体播放插件,因此访问恶意网页就足以导致播放QuickTime文件,触发Quartz.dll中的漏洞。 Microsoft DirectX 9.0 Microsoft DirectX 8.1 Microsoft DirectX 7.0 临时解决方法: * 在quartz.dll中禁用QuickTime内容。 使用交互方式 32位Windows系统: 1. 点击“开始”、“运行”,在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键:HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中,输入“QuickTime_Parser_Backup.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时,点击“是”。 64位Windows系统: 1. 点击“开始”、“运行”,在“打开”框中键入“Regedit”然后点击“确定”。 2. 找到以下子键:HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 3. 在“文件”菜单中点击“导出”。 4. 在“导出注册表文件”对话框中,输入“QuickTime_Parser_Backup1.reg”并点击“保存”。 5. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时,点击“是”。 6. 找到以下子键:HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}。 7. 在“文件”菜单中点击“导出”。 8.在“导出注册表文件”对话框中,输入“QuickTime_Parser_Backup2.reg”并点击“保存”。 9. 按删除键删除注册表项。当“确认项删除”对话框提示删除注册表项时,点击“是”。 使用管理的部署脚本 1. 使用包含有以下命令的管理部署脚本创建注册表项的备份: 32位Windows系统: Regedit.exe /e QuickTime_Decoder_Backup.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 64位Windows系统: Regedit.exe /e QuickTime_Decoder_Backup1.reg HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} Regedit.exe /e QuickTime_Decoder_Backup2.reg HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A} 2. 将以下内容保存为.REG文件,如Disable_QuickTime_Parser.reg: 32位Windows系统: Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 64位Windows系统: Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] [-HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}] 3. 
在提升的命令提示符中通过以下命令在目标机器上运行以上注册表脚本: Regedit.exe /s Disable_QuickTime_Parser.reg * 修改quartz.dll的访问控制列表。 在Windows XP和Windows Server 2003上,从命令提示符运行以下命令(需要管理权限): 32位Windows系统: Echo y| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N 64位Windows系统: Echo y| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N Echo y| cacls %WINDIR%\SYSWOW64\quartz.DLL /E /P everyone:N * 注销quartz.dll,在提升的命令提示符运行以下命令: 32位Windows系统: Regsvr32.exe -u %WINDIR%\system32\quartz.dll 64位Windows系统: Regsvr32.exe -u %WINDIR%\system32\quartz.dll Regsvr32.exe -u %WINDIR%\syswow64\quartz.dll * 对于非多媒体文件夹类型,可通过使用Windows传统风格的文件夹来缓解Windows shell攻击: 1. 点击“开始”、“控制面板”、“外观和主题”,然后点击“文件夹选项”;或打开任意文件夹,在“工具”菜单中点击“文件夹选项”。 2. 在“常规”标签页中“任务”下选择“使用Windows传统风格的文件夹”。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-028)以及相应补丁: MS09-028:Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633) 链接:http://www.microsoft.com/technet/security/bulletin/MS09-028.mspx?pf=true
    idSSV:11819
    last seen2017-11-19
    modified2009-07-16
    published2009-07-16
    reporterRoot
    titleMicrosoft DirectX QuickTime媒体文件解析代码执行漏洞(MS09-028)