Vulnerabilities > CVE-2010-0480 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
CWE-119
nessus
exploit available
metasploit

Summary

Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to execute arbitrary code via a crafted AVI file, aka "MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • descriptionMS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow. CVE-2010-0480. Remote exploit for windows platform
    idEDB-ID:17659
    last seen2016-02-02
    modified2011-08-13
    published2011-08-13
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/17659/
    titleMicrosoft MPEG Layer-3 Audio - Stack Based Overflow MS10-026
  • descriptionMOAUB #24 - Microsoft MPEG Layer-3 Audio Decoder Division By Zero. CVE-2010-0480. Dos exploit for windows platform
    idEDB-ID:15096
    last seen2016-02-01
    modified2010-09-24
    published2010-09-24
    reporterAbysssec
    sourcehttps://www.exploit-db.com/download/15096/
    titleMicrosoft MPEG Layer-3 Audio Decoder - Division By Zero

Metasploit

descriptionThis module exploits a buffer overflow in l3codecx.ax while processing a AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite with 0's so the three least significant bytes of EIP saved on stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note on IE 8 targets, your malicious URL must be a trusted site in order to load the .Net control.
idMSF:EXPLOIT/WINDOWS/BROWSER/MS10_026_AVI_NSAMPLESPERSEC
last seen2020-06-14
modified1976-01-01
published1976-01-01
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb
titleMS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow

Msbulletin

bulletin_idMS10-026
bulletin_url
date2010-04-13T00:00:00
impactRemote Code Execution
knowledgebase_id977816
knowledgebase_url
severityCritical
titleVulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS10-026.NASL
descriptionThe Microsoft MPEG Layer-3 (MP3) codecs have a buffer overflow vulnerability that is triggered by opening a specially crafted AVI file with an MP3 audio stream. A remote attacker could exploit this by tricking a user into opening a malicious AVI file, which would lead to arbitrary code execution.
last seen2020-06-01
modified2020-06-02
plugin id45513
published2010-04-13
reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/45513
titleMS10-026: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)

Oval

accepted2010-06-07T04:00:39.696-04:00
classvulnerability
contributors
nameDragos Prisaca
organizationSymantec Corporation
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
descriptionMultiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to execute arbitrary code via a crafted AVI file, aka "MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability."
familywindows
idoval:org.mitre.oval:def:7441
statusaccepted
submitted2010-03-13T13:00:00
titleMPEG Layer-3 Audio Decoder Stack Overflow Vulnerability
version72

Packetstorm

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 39303 CVE ID: CVE-2010-0480 Microsoft Windows是微软发布的非常流行的操作系统。 Windows中所使用的MP3编码解码器处理AVI媒体文件的方式中存在栈溢出漏洞。如果用户打开包含MP3音频流的特制的AVI文件,此漏洞可能允许远程执行代码。如果用户使用管理用户权限登录,成功利用此漏洞的攻击者便可完全控制受影响的系统。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000SP4 临时解决方法: * 限制访问MP3音频编码解码器。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-026)以及相应补丁: MS10-026:Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-026.mspx?pf=true
    idSSV:19458
    last seen2017-11-19
    modified2010-04-14
    published2010-04-14
    reporterRoot
    titleMicrosoft Windows MP3音频解码器栈溢出漏洞(MS10-026)
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:20848
    last seen2017-11-19
    modified2011-08-14
    published2011-08-14
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-20848
    titleMS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:20094
    last seen2017-11-19
    modified2010-09-06
    published2010-09-06
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-20094
    titleMicrosoft MPEG Layer-3 Remote Command Execution Exploit
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:69775
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-69775
    titleMicrosoft MPEG Layer-3 - Remote Command Execution Exploit