Sign-up

ID

VAR-200810-0446


CVE

CVE-2008-4771


TITLE

Various IP Security Camera ActiveX Controls 'url' Attribute Buffer Overflow Vulnerability

Trust: 0.9

sources: BID: 28010 // CNNVD: CNNVD-200810-480

DESCRIPTION

Stack-based buffer overflow in VATDecoder.VatCtrl.1 ActiveX control in (1) 4xem VatCtrl Class (VATDecoder.dll 1.0.0.27 and 1.0.0.51), (2) D-Link MPEG4 SHM Audio Control (VAPGDecoder.dll 1.7.0.5), (3) Vivotek RTSP MPEG4 SP Control (RtspVapgDecoderNew.dll 2.0.0.39), and possibly other products, allows remote attackers to execute arbitrary code via a long Url property. NOTE: some of these details are obtained from third party information. Various IP Security Camera ActiveX controls are prone to a remote buffer-overflow vulnerability because the applications fail to properly bounds-check user-supplied data before copying it into insufficiently sized memory buffers. Exploiting this issue may allow remote attackers to execute arbitrary code in the context of applications that use the affected ActiveX control (typically Internet Explorer) and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions. 4XEM VatCtrl Class ('VATDecoder.dll') 1.0.0.51. Vivotek RTSP MPEG4 SP Control ('RtspVapgDecoderNew.dll') 2.0.0.39. UPDATE (March 25, 2008): D-Link MPEG4 SHM Audio Control ('VAPGDecoder.dll') 1.7.0.5 identified by CLSID: A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C is being actively exploited in the wild. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: 4XEM VatDecoder VatCtrl Class ActiveX Control "Url" Property Buffer Overflow SECUNIA ADVISORY ID: SA29146 VERIFY ADVISORY: http://secunia.com/advisories/29146/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: 4XEM VatDecoder 1.x http://secunia.com/product/17836/ DESCRIPTION: rgod has discovered a vulnerability in 4XEM VatDecoder, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the VATDecoder.VatCtrl.1 ActiveX control (VATDecoder.dll) when handling strings assigned to the "Url" property. This can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the affected property. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in VATDecoder.dll version 1.0.0.27 and reported in version 1.0.0.51. Other versions may also be affected. SOLUTION: Set the kill-bit for the affected ActiveX control. PROVIDED AND/OR DISCOVERED BY: rgod ORIGINAL ADVISORY: http://www.milw0rm.com/exploits/5193 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.25

sources: NVD: CVE-2008-4771 // JVNDB: JVNDB-2008-003581 // BID: 28010 // VULHUB: VHN-34896 // PACKETSTORM: 64100 // PACKETSTORM: 64114 // PACKETSTORM: 64103

AFFECTED PRODUCTS

vendor:vivotekmodel:rtsp mpeg4 sp controlscope:eqversion:2.0.0.39

Trust: 1.9

vendor:d linkmodel:mpeg4 shm audio controlscope:eqversion:1.7.0.5

Trust: 1.3

vendor:4xemmodel:vatctrl classscope:eqversion:1.0.0.51

Trust: 1.3

vendor:4xemmodel:vatctrl classscope:eqversion:1.0.0.27

Trust: 1.0

vendor:4xemmodel:vatctrl classscope:eqversion:vatdecoder.dll 1.0.0.51 and 1.0.0.27

Trust: 0.8

vendor:d linkmodel:mpeg4 shm audio controlscope:eqversion:vapgdecoder.dll 1.7.0.5

Trust: 0.8

vendor:vivotekmodel:rtsp mpeg4 sp controlscope:eqversion:rtspvapgdecodernew.dll 2.0.0.39

Trust: 0.8

sources: BID: 28010 // JVNDB: JVNDB-2008-003581 // CNNVD: CNNVD-200810-480 // NVD: CVE-2008-4771

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-4771
value: HIGH

Trust: 1.0

NVD: CVE-2008-4771
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200810-480
value: CRITICAL

Trust: 0.6

VULHUB: VHN-34896
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2008-4771
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-34896
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-34896 // JVNDB: JVNDB-2008-003581 // CNNVD: CNNVD-200810-480 // NVD: CVE-2008-4771

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-34896 // JVNDB: JVNDB-2008-003581 // NVD: CVE-2008-4771

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200810-480

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200810-480

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2008-003581

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-34896

PATCH
title:Top Pageurl:http://www.4xem.com/
Trust: 0.8
title:Top Pageurl:http://www.dlink.com/
Trust: 0.8
title:Top Pageurl:http://www.vivotek.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2008-003581

EXTERNAL IDS
db:NVDid:CVE-2008-4771
Trust: 2.8
db:BIDid:28010
Trust: 2.0
db:EXPLOIT-DBid:5193
Trust: 2.0
db:SECUNIAid:29131
Trust: 1.9
db:SECUNIAid:29145
Trust: 1.9
db:SECUNIAid:29146
Trust: 1.9
db:OSVDBid:43007
Trust: 1.7
db:OSVDBid:42378
Trust: 1.7
db:VUPENid:ADV-2008-0685
Trust: 1.7
db:VUPENid:ADV-2008-0686
Trust: 1.7
db:VUPENid:ADV-2008-0687
Trust: 1.7
db:SREASONid:4517
Trust: 1.7
db:JVNDBid:JVNDB-2008-003581
Trust: 0.8
db:XFid:40864
Trust: 0.6
db:XFid:40863
Trust: 0.6
db:XFid:40867
Trust: 0.6
db:XFid:4
Trust: 0.6
db:MILW0RMid:5193
Trust: 0.6
db:CNNVDid:CNNVD-200810-480
Trust: 0.6
db:VULHUBid:VHN-34896
Trust: 0.1
db:PACKETSTORMid:64100
Trust: 0.1
db:PACKETSTORMid:64114
Trust: 0.1
db:PACKETSTORMid:64103
Trust: 0.1
sources:
            
            
            VULHUB: VHN-34896 // 
            
            
            
            BID: 28010 // 
            
            
            
            JVNDB: JVNDB-2008-003581 // 
            
            
            
            PACKETSTORM: 64100 // 
            
            
            
            PACKETSTORM: 64114 // 
            
            
            
            PACKETSTORM: 64103 // 
            
            
            
            CNNVD: CNNVD-200810-480 // 
            
            
            
            NVD: CVE-2008-4771

REFERENCES
url:http://www.securityfocus.com/bid/28010
Trust: 1.7
url:http://osvdb.org/42378
Trust: 1.7
url:http://osvdb.org/43007
Trust: 1.7
url:http://secunia.com/advisories/29131
Trust: 1.7
url:http://secunia.com/advisories/29145
Trust: 1.7
url:http://secunia.com/advisories/29146
Trust: 1.7
url:http://securityreason.com/securityalert/4517
Trust: 1.7
url:https://www.exploit-db.com/exploits/5193
Trust: 1.1
url:http://www.vupen.com/english/advisories/2008/0685/references
Trust: 1.1
url:http://www.vupen.com/english/advisories/2008/0686/references
Trust: 1.1
url:http://www.vupen.com/english/advisories/2008/0687/references
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/40864
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/40863
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/40867
Trust: 1.1
url:http://www.milw0rm.com/exploits/5193
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4771
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-4771
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/40867
Trust: 0.6
url:http://xforce.iss.net/xforce/xfdb/40864
Trust: 0.6
url:http://xforce.iss.net/xforce/xfdb/40863
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2008/0687/references
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2008/0686/references
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2008/0685/references
Trust: 0.6
url:http://www.4xem.com/
Trust: 0.3
url:http://www.dlink.com/products/livedemo/
Trust: 0.3
url:http://support.microsoft.com/kb/240797
Trust: 0.3
url:http://ebdemo.8800.org:17151
Trust: 0.3
url:http://secunia.com/secunia_security_advisories/
Trust: 0.3
url:https://psi.secunia.com/?page=changelog
Trust: 0.3
url:https://psi.secunia.com/
Trust: 0.3
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.3
url:http://secunia.com/about_secunia_advisories/
Trust: 0.3
url:http://secunia.com/advisories/29146/
Trust: 0.1
url:http://secunia.com/product/17836/
Trust: 0.1
url:http://secunia.com/advisories/29131/
Trust: 0.1
url:http://secunia.com/product/17835/
Trust: 0.1
url:http://secunia.com/product/17837/
Trust: 0.1
url:http://secunia.com/advisories/29145/
Trust: 0.1
url:http://secunia.com/product/17250/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-34896 // 
            
            
            
            BID: 28010 // 
            
            
            
            JVNDB: JVNDB-2008-003581 // 
            
            
            
            PACKETSTORM: 64100 // 
            
            
            
            PACKETSTORM: 64114 // 
            
            
            
            PACKETSTORM: 64103 // 
            
            
            
            CNNVD: CNNVD-200810-480 // 
            
            
            
            NVD: CVE-2008-4771

CREDITS
rgod discovered this vulnerability.
Trust: 0.9
sources:
            
            
            BID: 28010 // 
            
            
            
            CNNVD: CNNVD-200810-480

SOURCES
db:VULHUBid:VHN-34896
db:BIDid:28010
db:JVNDBid:JVNDB-2008-003581
db:PACKETSTORMid:64100
db:PACKETSTORMid:64114
db:PACKETSTORMid:64103
db:CNNVDid:CNNVD-200810-480
db:NVDid:CVE-2008-4771

LAST UPDATE DATE
2025-04-10T20:59:22.444000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-34896date:2017-09-29T00:00:00
db:BIDid:28010date:2015-04-16T18:05:00
db:JVNDBid:JVNDB-2008-003581date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-200810-480date:2009-01-29T00:00:00
db:NVDid:CVE-2008-4771date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:VULHUBid:VHN-34896date:2008-10-28T00:00:00
db:BIDid:28010date:2008-02-26T00:00:00
db:JVNDBid:JVNDB-2008-003581date:2012-06-26T00:00:00
db:PACKETSTORMid:64100date:2008-02-27T20:02:28
db:PACKETSTORMid:64114date:2008-02-28T02:32:52
db:PACKETSTORMid:64103date:2008-02-28T02:32:52
db:CNNVDid:CNNVD-200810-480date:2008-10-28T00:00:00
db:NVDid:CVE-2008-4771date:2008-10-28T19:20:14.633