Signature Detail

HTTP: AVI File Header Processing Memory Corruption

This signature detects attempts to exploit a known vulnerability against Microsoft Windows Avi processing routine. A successful attack can lead to arbitrary code execution in the context of the client.

Extended Description

Microsoft Windows is prone to a remote code-execution vulnerability that arises when an affected Windows component handles a malicious Audio Video Interleave (AVI) file. An attacker can exploit this issue to execute arbitrary code with the privileges of the affected user. Failed exploit attempts will result in a denial-of-service condition. NOTE: Since the affected Windows operating system component is independent of Windows Media Player, this issue does not specifically affect Windows Media Player.

Affected Products

• Microsoft windows_2000_advanced_server SP4
• Microsoft windows_2000_datacenter_server SP4
• Microsoft windows_2000_professional SP4
• Microsoft windows_2000_server SP4
• Microsoft windows_server_2003 SP2
• Microsoft windows_server_2003_itanium SP2
• Microsoft windows_server_2003_x64 SP2
• Microsoft windows_server_2008_for_32-bit_systems SP2
• Microsoft windows_server_2008_for_32-bit_systems
• Microsoft windows_server_2008_for_itanium-based_systems SP2
• Microsoft windows_server_2008_for_itanium-based_systems
• Microsoft windows_server_2008_for_x64-based_systems SP2
• Microsoft windows_server_2008_for_x64-based_systems
• Microsoft windows_vista Business
• Microsoft windows_vista Business SP1
• Microsoft windows_vista Business SP2
• Microsoft windows_vista Enterprise
• Microsoft windows_vista Enterprise SP1
• Microsoft windows_vista Enterprise SP2
• Microsoft windows_vista Home Basic
• Microsoft windows_vista Home Basic SP1
• Microsoft windows_vista Home Basic SP2
• Microsoft windows_vista Home Premium
• Microsoft windows_vista Home Premium SP1
• Microsoft windows_vista Home Premium SP2
• Microsoft windows_vista Ultimate
• Microsoft windows_vista Ultimate SP1
• Microsoft windows_vista Ultimate SP2
• Microsoft windows_vista_x64_edition SP1
• Microsoft windows_vista_x64_edition SP2
• Microsoft windows_vista_x64_edition
• Microsoft windows_xp_home SP2
• Microsoft windows_xp_home SP3
• Microsoft windows_xp_media_center_edition SP2
• Microsoft windows_xp_media_center_edition SP3
• Microsoft windows_xp_professional SP2
• Microsoft windows_xp_professional SP3
• Microsoft windows_xp_professional_x64_edition SP2
• Microsoft windows_xp_tablet_pc_edition SP2
• Microsoft windows_xp_tablet_pc_edition SP3
• Nortel_networks callpilot 1002Rp
• Nortel_networks callpilot 1005R
• Nortel_networks callpilot 201I
• Nortel_networks callpilot 202I
• Nortel_networks callpilot 600R
• Nortel_networks callpilot 702T
• Nortel_networks contact_center
• Nortel_networks contact_center_administration
• Nortel_networks contact_center_express
• Nortel_networks contact_center_manager_server
• Nortel_networks contact_center_multimedia
• Nortel_networks contact_center_ncc
• Nortel_networks contact_center-tapi_server
• Nortel_networks media_processing_svr_100
• Nortel_networks media_processing_svr_1000_rel 3.0
• Nortel_networks media_processing_svr_500_rel 3.0
• Nortel_networks self-service_mps_100
• Nortel_networks self-service_mps_1000
• Nortel_networks self-service_mps_500
• Nortel_networks self-service_peri_nt_server
• Nortel_networks self-service_peri_workstation
• Nortel_networks self-service_speech_server
• Nortel_networks self_service_voicexml
• Nortel_networks self-service_wvads
• Nortel_networks symposium_agent

References

• BugTraq: 35967
• CVE: CVE-2009-1545