#VU1246 Heap-based buffer overflow in Xunlei Thunder
Vulnerability identifier: #VU1246
Vulnerability risk: Critical
CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:F/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-122
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Xunlei Thunder
Client/Desktop applications /
Plugins for browsers, ActiveX components
Vendor: Xunlei
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in PPlayer.XPPlayer.1 ActiveX control when handling long strings passed via FlvPlayerUrl property value. A remote attacker can create a specially crafted web page, trick the victim into visiting it, cause a heap-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability was being actively exploited.
Mitigation
Cybersecurity Help is
not aware of any official solution to address this vulnerability. It
is recommended to permanently remove the affected software from your system.
Vulnerable software versions
Xunlei Thunder: 5.7.4.401
External links
http://betanews.com/2008/05/19/ten-thousand-servers-hit-in-sql-injection-hack/
http://www.pcworld.com/article/146048/article.html
http://forums.whatthetech.com/index.php?showtopic=91131
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=50081
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
