

Microsoft DirectX SAMI File Parsing Stack Buffer Overflow Vulnerability
Bugtraq ID: 26789
Class: Boundary Condition Error
CVE: CVE-2007-3901
Remote: Yes
Local: No
Published: Dec 11 2007 12:00AM
Updated: Jan 12 2008 12:59AM
Credit: Jun Mao of VeriSign iDefense is credited with the discovery of this vulnerability.
Vulnerable: Nortel Networks Centrex IP Client Manager 9.0
Nortel Networks Centrex IP Client Manager 10.0
Nortel Networks CallPilot 703t
Nortel Networks CallPilot 702t
Nortel Networks CallPilot 201i
Nortel Networks CallPilot 200i
Nortel Networks CallPilot 1002rp
Microsoft DirectX 8.1
Microsoft DirectX 7.0
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
HP Storage Management Appliance III
HP Storage Management Appliance II
HP Storage Management Appliance I
HP Storage Management Appliance 2.1
Avaya Messaging Application Server MM 3.1
Avaya Messaging Application Server MM 3.0
Avaya Messaging Application Server MM 2.0
Avaya Messaging Application Server MM 1.1
Avaya Messaging Application Server 0
[discussion]
DirectX is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data when parsing SAMI files.

An attacker could exploit this issue to execute arbitrary code within the privileges of the currently logged-in user. Failed exploit attempts may crash the application.

NOTE: Windows Media Player 6.4 on Windows 2000 was previously stated not to be an attack vector. The vendor has corrected this information to state that it is a possible attack vector.

[exploit]
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploit is available:

[solution]
Solution:
Microsoft has released updates and an advisory to address this issue. Please see the references for more information.
Microsoft DirectX 7.0

[references]
References: