Microsoft DirectX SAMI File Parsing Stack Buffer Overflow Vulnerability

Bugtraq ID:	26789
Class:	Boundary Condition Error
CVE:	CVE-2007-3901
Remote:	Yes
Local:	No
Published:	Dec 11 2007 12:00AM
Updated:	Jan 12 2008 12:59AM
Credit:	Jun Mao of VeriSign iDefense is credited with the discovery of this vulnerability.
Vulnerable:	Nortel Networks Centrex IP Client Manager 9.0 Nortel Networks Centrex IP Client Manager 10.0 Nortel Networks CallPilot 703t Nortel Networks CallPilot 702t Nortel Networks CallPilot 201i Nortel Networks CallPilot 200i Nortel Networks CallPilot 1002rp Microsoft DirectX 8.1 Microsoft DirectX 7.0 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server HP Storage Management Appliance III HP Storage Management Appliance II HP Storage Management Appliance I HP Storage Management Appliance 2.1 Avaya Messaging Application Server MM 3.1 Avaya Messaging Application Server MM 3.0 Avaya Messaging Application Server MM 2.0 Avaya Messaging Application Server MM 1.1 Avaya Messaging Application Server 0

[discussion]
DirectX is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data

An attacker could exploit this issue to execute arbitrary code within the privileges of the currently logged-in user. Failed exploit attempts may crash the application.

NOTE: Windows Media Player 6.4 on Windows 2000 was previously stated not to be an attack vector. The vendor has corrected this information to state that it is a possible attack vector.

[exploit]
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploit is available:

• /data/vulnerabilities/exploits/26789.py

[solution]
Solution:
Microsoft has released updates and an advisory to address this issue. Please see the references for more information.


Microsoft DirectX 7.0

• Microsoft Security Update for Windows 2000 (KB941568)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=06196774-5a11 -4525-b53c-8cb000738949&displaylang=en
  

[references]
References:

• ASA-2007-514 - MS07-064 Vulnerabilities in DirectX Could Allow Remote Code Execu (Avaya)
  
• Microsoft DirectX 7 and 8 DirectShow Stack Buffer Overflow Vulnerability (iDefense Labs)
  
• Microsoft DirectX Web Site (Microsoft)
  
• iDefense Security Advisory 12.11.07: Microsoft DirectX 7 and 8 DirectShow (iDefense Labs )
  
• Centrex IP Client Manager (CICM) response to Microsoft December security bulleti (Nortel Networks)
  
• Microsoft Security Bulletin MS07-064 (Microsoft)
  
• Nortel Response to Microsoft Security Bulletin MS07-064 (Nortel Networks)
  
• Vulnerability Note VU#804089 Microsoft DirectX SAMI parsing buffer overflow (US-CERT)