[NT] Microsoft DirectX 7 and 8 DirectShow Stack Buffer Overflow Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft DirectX 7 and 8 DirectShow Stack Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

Microsoft DirectShow, part of Microsoft DirectX, is "used for the capture
and playback of multimedia streams on Microsoft Windows systems.
Synchronized Accessible Media Interchange (SAMI) is a file format designed
by Microsoft Corp. to deliver captions, subtitles, or audio descriptions
synchronized with digital media content". Remote exploitation of a stack
buffer overflow vulnerability in Microsoft Corp.'s DirectShow could allow
an attacker to execute arbitrary code in the context of the current user.

DETAILS

Vulnerable Systems:
* Microsoft DirectX version 7.x
* Microsoft DirectX version 8.x

Immune Systems:
* Microsoft DirectX version 9.0c

This vulnerability exists in the DirextShow SAMI parser, which is
implemented in quartz.dll. When the SAMI parser copies parameters into a
stack buffer, it does not properly check the length of the parameter. As
such, parsing a specially crafted SAMI file can cause a stack-based buffer
overflow. This allows an attacker to execute arbitrary code.

Analysis:
Exploitation allows an attacker to execute arbitrary code in the context
of the current user.

In order to exploit this vulnerability, an attacker must persuade a user
to open a malicious SAMI file. This can be accomplished by hosting a
malicious SAMI file on a web site or by sending the malicious file to a
user via e-mail or instant message.

It is important to note that a SAMI file does not necessarily have to end
with a .smi or .sami extension. DirectShow will identify the file based on
the file contents.

If "Web View Content" is enabled in Windows Explorer, which is the default
setting, a single click will open the malicious file in the preview pane
and trigger the vulnerability.

DirectX 9.0c is listed as an optional update for Windows 2000 operating
system in Windows Update site. It is not listed as a critical update.
However, installing this update will remove this vulnerability.

Workaround:
To prevent exploitation of this vulnerability, upgrade to DirectX 9.0c or
newer.

If upgrading is not possible, you can prevent access to the vulnerable
code by un-registering quartz.dll as shown below. However, this workaround
will disable image, audio, and video rendering in DirectX-enabled
applications.

C:\> regsvr32 -u %windir%\system32\quartz.dll

Vendor response:
Microsoft has addressed this vulnerability within Microsoft Security
Bulletin MS07-064. For more information, consult their bulletin at the
following URL.
<http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3901>
CVE-2007-3901

Disclosure timeline:
09/28/2007 - Initial vendor notification
10/09/2007 - Initial vendor response
12/11/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=632>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=632



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.