Microsoft DirectX DirectShow SAMI code execution (SAMI_DirectShow_Overflow)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology:

This signature detects SAMI file specially crafted to overflow a buffer, allowing code execution.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Network IPS: XPU 27.120, Proventia Desktop: 2130, Proventia Network MFS: XPU 27.120, Proventia-G 1.1 and earlier: XPU 27.120, Proventia Server IPS for Linux technology: 27.120, RealSecure Network: XPU 27.120, RealSecure Server Sensor: XPU 27.120, BlackICE PC Protection: 3.6cqs, BlackICE Server Protection: 3.6.cqs, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2130

Systems affected

Microsoft DirectX: 7.0, Microsoft DirectX: 8.1, Microsoft Windows 2000: SP4

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft DirectShow, which is part of Microsoft DirectX, could allow a remote attacker to execute arbitrary code on the system, caused by improper parsing of Synchronized Accessible Media Interchange (SAMI) files. By persuading a victim to open a specially-crafted SAMI file, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS07-064
Vulnerabilities in DirectShow Could Allow Remote Code Execution (941568)
http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx

IBM Internet Security Systems Protection Alert Dec. 11, 2007
Multiple Microsoft DirectShow Remote Code Execution Vulnerabilities
http://www.iss.net/threats/280.html

iDefense PUBLIC ADVISORY: 12.11.07
Microsoft DirectX 7 and 8 DirectShow Stack Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=632

Microsoft Security Bulletin MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx

ISS X-Force
Microsoft DirectX DirectShow SAMI code execution
http://www.iss.net/security_center/static/38721.php

CVE
CVE-2007-3901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3901