Microsoft Windows DirectX SAMI buffer overflow (SAMI_WMP_Overflow)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Server IPS for Linux technology, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology:

This signature detects a malformed SAMI file that could exploit a vulnerability in quartz.dll (the DirectShow runtime that Windows Media Player uses to parse SAMI caption files) to allow remote code execution.


Default risk level

High

Sensors that have this signature

Proventia Desktop: 2210, Proventia Network IPS: XPU 28.070, Proventia Network MFS: XPU 28.070, Proventia-G 1.1 and earlier: XPU 28.070, Proventia Server IPS for Linux technology: 28.070, RealSecure Server Sensor: XPU 28.070, RealSecure Network: XPU 28.070, BlackICE PC Protection: 3.6.cra, BlackICE Server Protection: 3.6.cra, Proventia Server IPS for Microsoft Windows technology: 2.0.300.2210, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2210

Systems affected

HP Storage Management Appliance: 2.1, Microsoft DirectX: 8.1, Microsoft DirectX: 7.0

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows DirectX is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of the Synchronized Accessible Media Interchange (SAMI) "Class Name" parameter. By persuading a victim to open a specially-crafted SAMI file, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user who opened the file.
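The following is an added example, not code from this advisory or from Microsoft's quartz.dll: a small model of a SAMI STYLE-block "Name:" value parser that shows the unchecked-copy pattern the description above refers to beside a bounds-checked version, and the shape of input (an over-long class name) a malformed-file signature has to flag. The buffer size NAME_BUF, the function names and both sample documents are assumptions made for illustration; the real parser's internals and buffer sizes are not given on this page.

```c
/*
 * Added example (not the advisory's or Microsoft's code): a model of a SAMI
 * "Name:" value parser. NAME_BUF, the function names and the sample
 * documents are assumptions for illustration only.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_BUF 32   /* assumed fixed-size stack buffer for the class name */

/* Constructed benign SAMI document: one STYLE class with a short Name value. */
static const char SAMI_BENIGN[] =
    "<SAMI><HEAD><STYLE TYPE=\"text/css\"><!--\n"
    ".ENUSCC { Name: English; lang: en-US; SAMIType: CC; }\n"
    "--></STYLE></HEAD><BODY>\n"
    "<SYNC Start=0><P Class=ENUSCC>Hello</P></SYNC></BODY></SAMI>\n";

/* Build a constructed SAMI document whose Name value is name_len 'A' bytes,
   i.e. the kind of input a malformed-file signature has to recognise. */
const char *sami_with_name_len(size_t name_len) {
    static char doc[1024];
    if (name_len > 512) name_len = 512;           /* keep inside doc[] */
    int n = snprintf(doc, sizeof doc,
                     "<SAMI><HEAD><STYLE TYPE=\"text/css\"><!--\n.X { Name: ");
    memset(doc + n, 'A', name_len);
    n += (int)name_len;
    snprintf(doc + n, sizeof doc - n,
             "; lang: en-US; }\n--></STYLE></HEAD></SAMI>\n");
    return doc;
}

/* Find the value of the first "Name:" property in a STYLE class block.
   Sets *len to the value length (up to the next ';' or '}') and returns
   a pointer to its first byte, or NULL if the property is absent. */
static const char *find_class_name(const char *sami, size_t *len) {
    const char *p = strstr(sami, "Name:");
    if (!p) return NULL;
    p += strlen("Name:");
    while (*p == ' ' || *p == '\t') p++;
    const char *end = p;
    while (*end && *end != ';' && *end != '}') end++;
    *len = (size_t)(end - p);
    return p;
}

/* Vulnerable pattern: the attacker-controlled value is copied into a fixed
   stack buffer with no length check, so a Name longer than NAME_BUF - 1
   bytes overwrites the stack (undefined behaviour). Shown only to
   illustrate the bug class; never call it on untrusted input. */
int parse_class_name_vulnerable(const char *sami, char *out) {
    char name[NAME_BUF];
    size_t len;
    const char *v = find_class_name(sami, &len);
    if (!v) return -1;
    memcpy(name, v, len);          /* no bounds check: stack overflow */
    name[len] = '\0';
    strcpy(out, name);
    return 0;
}

/* Hardened version: the length is validated against both the internal
   limit and the caller's buffer before anything is copied; over-long
   values are rejected rather than truncated, so the file is treated as
   malformed instead of silently accepted. */
int parse_class_name_checked(const char *sami, char *out, size_t outsz) {
    size_t len;
    const char *v = find_class_name(sami, &len);
    if (!v) return -1;                               /* no Name: property */
    if (len >= NAME_BUF || len >= outsz) return -2;  /* malformed: too long */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Status of the checked parser for a whole document:
   0 = well-formed, -1 = no Name: property, -2 = over-long (malformed). */
int classify_sami(const char *sami) {
    char out[NAME_BUF];
    return parse_class_name_checked(sami, out, sizeof out);
}

int main(void) {
    char out[NAME_BUF];
    if (parse_class_name_checked(SAMI_BENIGN, out, sizeof out) == 0)
        printf("benign document: Name=\"%s\"\n", out);
    printf("200-byte Name value: status %d (rejected as malformed)\n",
           classify_sami(sami_with_name_len(200)));
    return 0;
}
```

The rejection threshold (NAME_BUF - 1 bytes) is the example's own; a detection signature for this bug would similarly key on a Name value that is implausibly long for a caption-language label rather than on any particular byte pattern.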

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-033. See References.

For other affected products:
Apply the appropriate update for your system. See References.

References

Microsoft Security Bulletin MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx

ZDI-08-040
Microsoft DirectX SAMI File Format Name Parsing Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-040/

NORTEL BULLETIN ID: 2008008891, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft June security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=734247

NORTEL BULLETIN ID: 2008008897, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-033
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=734154

ISS X-Force
Microsoft Windows DirectX SAMI buffer overflow
http://www.iss.net/security_center/static/42674.php

CVE
CVE-2008-1444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1444