CVE-2007-3901
Published 2007-12-12
CVE-2007-3901: Stack-based buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll for Microsoft DirectX 7.0 through 10.0…
Priority: high
CVSS 2.0: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 45.87% (98.7th percentile)
Stack-based buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll for Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted SAMI file.
Affected
15 ranges (all vendor microsoft, product directx; the source records no version bounds or fixed-in version for any of them)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | directx | — | — |
Detection & IOCs (extracted from sources)
- Malicious SAMI/SMI files served over HTTP with Content-Type application/smil trigger the overflow; monitor for .smi file requests to untrusted hosts from media player processes.
- The exploit delivers a crafted SAMI body with an oversized buffer (offset 22412 bytes) to overflow the stack in quartz.dll; anomalously large SAMI/SMI files or SAMI files with very long tag content should be flagged.
- A reverse shell connection back to the attacker on port 4444 from wmplayer.exe or a related DirectShow host process is a post-exploitation indicator.
- The exploit module uses EXITFUNC=process and a StackAdjustment of -3500; look for unusual stack pivot activity within quartz.dll loaded by media player processes.
- The Metasploit module's return address (0x75022ac4) and offset (22412) are specific to Windows 2000 Pro SP4 English with DirectX 8.0; exploitation against other OS/DirectX version combinations requires different offsets and return addresses.
- The Python PoC exploit was tested only on Windows 2000 SP4 English with DirectX 7.0 (4.07.00.0700); reliability on other platforms is unconfirmed.
- The Metasploit module was only tested with Windows Media Player version 6.4.09.1129 and DirectX 8.0; other DirectX versions (7.0–10.0) are vulnerable per the CVE but may require retargeting.
No detection rules found.
Exploit-DB: Microsoft DirectX DirectShow - SAMI Buffer Overflow (MS07-064) (Metasploit), published 2010-10-05
---
Excerpt of the module header (the class declaration and `initialize` lines were stripped by extraction and are restored in the standard Metasploit 3 form; the rest of the module is not reproduced here):
```ruby
##
# $Id: ms07_064_sami.rb 10550 2010-10-05 01:05:49Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft DirectX DirectShow SAMI Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the DirectShow Synchronized
				Accessible Media Interchanged (SAMI) parser in quartz.dll. This module
				has only been tested with Windows Media Player (6.4.09.1129) and
				DirectX 8.0.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10550 $',
```
Exploit-DB: Microsoft DirectX SAMI File Parsing - Remote Stack Overflow, published 2008-01-08, CVSS 8.5 [HIGH]
---
Excerpt of the PoC header (the script is truncated at this point in the source):
```python
#!/usr/bin/python
##########################################################################
# Bug discovered by Jun Mao of VeriSign iDefense
# https://www.securityfocus.com/bid/26789
# CVE-2007-3901
# Coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700)
#------------------------------------------------------------------------
# THX TO all the guys at www.offensive-security.com
# ESPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!!
# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
#------------------------------------------------------------------------
##########################################################################
# On Win
```
Metasploit: MS07-064 Microsoft DirectX DirectShow SAMI Buffer Overflow
This module exploits a stack buffer overflow in the DirectShow Synchronized Accessible Media Interchanged (SAMI) parser in quartz.dll. This module has only been tested with Windows Media Player (6.4.09.1129) and DirectX 8.0.
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=632
- http://secunia.com/advisories/28010
- http://www.iss.net/threats/280.html
- http://www.kb.cert.org/vuls/id/804089
- http://www.securityfocus.com/archive/1/485268/100/0/threaded
- http://www.securityfocus.com/bid/26789
- http://www.securitytracker.com/id?1019073
- http://www.us-cert.gov/cas/techalerts/TA07-345A.html
- http://www.vupen.com/english/advisories/2007/4180
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-064
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38721
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4520
- https://www.exploit-db.com/exploits/4866
Published: 2007-12-12