Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)

Vulnerabilities in DirectX Could Allow Remote Code Executio

Reporter	Title	Published	Views	Family All 18
Check Point Advisories	Microsoft Media Player SAMI Format Parsing Code Execution (MS08-033; CVE-2008-1444)	10 Jun 200800:00	–	checkpoint_advisories
Check Point Advisories	Update Protection against Microsoft MJPEG Decoder Vulnerability (MS08-033)	8 Jul 200800:00	–	checkpoint_advisories
Check Point Advisories	Microsoft DirectX Crafted MJPEG Stream Handling Code Execution (MS08-033; CVE-2008-0011)	14 Feb 201000:00	–	checkpoint_advisories
Check Point Advisories	Microsoft DirectX Crafted MJPEG Stream Handling Code Execution - Ver2 (CVE-2008-0011)	3 Mar 201400:00	–	checkpoint_advisories
CVE	CVE-2008-0011	12 Jun 200801:30	–	cve
CVE	CVE-2008-1444	12 Jun 200801:30	–	cve
Cvelist	CVE-2008-0011	12 Jun 200801:30	–	cvelist
Cvelist	CVE-2008-1444	12 Jun 200801:30	–	cvelist
NVD	CVE-2008-0011	12 Jun 200802:32	–	nvd
NVD	CVE-2008-1444	12 Jun 200802:32	–	nvd

Source	Link
frsirt	www.frsirt.com/english/advisories/2008/1780
us-cert	www.us-cert.gov/cas/techalerts/TA08-162B.html
secunia	www.secunia.com/advisories/30579
zerodayinitiative	www.zerodayinitiative.com/advisories/ZDI-08-040/
microsoft	www.microsoft.com/technet/security/bulletin/ms08-033.mspx

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ms08-033.nasl 5863 2017-04-05 07:38:11Z antu123 $
#
# Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
#
# Authors:
# Veerendra GG <[email protected]>
#
# Updated by Madhuri D <[email protected]> on 2010-12-09
#  - To detect the 'quartz.dll' file version on Windows vista and 2008 server
#
# Copyright:
# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploitation allows remote attackers to execute arbitrary code when
  a user opens a specially crafted media file. An attacker could take complete
  control of an affected system.
  Impact Level: System";
tag_summary = "This host has DirectX installed, which is prone to remote code
  execution vulnerabilities.";

tag_affected = "DirectX 7.0, 8.1, 9.0, 9.0a, 9.0b and 9.0c on Microsoft Windows 2000
  DirectX 9.0, 9.0a, 9.0b and 9.0c on Microsoft Windows XP and 2003
  DirectX 10.0 on Microsoft Windows Vista and 2008 Server";
tag_insight = "The flaws are due to
  - error in the Windows MJPEG Codec when performing error checking on MJPEG
    video streams embedded in ASF or AVI media files which can be exploited
    with a specially crafted MJPEG file.
  - error in the parsing of Class Name variables in Synchronized Accessible
    Media Interchange (SAMI) files which can be exploited with a specially
    crafted SAMI file.";
tag_solution = "Run Windows Update and update the listed hotfixes or download and update
  mentioned hotfixes in the advisory from the below link.
  http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx";

if(description)
{
  script_id(800104);
  script_version("$Revision: 5863 $");
  script_tag(name:"last_modification", value:"$Date: 2017-04-05 09:38:11 +0200 (Wed, 05 Apr 2017) $");
  script_tag(name:"creation_date", value:"2008-09-30 14:16:17 +0200 (Tue, 30 Sep 2008)");
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_cve_id("CVE-2008-0011","CVE-2008-1444");
  script_bugtraq_id(29581, 29578);
  script_xref(name:"CB-A", value:"08-0097");
  script_name("Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)");
  script_xref(name : "URL" , value : "http://secunia.com/advisories/30579");
  script_xref(name : "URL" , value : "http://www.frsirt.com/english/advisories/2008/1780");
  script_xref(name : "URL" , value : "http://www.us-cert.gov/cas/techalerts/TA08-162B.html");
  script_xref(name : "URL" , value : "http://www.zerodayinitiative.com/advisories/ZDI-08-040/");
  script_xref(name : "URL" , value : "http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx");

  script_category(ACT_GATHER_INFO);
  script_tag(name:"qod_type", value:"executable_version");
  script_copyright("Copyright (C) 2008 Intevation GmbH");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_reg_enum.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");

  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

# Check the hotfix applicability to each OS
if(hotfix_check_sp(win2k:5, xp:4, win2003:3, win2008:2, winVista:2) <= 0){
  exit(0);
}

dllFile = smb_get_system32root();
if(!dllFile){
  exit(0);
}

dllFile += "\quartz.dll";

# Check DirectX is installed
directXver = registry_get_sz(key:"SOFTWARE\Microsoft\DirectX", item:"Version");
if(!egrep(pattern:"^4\.0[7-9]\..*", string:directXver)){
  exit(0);
}

# MS08-033 Hotfix check
if(hotfix_missing(name:"951698") == 0){
  exit(0);
}

if(hotfix_check_sp(win2k:5) > 0)
{
  if(egrep(pattern:"^4\.07", string:directXver))
  {
    fileVer = get_version(dllPath:dllFile, string:"prod", offs:600000);
    if(fileVer == NULL){
      exit(0);
    }

    # Grep Quartz.dll version < 6.1.9.734
    if(egrep(pattern:"^6\.01\.09\.0?([0-6]?[0-9]?[0-9]|7([0-2][0-9]|3[0-3]))$",
             string:fileVer)){
      security_message(0);
    }
  }
  else if(egrep(pattern:"^4\.08", string:directXver))
  {
    # Grep Quartz.dll version < 6.3.1.891
    if(egrep(pattern:"^6\.03\.01\.0?([0-7]?[0-9]?[0-9]|8([0-8][0-9]|90))$",
             string:fileVer)){
      security_message(0);
    }
  }
  else if(egrep(pattern:"^4\.09", string:directXver))
  {
    # Grep Quartz.dll version < 6.5.1.909
    if(egrep(pattern:"^6\.05\.0?1\.0?([0-8]?[0-9]?[0-9]|90[0-8])$",
             string:fileVer)){
      security_message(0);
    }
    # Grep Quartz.dll version < 6.5.2600.1316
    else if(egrep(pattern:"^6\.05\.2600\.(0?[0-9]?[0-9]?[0-9]|1([0-2][0-9]" +
                       "[0-9]|3(0[0-9]|1[0-5])))$", string:fileVer)){
      security_message(0);
    }
  }
  exit(0);
}

if(hotfix_check_sp(xp:4) > 0)
{
  if(egrep(pattern:"^4\.09", string:directXver))
  {
    fileVer = get_version(dllPath:dllFile, string:"prod", offs:600000);;
    if(fileVer == NULL){
      exit(0);
    }

    SP = get_kb_item("SMB/WinXP/ServicePack");
    if("Service Pack 2" >< SP)
    {
      # Grep Quartz.dll version < 6.5.2600.3367
      if(egrep(pattern:"^6\.05\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3([0-2][0-9]" +
                       "[0-9]|3([0-5][0-9]|6[0-6])))$", string:fileVer)){
        security_message(0);
      }
    }
    else if("Service Pack 3" >< SP)
    {
      # Grep Quartz.dll version < 6.5.2600.5596
      if(egrep(pattern:"^6\.05\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5([0-4][0-9]" +
                       "[0-9]|5([0-8][0-9]|9[0-5])))$", string:fileVer)){
        security_message(0);
      }
    }
  }
  exit(0);
}

if(hotfix_check_sp(win2003:3) > 0)
{
  if(egrep(pattern:"^4\.09", string:directXver))
  {
    fileVer = get_version(dllPath:dllFile, string:"prod", offs:600000);
    if(fileVer == NULL){
      exit(0);
    }

    SP = get_kb_item("SMB/Win2003/ServicePack");
    if("Service Pack 1" >< SP)
    {
      # Grep Quartz.dll version < 6.5.3790.3130
      if(egrep(pattern:"^6\.05\.3790\.([0-2]?[0-9]?[0-9]?[0-9]|3(0[0-9]" +
                       "[0-9]|1[0-2][0-9]))$", string:fileVer)){
        security_message(0);
      }
    }
    else if("Service Pack 2" >< SP)
    {
      # Grep Quartz.dll version < 6.5.3790.4283
      if(egrep(pattern:"^6\.05\.3790\.([0-3]?[0-9]?[0-9]?[0-9]|4([01][0-9]" +
                       "[0-9]|2([0-7][0-9]|8[0-2])))$", string:fileVer)){
        security_message(0);
      }
    }
  }
}

## Get the 'Quartz.dll' path for Windows Vista and 2008 Server
dllPath = smb_get_system32root();
if(!dllPath){
  exit(0);
}

fileVer =  fetch_file_version(sysPath:dllPath, file_name:"\Quartz.dll");
if(fileVer)
{
  # Windows Vista
  if(hotfix_check_sp(winVista:2) > 0)
  {
    SP = get_kb_item("SMB/WinVista/ServicePack");
    if("Service Pack 1" >< SP)
    {
      # Grep for Quartz.dll version  < 6.6.6001.18063
      if(version_is_less(version:fileVer, test_version:"6.6.6001.18063")){
          security_message(0);
      }
      exit(0);
    }
  }

  # Windows Server 2008
  else if(hotfix_check_sp(win2008:2) > 0)
  {
    SP = get_kb_item("SMB/Win2008/ServicePack");
    if("Service Pack 1" >< SP)
    {
      # Grep for Quartz.dll version  < 6.6.6001.18063
      if(version_is_less(version:fileVer, test_version:"6.6.6001.18063")){
          security_message(0);
      }
      exit(0);
    }
  }
}

05 Apr 2017 00:00Current

0.6Low risk

Vulners AI Score0.6

EPSS0.62306