__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\   /     \___
                          \___  __|__ /    \     \___
__________________________________________________________

                             INFORMATION BULLETIN

                      Apple QuickTime RTSP buffer overflow
                         [Vulnerability Note VU#442497]

January 3, 2007 18:00 GMT                                         Number R-095
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the handling of the rtsp:// URL
               handler. By supplying a specially crafted string, an attacker
               could overflow a stack-based buffer, using either HTML,
               JavaScript or a QTL file as the attack vector, leading to an
               exploitable remote arbitrary code execution condition.
PLATFORM:      QuickTime™ Version 7.1.3, Player Version 7.1.3. Previous
               versions are likely vulnerable as well. Both the Microsoft
               Windows and Mac OS X versions are affected.
DAMAGE:        A remote, unauthenticated attacker may be able to execute
               arbitrary code or cause a denial of service.
SOLUTION:      We are unaware of a solution to this problem. Until a solution
               becomes available, the following workarounds are strongly
               encouraged.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote attacker may be able to execute
ASSESSMENT:    arbitrary code.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-095.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/442497
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
______________________________________________________________________________

[***** Start Vulnerability Note VU#442497 *****]

Vulnerability Note VU#442497

Apple QuickTime RTSP buffer overflow

Overview

   Apple QuickTime may allow remote arbitrary code to be executed via a
   long src parameter in RTSP URL strings.

I. Description

   A vulnerability exists in the way Apple QuickTime handles specially
   crafted Real Time Streaming Protocol (RTSP) URL strings. An attacker
   may be able to craft a QTL file to take advantage of this
   vulnerability. However, other attack vectors that do not involve QTL
   files may exist. According to MOAB-01-01-2007:

      By supplying a specially crafted string (rtsp:// [random] +
      semicolon + [299 bytes padding + payload]), an attacker could
      overflow a stack-based buffer, using either HTML, Javascript or a
      QTL file as attack vector, leading to an exploitable remote
      arbitrary code execution condition.

   Note that since QuickTime is a component of Apple iTunes, iTunes
   installations are also affected by this vulnerability.

   We are aware of publicly available proof-of-concept code that
   exploits this vulnerability.

II. Impact

   A remote, unauthenticated attacker may be able to execute arbitrary
   code or cause a denial of service.

III. Solution

   We are unaware of a solution to this problem. Until a solution
   becomes available, the following workarounds are strongly encouraged:

   Disable QuickTime in your web browser

      An attacker may be able to exploit this vulnerability by persuading
      a user to access a specially crafted file with a web browser.
      Disabling QuickTime in your web browser will defend against this
      attack vector. For more information, refer to the Securing Your Web
      Browser document.

   Disable JavaScript

      For instructions on how to disable JavaScript, please refer to the
      Securing Your Web Browser document. Note that this addresses only
      the JavaScript vector; the plain HTML and QTL file vectors named in
      MOAB-01-01-2007 are unaffected by this step.

   Disable file association for QTL files

      Disable the file association for QTL files to help prevent Windows
      applications from using Apple QuickTime to open QTL files. This can
      be accomplished by deleting the following registry key:

         HKEY_CLASSES_ROOT\.qtl

      Note that this only prevents attacks that utilize files with a .QTL
      extension.

   Do not access QuickTime files from untrusted sources

      Attackers may host malicious QuickTime files on web sites. In order
      to convince users to visit their sites, those attackers often use a
      variety of techniques to create misleading links, including URL
      encoding, IP address variations, long URLs, and intentional
      misspellings. Do not click on unsolicited links received in email,
      instant messages, web forums, or Internet Relay Chat (IRC)
      channels. Type URLs directly into the browser to avoid these
      misleading links. While these are generally good security
      practices, following them will not prevent exploitation of this
      vulnerability in all cases, particularly if a trusted site has been
      compromised or allows cross-site scripting.

Systems Affected

   Vendor                  Status        Date Updated
   Apple Computer, Inc.    Vulnerable    2-Jan-2007

References

   http://secunia.com/advisories/23540/
   http://projects.info-pull.com/moab/MOAB-01-01-2007.html

Credit

   This issue was reported in MOAB-01-01-2007.

   This document was written by Chris Taschner.

Other Information

   Date Public              01/02/2007
   Date First Published     01/02/2007 02:44:58 PM
   Date Last Updated        01/03/2007
   CERT Advisory
   CVE Name                 CVE-2007-0015
   Metric                   27.00
   Document Revision        22

[***** End Vulnerability Note VU#442497 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
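The following C program is an added illustration of the bug class described in section I above; it is not Apple's code and not the MOAB proof of concept. It shows a hypothetical rtsp:// handler in two forms: the unsafe shape (an unbounded strcpy of everything after the first semicolon into a fixed stack buffer) next to a hardened shape that rejects oversized input, plus a triage check that flags any rtsp:// URL whose post-semicolon component reaches the 299-byte length quoted from MOAB-01-01-2007. The buffer size PARAM_BUF, the function names, and the constructed sample URLs are assumptions for the example; the real buffer size in QuickTime 7.1.3 is not published in this bulletin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the handler's parameter buffer. The real size in
 * QuickTime 7.1.3 is not given in the advisory; 256 is an assumption
 * chosen so that the 299 bytes of padding reported by MOAB-01-01-2007
 * overrun it. */
#define PARAM_BUF 256

/* Post-semicolon length reported by MOAB-01-01-2007 as the padding needed
 * before the payload. Used here only as a triage threshold. */
#define TRIGGER_LEN ((size_t)299)

/* Unsafe shape (illustrative, not Apple's code): everything after the
 * first ';' is copied into a fixed stack buffer with no length check.
 * Never call this with untrusted input. */
static int rtsp_parse_vulnerable(const char *url)
{
    char params[PARAM_BUF];
    const char *semi;

    if (strncmp(url, "rtsp://", 7) != 0)
        return -1;                       /* not an rtsp:// URL */
    semi = strchr(url, ';');
    if (semi == NULL)
        return 0;                        /* no parameter component */
    strcpy(params, semi + 1);            /* BUG: unbounded copy onto the stack */
    return (int)strlen(params);
}

/* Hardened shape: same parse, but the parameter component is checked
 * against the destination size and rejected (not silently truncated)
 * when it does not fit. Returns the parameter length, 0 if there is
 * none, -1 for a non-RTSP URL, -2 for an oversized component. */
static int rtsp_parse_hardened(const char *url, char *out, size_t outlen)
{
    const char *semi;
    size_t n;

    if (url == NULL || out == NULL || outlen == 0)
        return -1;
    if (strncmp(url, "rtsp://", 7) != 0)
        return -1;
    semi = strchr(url, ';');
    if (semi == NULL) {
        out[0] = '\0';
        return 0;
    }
    n = strlen(semi + 1);
    if (n >= outlen)
        return -2;                       /* too long: reject, do not truncate */
    memcpy(out, semi + 1, n + 1);        /* n + 1 copies the terminating NUL */
    return (int)n;
}

/* Triage heuristic for URLs pulled out of HTML, script or QTL content:
 * 1 if the URL is rtsp:// with a post-semicolon component of at least
 * TRIGGER_LEN bytes, 0 otherwise. */
static int rtsp_url_is_suspicious(const char *url)
{
    const char *semi;

    if (strncmp(url, "rtsp://", 7) != 0)
        return 0;
    semi = strchr(url, ';');
    if (semi == NULL)
        return 0;
    return strlen(semi + 1) >= TRIGGER_LEN;
}

/* Constructed input of the shape the advisory describes:
 * "rtsp://" + host + ';' + pad bytes of 'A'. Caller frees the result. */
static char *build_rtsp_url(const char *host, size_t pad)
{
    size_t hostlen = strlen(host);
    size_t len = 7 + hostlen + 1 + pad;
    char *u = malloc(len + 1);

    if (u == NULL)
        return NULL;
    memcpy(u, "rtsp://", 7);
    memcpy(u + 7, host, hostlen);
    u[7 + hostlen] = ';';
    memset(u + 7 + hostlen + 1, 'A', pad);
    u[len] = '\0';
    return u;
}

/* Run the hardened parser with a PARAM_BUF-sized destination. */
static int check_url(const char *url)
{
    char params[PARAM_BUF];
    return rtsp_parse_hardened(url, params, sizeof params);
}

/* Build a constructed URL, run the hardened parser on it, free it. */
static int check_built_url(const char *host, size_t pad)
{
    char *u = build_rtsp_url(host, pad);
    int rc;

    if (u == NULL)
        return -3;
    rc = check_url(u);
    free(u);
    return rc;
}

/* Build a constructed URL and run the triage heuristic on it. */
static int built_url_is_suspicious(const char *host, size_t pad)
{
    char *u = build_rtsp_url(host, pad);
    int rc;

    if (u == NULL)
        return -3;
    rc = rtsp_url_is_suspicious(u);
    free(u);
    return rc;
}

int main(void)
{
    const char *benign = "rtsp://example.invalid/stream;key=1";   /* constructed */
    char *crafted = build_rtsp_url("example.invalid/x", TRIGGER_LEN);

    if (crafted == NULL)
        return 1;
    /* The unsafe parser is only ever given the short, constructed input. */
    printf("benign : vulnerable rc=%d hardened rc=%d suspicious=%d\n",
           rtsp_parse_vulnerable(benign), check_url(benign),
           rtsp_url_is_suspicious(benign));
    printf("crafted: hardened rc=%d suspicious=%d "
           "(unsafe form would strcpy %zu bytes into a %d-byte buffer)\n",
           check_url(crafted), rtsp_url_is_suspicious(crafted),
           strlen(strchr(crafted, ';') + 1), PARAM_BUF);
    free(crafted);
    return 0;
}
```

The hardened parser returns -2 rather than truncating because a truncated parameter string would let the caller continue with a URL it never validated; rejecting the request is the behaviour a URL handler should have for input it cannot represent. The triage threshold is deliberately tied to the length quoted in the advisory so it can be tuned down once the real buffer size is known.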
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-085: Privilege Escalation Using Watch Point
R-086: LiveConnect Crash Finalizing JS Objects
R-087: XSS by Setting img.src to JavaScript: URI
R-088: Mozilla SVG Processing Remote Code Execution
R-089: Mail Header Processing Heap Overflows
R-090: XSS Using Outer Window's Function Object
R-091: Tar Security Update
R-092: Novell NetWare Client for Windows Vulnerabilities
R-093: Security Vulnerabilities in the Java Runtime Environment
R-094: Crashes with Evidence of Memory Corruption