copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Alert » AL-2007.0001 -- [Win][OSX] -- Apple QuickTime and iT...
 

AL-2007.0001 -- [Win][OSX] -- Apple QuickTime and iTunes RTSP buffer overflow
Date: 03 January 2007
References: ESB-2007.0044  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2007.0001 -- AUSCERT ALERT
                                [Win][OSX]
              Apple QuickTime and iTunes RTSP buffer overflow
                              4 January 2007

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Apple QuickTime 7.1.3 and prior
                      Apple iTunes 7.0.2 and prior
Publisher:            US-CERT
Operating System:     Windows
                      Mac OS X
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-0015

Original Bulletin:    http://www.kb.cert.org/vuls/id/442497

- --------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#442497
Apple QuickTime RTSP buffer overflow

Overview

	Apple QuickTime may allow remote arbitrary code to be executed via a
	long src parameter in RTSP URL strings.

I. Description

	A vulnerability exists in the way Apple QuickTime handles specially
	crafted Real Time Streaming Protocol (RTSP) URL strings. An attacker
	may be able to craft a QTL file to take advantage of this vulnerability.
	However, other attack vectors that do not involve QTL files may exist.
	According to MOAB-01-01-2007:

	    By supplying a specially crafted string (rtsp:// [random] +
	    semicolon + [299 bytes padding + payload]), an attacker could
	    overflow a stack-based buffer, using either HTML, Javascript
	    or a QTL file as attack vector, leading to an exploitable
	    remote arbitrary code execution condition.

	Note that since QuickTime is a component of Apple iTunes, iTunes
	installations are also affected by this vulnerability. We are aware
	of publicly available proof-of-concept code that exploits this
	vulnerability.

II. Impact

	A remote, unauthenticated attacker may be able to execute arbitrary
	code or cause a denial of service.

III. Solution

	We are unaware of a solution to this problem. Until a solution becomes
	available the following workarounds are strongly encouraged:


	Disable QuickTime in your web browser
	An attacker may be able to exploit this vulnerability by persuading
	a user to access a specially crafted file with a web browser. Disabling
	QuickTime in your web browser will defend against this attack vector.
	For more information, refer to the Securing Your Web Browser document.
	http://www.us-cert.gov/reading_room/securing_browser/

	Disable JavaScript
	For instructions on how to disable JavaScript, please refer to the
	Securing Your Web Browser document.
	http://www.us-cert.gov/reading_room/securing_browser/

	Disable file association for QTL files
	Disable the file association for QTL files to help prevent windows
	applications from using Apple QuickTime to open QTL files. This can
	be accomplished by deleting the following registry key:

	HKEY_CLASSES_ROOT\.qtl

	Note that this only prevents attacks that utilize files with a .QTL
	extension.

	Do not access QuickTime files from untrusted sources
	Attackers may host malicious QuickTime files on web sites. In order
	to convince users to visit their sites, those attackers often use a
	variety of techniques to create misleading links including URL encoding,
	IP address variations, long URLs, and intentional misspellings. Do
	not click on unsolicited links received in email, instant messages,
	web forums, or internet relay chat (IRC) channels. Type URLs directly
	into the browser to avoid these misleading links. While these are
	generally good security practices, following these behaviors will not
	prevent exploitation of this vulnerability in all cases, particularly
	if a trusted site has been compromised or allows cross-site scripting.

Systems Affected

	Vendor                  Status        Date Updated
	Apple Computer, Inc.    Vulnerable    2-Jan-2007

References

	http://secunia.com/advisories/23540/
	http://projects.info-pull.com/moab/MOAB-01-01-2007.html

Credit

	This issue was reported in MOAB-01-01-2007.
	http://projects.info-pull.com/moab/MOAB-01-01-2007.html

	This document was written by Chris Taschner.
	Other Information
	Date Public	01/02/2007
	Date First Published	01/02/2007 02:44:58 PM
	Date Last Updated	01/03/2007
	CERT Advisory	 
	CVE Name	CVE-2007-0015
	Metric	27.00
	Document Revision	22

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRZw/wyh9+71yA2DNAQI20gQAlI2L8b6Ir76H6kU2Pu2VyqqVk8rC4NJ0
OEP060x8yc+23M4g+6WoAyfRaahhNzjgv1Hu3KC0IwZQ9GlxLZlQYLeXkN1FCuqq
yeuCW0Yn1yw1dmVnxSqwI7sRfevgT/7LhFAUimdbv0Z8IjvoyJRIiECpXFwanHWn
LJB1gPGMPq8=
=UQiO
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1977&it=7154