Date: 13 January 2008
References: AL-2008.0013
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0004 -- AUSCERT ALERT
[Win][Mac][OSX]
Apple QuickTime RTSP Response message Reason-Phrase buffer
overflow vulnerability
14 January 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: Apple QuickTime
Publisher: US-CERT
Operating System: Windows
Mac OS
Mac OS X
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2008-0234
Original Bulletin: http://www.kb.cert.org/vuls/id/112179
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#112179
Apple QuickTime RTSP Response message Reason-Phrase buffer overflow
vulnerability
Overview
Apple QuickTime contains a buffer overflow vulnerability that may allow
a remote, unauthenticated attacker to cause a denial-of-service condition
and possibly execute arbitrary code.
I. Description
Real Time Streaming Protocol (RTSP) is a protocol that is used by
streaming media systems. Apple QuickTime Streaming Server and QuickTime
Player both support RTSP.
Apple QuickTime contains a buffer overflow vulnerability in the way
QuickTime handles RTSP response messages. For some RTSP Status-Codes,
QuickTime displays the Reason-Phrase (see RFC 2326). When attempting to
display a specially crafted Reason-Phrase, QuickTime Player crashes at a
memory location that can be controlled by an attacker.
This vulnerability may be exploited by convincing a user to connect to a
specially crafted RTSP stream. Note that QuickTime is a component of
Apple iTunes, therefore iTunes installations are also affected by this
vulnerability. Apple Mac OS X and Microsoft Windows versions of QuickTime
are affected.
We are aware of publicly available proof-of-concept code for this
vulnerability.
II. Impact
By convincing a user to connect to a specially crafted RTSP stream, a
remote attacker may be able to cause a denial of service or execute
arbitrary code on a vulnerable system. An attacker can use various types
of web page content, including a QuickTime Media Link file, to cause a
user to load an RTSP stream.
III. Solution
We are currently unaware of a practical solution to this problem.
Uninstall QuickTime
Until updates are available, uninstalling QuickTime will mitigate this
vulnerability. Note that uninstalling QuickTime will make applications
that rely on QuickTime (such as iTunes) fail to run or run with limited
functionality.
Block the rtsp:// protocol
Blocking the RTSP protocol with proxy or firewall rules may help mitigate
this vulnerability.
* Blocking outbound access to 554/tcp and 6970-6999/udp may partially
mitigate this vulnerability. Since RTSP may use a variety of port
numbers, blocking the protocol based on a particular port may not be
sufficient.
* Content-filtering, proxy servers and application firewalls may also be
used to block the RTSP protocol.
Secure your web browser
Follow the guidelines described in the Securing Your Web Browser
document (http://www.us-cert.gov/reading_room/securing_browser/)
These guidelines include several mitigations against this
vulnerability, such as disabling downloads from untrusted sites in
Internet Explorer on Microsoft Windows systems and disabling the option
to Open \"safe\" files after downloading in Safari on Apple Mac systems.
Disable the QuickTime ActiveX controls in Internet Explorer
The QuickTime ActiveX controls can be disabled in Internet Explorer by
setting the kill bit for the following CLSIDs:
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
{4063BE15-3B08-470D-A0D5-B37161CFFD69}
More information about how to set the kill bit is available in Microsoft
Support Document 240797. Alternatively, the following text can be saved
as a .REG file and imported to set the kill bit for these controls:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
\"Compatibility Flags\"=dword:00000400
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]
\"Compatibility Flags\"=dword:00000400
Disable the QuickTime plug-in for Mozilla-based browsers
Users of Mozilla-based browsers such as Firefox can disable the
QuickTime plugin, as specified in the PluginDoc article Uninstalling
Plugins, or by using the NoScript plugin.
Disable the RTSP protocol handler
Mac OS X users can disable the RTSP protocol handler by editing the
~/Library/Preferences/com.apple.LaunchServices.plist file with Property
List Editor. Change the LSHandlerRoleAll value associated with the rtsp
LSHanlderURLScheme to something other than com.apple.quicktimeplayer.
This process can be simplified by using an application such as
RCDefaultApp. Microsoft Windows users should not need to make any
changes, as QuickTime does not appear to register itself as the handler
for the RTSP protocol on Windows systems.
Disable file association for QuickTime files
Disable the file association for QuickTime file types to help prevent
windows applications from using Apple QuickTime to open QuickTime files.
This can be accomplished by deleting the following registry keys:
HKEY_CLASSES_ROOT\\QuickTime.*
This will remove the association for approximately 32 file types that
are configured to open with the QuickTime Player software.
Disable QuickTime as the RTSP protocol handler on OS X
To disable the RTSP registered protocol handler in OS X open
~/Library/Preferences/com.apple.LaunchServices.plist and look through a
hundred or more entries to find RTSP and change it to something else.
Disable JavaScript
For instructions on how to disable JavaScript, please refer to the
Securing Your Web Browser document. This can help prevent some attack
techniques that use the QuickTime plug-in or ActiveX control.
Do not access QuickTime files from untrusted sources
Attackers may host malicious QuickTime files on web sites. In order to
convince users to visit their sites, those attackers often use a variety
of techniques to create misleading links including URL encoding, IP
address variations, long URLs, and intentional misspellings. Do not
click on unsolicited links received in email, instant messages, web
forums, or internet relay chat (IRC) channels. Type URLs directly into
the browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.
Systems Affected
Vendor Status Date Updated
Apple Computer, Inc. Vulnerable 10-Jan-2008
References
http://www.milw0rm.com/exploits/4885
http://tools.ietf.org/html/rfc2326
http://noscript.net/features#contentblocking
http://www.us-cert.gov/reading_room/securing_browser/
http://plugindoc.mozdev.org/faqs/uninstall.html
http://support.microsoft.com/kb/240797
Credit
This vulnerability was disclosed by Luigi Auriemma.
This document was written by Ryan Giobbi, Chris Taschner, Will Dorman
and Art Manion.
Other Information
Date Public 01/10/2008
Date First Published 01/10/2008 06:08:09 PM
Date Last Updated 01/10/2008
CERT Advisory
CVE Name
Metric 13.47
Document Revision 23
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation\'s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT\'s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation\'s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author\'s website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR4rAvih9+71yA2DNAQLx5AP/RoV8Js9JH7QmF5NPeNagwbC2/FYBcXVq
b1OLVCygJoyvEL8432yINTpg7JU/r7RLIzJdEDp3ImCbtqaZGY8n2RGWvyybMf2n
dLiS8AIdlOY+lm2obr+E9WZLCNW/AcC5TRE86/xEH2myU9cnfiydEQllfl1Hy277
utg8Y/K9jhM=
=rS+Q
-----END PGP SIGNATURE-----
|