[NT] Apple QuickTime ActiveX Buffer Overrun

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 11 Sep 2002 17:13:06 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Apple QuickTime ActiveX Buffer Overrun
------------------------------------------------------------------------

SUMMARY

Apple's QuickTime ActiveX has been found to contain a security
vulnerability. The vulnerability is a buffer overflow condition that can
result in execution of arbitrary code.

DETAILS

Vulnerable systems:
 * Apple QuickTime ActiveX version 5.0.2

Apple QuickTime <http://www.quicktime.com> is the media player used by a
large number of distributors for high quality video and audio based media.
Version 5.0 has been downloaded over 100,000,000 times. There is a buffer
overrun caused by the way that the QuickTime ActiveX component handles the
"pluginspage" field when parsed from a malicious remote or local HTML
page. This can allow the execution of arbitrary computer code on the
computer viewing the malicious web page. The QuickTime ActiveX component
is commonly used for movie trailers (i.e. those located at
http://www.apple.com/trailers/) and other streaming or static media
technologies when they are embedded in a web page.

Details:
To exploit this vulnerability an attacker would need to get his or her
target to open a malicious HTML file as an attachment to an email message,
as a file on the local or network file system, or as a file via HTTP. Most
likely, this would be accomplished by embedding a link to a vulnerable web
site in an email message or another web page. If the malicious HTML file
is opened, it will cause QuickTime to execute the arbitrary computer code
contained within the HTML page.

Take the following example HTML page:

        ---- Begin Sample HTML
        <OBJ7ECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
          WIDTH="480" HEIGHT="376">
          <PA7RAM NAME="src" VALUE="test.mov">
          <PA7RAM NAME="controller" VALUE="false">
          <PA7RAM NAME="target" VALUE="myself">
          <PA7RAM NAME="href" VALUE="test.mov">
          <PA7RAM NAME="pluginspage" VALUE="insert overly long string here">
          <EM7BED WIDTH="480" HEIGHT="376" CONTROLLER="false"
          TARGET="myself" HREF="test2.mov"
          SRC="test.mov"
          BGCOLOR="FFFFFF"
          BORDER="0"
          PLUGINSPAGE="insert overly long string here">
          </EM7BED>
        </OB7JECT>
        ---- End Sample HTML

[note: remove the '7's in the tags above to create valid HTML]

This sample HTML, when edited to insert an overly long string, will cause
an exception that is exploitable.

It is possible for an attacker to specify a codebase that will download a
vulnerable version of the ActiveX component.

This is a good example of why not to trust *ANY* ActiveX components from
any unknown source even if the site is considered safe and the ActiveX
component is signed on behalf of a trusted organization.

Vendor Response:
Apple was notified of this issue by @stake on May 13, 2002.
Apple has resolved this issue within QuickTime 6, which can be downloaded
from http://www.apple.com/quicktime/.

Recommendation:
If you use QuickTime, upgrade to QuickTime 6. If you are a web site that
hosts the qtplugin.cab file you should upgrade to version 6.

You should never open attachments/webpages that come from unknown sources
no matter how benign they may appear. Be wary of those that come from
known sources.

You can set the "kill bit" for a known vulnerable ActiveX component by
editing the registry. This will keep Internet Explorer from executing the
vulnerable component. Directions for setting the kill bit are at:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q240797&
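
The kill bit edit described above, as an added example that is not code from the advisory, from @stake or from Microsoft. It is written in Python so the .reg file can be produced on any machine and then imported on the affected Windows hosts; the registry key path and the 0x400 flag value follow the Microsoft article cited above, the CLSID is the one in the sample HTML, and the names normalize_clsid, set_kill_bit, is_kill_bit_set and kill_bit_reg_file are chosen here:

```python
# Added example (not part of the SecuriTeam/@stake advisory): builds a .reg
# file that sets the Internet Explorer "kill bit" for the QuickTime control.
# Assumption, per the Microsoft article referenced in the advisory: the kill
# bit is the 0x400 bit of the REG_DWORD "Compatibility Flags" value under
# the ActiveX Compatibility key, and any other flags already present in
# that value must be preserved (hence OR, not overwrite).
import re

QUICKTIME_CLSID = "02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"  # from the advisory's sample HTML
KILL_BIT = 0x00000400  # kill-bit flag in "Compatibility Flags"
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
                      r"\Internet Explorer\ActiveX Compatibility")
_CLSID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")


def normalize_clsid(clsid):
    """Return the CLSID in the braced, upper-case form the registry key uses.

    Accepts "clsid:...", "{...}" or the bare form as found in HTML."""
    bare = clsid.strip().strip("{}").upper()
    if bare.startswith("CLSID:"):
        bare = bare[len("CLSID:"):]
    if not _CLSID_RE.match(bare):
        raise ValueError("not a CLSID: %r" % clsid)
    return "{" + bare + "}"


def set_kill_bit(flags):
    """OR the kill bit into an existing Compatibility Flags value."""
    return flags | KILL_BIT


def is_kill_bit_set(flags):
    """True when a Compatibility Flags value already carries the kill bit."""
    return bool(flags & KILL_BIT)


def kill_bit_reg_file(clsid, existing_flags=0):
    """Produce REGEDIT-importable text for the control's kill bit.

    existing_flags should be the control's current Compatibility Flags
    value (0 if the key does not exist yet) so other flags survive."""
    key = ACTIVEX_COMPAT_KEY + "\\" + normalize_clsid(clsid)
    flags = set_kill_bit(existing_flags)
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[" + key + "]",
        '"Compatibility Flags"=dword:%08x' % flags,
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(kill_bit_reg_file(QUICKTIME_CLSID))
```

A kill bit is keyed on the CLSID, not on a version of the control, so if the fixed QuickTime 6 control registers under the same CLSID it will be blocked as well; set it where the control is not needed at all, or remove it after the upgrade.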

You should consider the benefits and risks of each attachment file type or
ActiveX components that you let into your organization. Attachment file
types or ActiveX components that you do not need should be dropped at your
perimeter mail gateway or proxy server. Attachments that you choose to
forward on into your organization should be scanned for known malicious
code using an antivirus product.
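
One way to drop the pattern described in this advisory at a proxy or mail gateway, as an added example that is not code from the advisory, from @stake or from Apple. It uses Python's standard html.parser to find OBJECT tags carrying the QuickTime CLSID and any PARAM or EMBED "pluginspage" value, and flags values far longer than a real plug-in download URL. The length threshold MAX_PLUGINSPAGE_LEN is an assumption, since the advisory does not state how long the string must be; the sample HTML below is constructed for the example and the names PluginsPageScanner, scan_html and is_suspicious are chosen here:

```python
# Added example, not part of the advisory: a gateway-side check for HTML
# that embeds the QuickTime ActiveX control with an overlong "pluginspage"
# value. Legitimate values are short URLs; anything well beyond that is
# treated as suspicious. MAX_PLUGINSPAGE_LEN is an assumed threshold.
from html.parser import HTMLParser

QUICKTIME_CLSID = "02bf25d5-8c17-4b23-bc80-d3488abddc6b"  # from the advisory
MAX_PLUGINSPAGE_LEN = 256  # assumption: real pluginspage values are short URLs


class PluginsPageScanner(HTMLParser):
    """Collects pluginspage values from PARAM and EMBED tags and notes
    whether the page instantiates the QuickTime control by CLSID."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (where, length) for each overlong value
        self.saw_quicktime_object = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values are kept as-is
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and QUICKTIME_CLSID in a.get("classid", "").lower():
            self.saw_quicktime_object = True
        if tag == "param" and a.get("name", "").lower() == "pluginspage":
            self._check("param pluginspage", a.get("value", ""))
        if tag == "embed" and "pluginspage" in a:
            self._check("embed pluginspage", a["pluginspage"])

    def _check(self, where, value):
        if len(value) > MAX_PLUGINSPAGE_LEN:
            self.findings.append((where, len(value)))


def scan_html(text):
    """Return what the scanner saw: QuickTime object present, overlong values."""
    p = PluginsPageScanner()
    p.feed(text)
    p.close()
    return {"quicktime_object": p.saw_quicktime_object, "findings": p.findings}


def is_suspicious(text):
    """True when at least one pluginspage value exceeds the threshold."""
    return bool(scan_html(text)["findings"])


# Constructed samples: a normal trailer embed, and the same page with the
# pluginspage value replaced by an overlong string.
BENIGN = """<OBJECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" WIDTH="480" HEIGHT="376">
  <PARAM NAME="src" VALUE="trailer.mov">
  <PARAM NAME="pluginspage" VALUE="http://www.apple.com/quicktime/download/">
  <EMBED SRC="trailer.mov" PLUGINSPAGE="http://www.apple.com/quicktime/download/"></EMBED>
</OBJECT>"""
MALICIOUS = BENIGN.replace("http://www.apple.com/quicktime/download/", "A" * 2000)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("overlong", MALICIOUS)):
        print(label, scan_html(page))
```

At a mail gateway the same function can be applied to each HTML attachment or HTML body part before it is forwarded; at a proxy, to HTML responses. The check is deliberately narrow (one control, one attribute) so it produces few false positives; it does not replace upgrading the control or setting the kill bit.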

ADDITIONAL INFORMATION

The information has been provided by Ollie Whitehouse <ollie@atstake.com>
and Andreas Junestam <andreas@atstake.com> of @Stake.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.