R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

advisory_at_rapid7.com
Date: 07/23/03

  • Next message: William A. Rowe, Jr.: "Re: Apache 1.3.27 mod_proxy security issue"
    To: bugtraq@securityfocus.com
    Date: Tue, 22 Jul 2003 18:43:31 -0700
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    _______________________________________________________________________
                         Rapid7, Inc. Security Advisory
           Visit http://www.rapid7.com/ to download NeXpose,
            the world's most advanced vulnerability scanner.
          Linux and Windows 2000/XP versions are available now!
    _______________________________________________________________________

    Rapid7 Advisory R7-0015
    Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

       Published: July 22, 2003
       Revision: 1.0
       http://www.rapid7.com/advisories/R7-0015.html

       CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
               CAN-2003-0425, CAN-2003-0426, CAN-2003-0502

    1. Affected system(s):

       KNOWN VULNERABLE:
        o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
        o QuickTime/Darwin Streaming Server v4.1.3 for Win32
        o QuickTime/Darwin Streaming Server v4.1.3 for Linux

       UNKNOWN/NOT TESTED:
        o other platforms (Solaris)

    2. Summary

       Several vulnerabilities have been found in the Apple
       QuickTime/Darwin Streaming Server, including denial of service,
       web root traversal, and script source disclosure.

    3. Vendor status and information

       Apple
       http://www.apple.com/

       The vendor has been notified and has released fixes for all but
       one of the issues, which is currently under investigation.

    4. Solution

       Upgrade to version 4.1.3g or later of Darwin Streaming Server,
       which may be obtained as a free download from:

          http://developer.apple.com/darwin/projects/streaming/

       Please see the next section for detailed fix information.

    5. Detailed analysis

       There are several vulnerabilities.

       Denial of Service by HTTP Request for DOS Device Name
       CVE ID: CAN-2003-0421
       Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
       Fixed: In version 4.1.3f (Win32)

          Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
          will cause a denial of service on the server. An initial
          HTTP 404 response will be returned for the device request,
          but future requests will not be serviced. For example:

          ==> GET /AUX HTTP/1.0

       Denial of Service by Request for ../ DOS Device Name
       CVE ID: CAN-2003-0502
       Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
       Fixed: In version 4.1.3g (Win32)

          This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
          was included in Streaming Server version, 4.1.3f, but further
          testing revealed that it was vulnerable to a variant where
          the device name was prefixed by dotdot slash (../), as in:

          ==> GET /../AUX HTTP/1.0

       Denial of Service by HTTP Request for /view_broadcast.cgi Script
       CVE ID: CAN-2003-0422
       Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
       Fixed: In version 4.1.3f (Win32)

          Requesting the /view_broadcast.cgi script over HTTP (port 1220)
          will cause a denial of service on the server if the required
          request parameters are not sent. The connection will be
          closed midway through servicing the request and no new
          connections will be allowed to the server.

          Example:

          ==> GET /view_broadcast.cgi HTTP/1.0

          <== HTTP/1.0 200 OK
          <== Content-Type: video/quicktime
          <==
          <== rtsp://
                    ^^ server drops connection

       Source Disclosure via HTTP Request for /parse_xml.cgi Script
       CVE ID: CAN-2003-0423
       Affects: Darwin Streaming Server v4.1.3g and earlier
       Fixed: No fix is available at this time. Apple is aware of
              this issue and they are investigating it further.

          The source code of any file within the web root can be obtained
          by issuing a request for /parse_xml.cgi?filename=[file], where
          [file] is the file whose source code you wish to view.

          This is only a serious risk if the administrator has installed
          custom scripts on Darwin Streaming Server that need to be
          protected.

       Script Source Disclosure by Appending Special Characters
       CVE ID: CAN-2003-0424
       Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
       Fixed: In version 4.1.3f (Win32)

          The source code of any script can be obtained by appending the
          special characters %2e (period) or %20 (space) to an HTTP request
          for that script. For example, requesting /view_broadcast.cgi%2e
          will reveal the source code for that script.
     
       Web Root Traversal and Arbitrary File Disclosure (Win32)
       CVE ID: CAN-2003-0425
       Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
       Fixed: In version 4.1.3f (Win32)

          Any file on the system can be retrieved by using three dots
          to break out of the web root. For example, requesting
          /.../qtusers will return the QuickTime user/password file.

       Default Install Allows Remote User to Set Admin Password
       CVE ID: CAN-2003-0426
       Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
       Fixed: In version 4.1.3f (Mac OS X)
     
          When Darwin Streaming Server is first installed, the
          HTTP-based administration server (typically port 1220)
          presents a "Setup Assistant" page where the user is prompted
          to set a new administrator password. This would allow any
          remote user to connect and set up an administrator password
          before the server administrator has had a chance to do so.

    6. Contact Information

       Rapid7 Security Advisories
       Email: advisory@rapid7.com
       Web: http://www.rapid7.com/
       Phone: +1 (212) 558-8700

    7. Disclaimer and Copyright

       Rapid7, Inc. is not responsible for the misuse of the information
       provided in our security advisories. These advisories are a service
       to the professional security community. There are NO WARRANTIES
       with regard to this information. Any application or distribution of
       this information constitutes acceptance AS IS, at the user's own
       risk. This information is subject to change without notice.

       This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
       hereby granted to redistribute this advisory, providing that no
       changes are made and that the copyright notices and disclaimers
       remain intact.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
    793Plejp5hw/r1OkojX2CQaB
    =OD0m
    -----END PGP SIGNATURE-----


  • Next message: William A. Rowe, Jr.: "Re: Apache 1.3.27 mod_proxy security issue"

    Relevant Pages