08 january, 2007
US-CERT Vulnerability Note VU#442497Apple QuickTime RTSP buffer overflow
Overview
Apple QuickTime may allow remote arbitrary code to be executed via a
long src parameter in RTSP URL strings.
I. Description
A vulnerability exists in the way Apple QuickTime handles specially
crafted Real Time Streaming Protocol (RTSP) URL strings. An attacker
may be able to craft a QTL file to take advantage of this vulnerability.
However, other attack vectors that do not involve QTL files may exist.
According to MOAB-01-01-2007:
By supplying a specially crafted string (rtsp:// [random] +
semicolon + [299 bytes padding + payload]), an attacker could
overflow a stack-based buffer, using either HTML, Javascript
or a QTL file as attack vector, leading to an exploitable
remote arbitrary code execution condition.
Note that since QuickTime is a component of Apple iTunes, iTunes
installations are also affected by this vulnerability. We are aware
of publicly available proof-of-concept code that exploits this
vulnerability.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code or cause a denial of service.
III. Solution
We are unaware of a solution to this problem. Until a solution becomes
available the following workarounds are strongly encouraged:
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web browser. Disabling
QuickTime in your web browser will defend against this attack vector.
For more information, refer to the Securing Your Web Browser document.
http://www.us-cert.gov/reading_room/securing_browser/
Disable JavaScript
For instructions on how to disable JavaScript, please refer to the
Securing Your Web Browser document.
http://www.us-cert.gov/reading_room/securing_browser/
Disable file association for QTL files
Disable the file association for QTL files to help prevent windows
applications from using Apple QuickTime to open QTL files. This can
be accomplished by deleting the following registry key:
HKEY_CLASSES_ROOT\.qtl
Note that this only prevents attacks that utilize files with a .QTL
extension.
Do not access QuickTime files from untrusted sources
Attackers may host malicious QuickTime files on web sites. In order
to convince users to visit their sites, those attackers often use a
variety of techniques to create misleading links including URL encoding,
IP address variations, long URLs, and intentional misspellings. Do
not click on unsolicited links received in email, instant messages,
web forums, or internet relay chat (IRC) channels. Type URLs directly
into the browser to avoid these misleading links. While these are
generally good security practices, following these behaviors will not
prevent exploitation of this vulnerability in all cases, particularly
if a trusted site has been compromised or allows cross-site scripting.
Systems Affected
Vendor Status Date Updated
Apple Computer, Inc. Vulnerable 2-Jan-2007
References
http://secunia.com/advisories/23540/
http://projects.info-pull.com/moab/MOAB-01-01-2007.html
Credit
This issue was reported in MOAB-01-01-2007.
http://projects.info-pull.com/moab/MOAB-01-01-2007.html
This document was written by Chris Taschner.
Other Information
Date Public 01/02/2007
Date First Published 01/02/2007 02:44:58 PM
Date Last Updated 01/03/2007
CERT Advisory
CVE Name CVE-2007-0015
Metric 27.00
Document Revision 22