Rapid7 Security Advisory 15

Posted Jul 23, 2003
Authored by Rapid7 | Site rapid7.com

Rapid7 Security Advisory - Several vulnerabilities have been found in the Apple QuickTime/Darwin Streaming Server, including denial of service, web root traversal, and script source disclosure.

tags | advisory, web, denial of service, root, vulnerability
systems | apple
advisories | CVE-2003-0421, CVE-2003-0502, CVE-2003-0422, CVE-2003-0423, CVE-2003-0424, CVE-2003-0425, CVE-2003-0426
SHA-256 | 088977e2989bbb584a3f0a1dd33037977138a112e0e0d0ac7e59fdc167b37bf7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0015
Multiple Vulnerabilities in Apple QuickTime/Darwin Streaming Server

Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html

CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502

1. Affected system(s):

KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux

UNKNOWN/NOT TESTED:
o other platforms (Solaris)

2. Summary

Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.

3. Vendor status and information

Apple
http://www.apple.com/

The vendor has been notified and has released fixes for all but
one of the issues (CAN-2003-0423, the parse_xml.cgi source
disclosure), which is currently under investigation.

4. Solution

Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:

http://developer.apple.com/darwin/projects/streaming/

Please see the next section for detailed fix information.

5. Detailed analysis

Seven issues are described below. Each entry lists the CVE
candidate number, the affected builds, and the release that
fixes it; note that CAN-2003-0423 remains unfixed in 4.1.3g.

Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:

==> GET /AUX HTTP/1.0

Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)

This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version 4.1.3f, but further
testing revealed that the fixed version was still vulnerable
when the device name was prefixed by dot-dot-slash (../), as in:

==> GET /../AUX HTTP/1.0

Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.

Example:

==> GET /view_broadcast.cgi HTTP/1.0

<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection

Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.

The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.

This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.

Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script. (Win32 ignores a
trailing period or space when opening a file, so the request
still resolves to the script on disk but no longer matches the
handler registered for the .cgi extension, and the file is
served as static content instead of executed.)

Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
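
The four Win32 path-handling issues above (CAN-2003-0421, CAN-2003-0502,
CAN-2003-0424 and CAN-2003-0425) are all failures to canonicalize the
request path before handing it to the operating system. The following
validator is an added example written for this page; it is not code
from Darwin Streaming Server or from Rapid7. It decodes the request
target once, applies the Win32 filename rules in portable string logic
(rather than asking the host OS), and refuses anything that would reach
a device, escape the web root, or bypass extension-based dispatch. The
web root path and the UnsafePath/classify names are assumptions for the
example; the full reserved device name list (CON, PRN, AUX, NUL,
COM1-9, LPT1-9) goes beyond the single AUX case the advisory shows.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Win32 reserved device names. Windows resolves a bare name such as AUX,
# and even AUX.txt, to the device regardless of the directory part of the
# path, which is why GET /AUX (CAN-2003-0421) and GET /../AUX
# (CAN-2003-0502) reach the device instead of a file under the web root.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


class UnsafePath(ValueError):
    """Raised when a request path must be refused rather than resolved."""


def resolve_request_path(webroot: str, raw_target: str) -> str:
    """Map an HTTP request-target onto a file under webroot, or raise UnsafePath.

    Each check mirrors one Win32 behaviour the advisory exploits:
      - reserved device names              (CAN-2003-0421, CAN-2003-0502)
      - trailing '.' or ' ' that Win32 strips before opening the file,
        so a handler keyed on '.cgi' never fires   (CAN-2003-0424)
      - '..' and '...' segments that escape the web root (CAN-2003-0425)
    Decisions are made on the decoded string, so the result is the same
    on every platform; the example uses a POSIX-style root for determinism.
    """
    path = urlsplit(raw_target).path          # drop ?query and #fragment
    path = unquote(path)                      # %2e -> '.', %20 -> ' ', ...
    if "%" in path or "\x00" in path:         # double encoding or NUL: refuse
        raise UnsafePath("undecodable or NUL-bearing path")
    path = path.replace("\\", "/")            # Win32 accepts either separator

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg != seg.rstrip(". "):                     # CAN-2003-0424
            raise UnsafePath(f"trailing dot/space in segment {seg!r}")
        if set(seg) <= {"."}:                           # '..', '...', ....
            raise UnsafePath(f"traversal segment {seg!r}")
        if seg.split(".")[0].upper() in RESERVED_DEVICE_NAMES:   # CAN-2003-0421
            raise UnsafePath(f"reserved device name in segment {seg!r}")
        segments.append(seg)

    root = posixpath.normpath(webroot)
    resolved = posixpath.normpath(posixpath.join(root, *segments))
    # Belt and braces: even after the per-segment checks, the result must
    # still sit at or below the root.
    if resolved != root and not resolved.startswith(root + "/"):
        raise UnsafePath("resolved path leaves the web root")
    return resolved


def classify(webroot: str, raw_target: str) -> tuple:
    """Convenience wrapper: ('ok', path) or ('refused', reason)."""
    try:
        return ("ok", resolve_request_path(webroot, raw_target))
    except UnsafePath as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    # The request targets below are taken from the advisory; the web root
    # is an assumed location used only for this demonstration.
    ROOT = "/srv/dss/web"
    for target in ("/AUX", "/../AUX", "/view_broadcast.cgi%2e",
                   "/view_broadcast.cgi%20", "/.../qtusers",
                   "/parse_xml.cgi?filename=view_broadcast.cgi",
                   "/images/logo.gif"):
        print(f"{target:45s} -> {classify(ROOT, target)}")
```

Note that the check for CAN-2003-0424 deliberately refuses the request
rather than stripping the trailing characters itself: silently
"repairing" the name is exactly what Win32 does, and reproducing that
behaviour in the server would recreate the bug.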

Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)

When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page, without requiring any
authentication, where the user is prompted to set a new
administrator password. Any remote user who reaches the
administration port before the server administrator does can
therefore connect and set the administrator password themselves.
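
Every issue in this section except CAN-2003-0426 leaves a recognisable
request in the administration server's access log. The scanner below is
an added example for this page (not part of the advisory and not Apple
or Rapid7 code): it parses constructed Apache-style common log format
lines, since the advisory does not describe the DSS log layout, and
applies one rule per request pattern. The rule names and the heuristic
that a parse_xml.cgi request is suspicious when its filename parameter
names a script or contains a path separator are assumptions made for
tuning this example; the attack strings themselves come from the
advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache-style common log format. The layout is an assumption for this
# example; adjust the regex to the log format actually in use.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A path segment that is a Win32 device name, with or without an extension
# (Windows maps AUX.txt to the device as well), in any directory.
DEVICE_SEGMENT = re.compile(
    r'(?i)(?:^|/)(?:con|prn|aux|nul|com[1-9]|lpt[1-9])(?:\.[^/]*)?(?=/|$)'
)
# A segment consisting of two or more dots: '..' (CAN-2003-0502) or
# '...' (CAN-2003-0425).
DOT_SEGMENT = re.compile(r'(?:^|/)\.{2,}(?=/|$)')


def rules_for(target: str) -> list:
    """Return the names of every advisory pattern the request-target matches."""
    parts = urlsplit(target)
    path = unquote(parts.path).replace("\\", "/")   # decode once, unify separators
    query = parse_qs(parts.query)
    hits = []
    if DEVICE_SEGMENT.search(path):
        hits.append("win32-device-name")             # CAN-2003-0421 / -0502
    if DOT_SEGMENT.search(path):
        hits.append("dot-traversal")                 # CAN-2003-0425 / -0502
    if path.endswith((".", " ")):
        hits.append("trailing-dot-or-space")         # CAN-2003-0424
    if path.endswith("/view_broadcast.cgi") and not parts.query:
        hits.append("view_broadcast-no-params")      # CAN-2003-0422
    if path.endswith("/parse_xml.cgi"):              # CAN-2003-0423
        # Heuristic (assumption): asking parse_xml.cgi for a script, or for
        # anything outside its own directory, is not normal admin UI use.
        for name in query.get("filename", []):
            if "/" in name or name.lower().endswith((".cgi", ".pl")):
                hits.append("parse_xml-source-disclosure")
                break
    return hits


def scan(log_lines) -> list:
    """Return (client, request-target, [rules]) for each line that trips a rule."""
    findings = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:                    # unparseable line: skip, do not guess
            continue
        hits = rules_for(m["target"])
        if hits:
            findings.append((m["host"], m["target"], hits))
    return findings


# Constructed sample log: one benign request, then the advisory's attack
# strings. Hosts and timestamps are invented for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2003:10:00:01 -0400] "GET /images/logo.gif HTTP/1.0" 200 1041',
    '10.0.0.9 - - [22/Jul/2003:10:00:02 -0400] "GET /AUX HTTP/1.0" 404 0',
    '10.0.0.9 - - [22/Jul/2003:10:00:03 -0400] "GET /../AUX HTTP/1.0" 404 0',
    '10.0.0.9 - - [22/Jul/2003:10:00:04 -0400] "GET /view_broadcast.cgi HTTP/1.0" 200 7',
    '10.0.0.9 - - [22/Jul/2003:10:00:05 -0400] "GET /view_broadcast.cgi%2e HTTP/1.0" 200 2210',
    '10.0.0.9 - - [22/Jul/2003:10:00:06 -0400] "GET /.../qtusers HTTP/1.0" 200 88',
    '10.0.0.9 - - [22/Jul/2003:10:00:07 -0400] "GET /parse_xml.cgi?filename=view_broadcast.cgi HTTP/1.0" 200 2210',
    '10.0.0.5 - - [22/Jul/2003:10:00:08 -0400] "GET /parse_xml.cgi?filename=index.xml HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, target, hits in scan(SAMPLE_LOG):
        print(f"{host:10s} {', '.join(hits):40s} {target}")
```

Because the scanner decodes the path before matching, the rules catch
the %2e/%20 forms as well as the literal characters; a rule written
against the raw request line would miss one or the other. The
view_broadcast and parse_xml rules will also fire on legitimate
administrator activity, so treat them as triage signals and correlate
with the source address rather than alerting on a single hit.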

6. Contact Information

Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700

7. Disclaimer and Copyright

Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.

This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----