what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 02-09-10.1

Atstake Security Advisory 02-09-10.1
Posted Sep 11, 2002
Authored by Atstake | Site atstake.com

Atstake Security Advisory A091002-1 - Apple QuickTime ActiveX v5.0.2 has a buffer overrun conditions that can result in execution of arbitrary code. To exploit this vulnerability an attacker would need to get his or her target to open a malicious HTML file as an attachment to an email message, as a file on the local or network file system, or as a file via HTTP.

tags | web, overflow, arbitrary, local, activex
systems | apple
SHA-256 | 67fa04ee26e8153f5ebac2a4e8afbc94afbd217f0c2391f6d6bcc01b0c137578

Atstake Security Advisory 02-09-10.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



@stake Inc.
www.atstake.com

Security Advisory

Advisory Name: Apple QuickTime ActiveX v5.0.2 Buffer Overrun
Release Date: 09/10/2002
Application: Apple QuickTime ActiveX v5.0.2
Platform: Windows NT4 SP6a, Windows 2000 SP1
Windows XP
Severity: There is a buffer overflow condition that
can result in execution of arbitrary
code.
Author: Ollie Whitehouse [ollie@atstake.com]
Contributions: Andreas Junestam [andreas@atstake.com]
Dave Aitel
Vendor Status: Vendor has fixed software update
CVE Candidate: CAN-2002-0376
Reference: www.atstake.com/research/advisories/2002/a091002-1.txt


Overview:

Apple QuickTime (http://www.quicktime.com) is the media player
used by a large number of distributors for high quality video and
audio based media. Version 5.0 has been downloaded over 100,000,000
times. There is a buffer overrun caused by the way that the QuickTime
ActiveX component handles the "pluginspage" field when parsed from a
malicious remote orlocal HTML page. This can allow the execution of
arbitrary computer code on the computer viewing the malicious web
page. The QuickTime ActiveX component is commonly used for movie
trailers (i.e. those located at http://www.apple.com/trailers/) and
other streaming or static media technologies when they are embedded
in a web page.


Details:

To exploit this vulnerability an attacker would need to get his or
her target to open a malicious HTML file as an attachment to an
email message, as a file on the local or network file system, or as
a file via HTTP. Most likely this would be accomplished by embedding
a link to a vulnerabile web site in an email message or another web
page. If the malicious HTML file is opened it will cause Quicktime to
execute the arbitrary computer code contained within the HTML page.

Take the following example HTML page:

---- Begin Sample HTML
<OBJ7ECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="480" HEIGHT="376">
<PA7RAM NAME="src" VALUE="test.mov">
<PA7RAM NAME="controller" VALUE="false">
<PA7RAM NAME="target" VALUE="myself">
<PA7RAM NAME="href" VALUE="test.mov">
<PA7RAM NAME="pluginspage" VALUE="insert overly long
string here">
<EM7BED WIDTH="480" HEIGHT="376" CONTROLLER="false"
TARGET="myself" HREF="test2.mov"
SRC="test.mov"
BGCOLOR="FFFFFF"
BORDER="0"
PLUGINSPAGE="insert overly long string here">
</EM7BED>
</OB7JECT>
---- End Sample HTML

[note: remove the '7's in the tags above to create valid HTML]

This sample HTML when, edited to insert an overly long string, will
cause an exception that is exploitable.

It is possible for an attacker to specify a codebase that will
download a vulnerable version of the ActiveX component.

This is a good example of why not to trust *ANY* ActiveX components
from any unknown source even if the site is considered safe and the
ActiveX component is signed on behalf of a trusted organization.


Vendor Response:

Apple was notified of this issue by @stake on May 13, 2002.

Apple has resolved this issue within QuickTime 6 which can be
downloaded from http://www.apple.com/quicktime/.


Recommendation:

If you use Quicktime, upgrade to Quicktime 6. If you are a web
site that hosts the qtplugin.cab file you should upgrade to
version 6.

You should never open attachments/webpages that come from
unknown sources no matter how benign they may appear. Be wary of
those that come from known sources.

You can set the "kill bit" for a known vulnerable ActiveX component
by editting the registry. This will keep Internet Explorer from
executing the vulnerable component. Directions for setting the kill
bit on a are at:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q240797&

You should consider the benefits and risks of each attachment file
type or ActiveX components that you let into your organization.
Attachment file types or ActiveX components that you do not need
should be dropped at your perimeter mail gateway or proxy server.
Attachments that you choose to forward on into your organization
should be scanned for known malicious code using an antivirus product.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBPX5bY0e9kNIfAm4yEQIH+QCdFToXSMrwlO9izwdxGLEyUUkbTWEAoJbj
Z9cyqqB498EcNiXqMK/INQN3
=MXuj
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close