var-200512-0300
Vulnerability from variot
Heap-based buffer overflow in Apple QuickTime before 7.0.4 allows remote attackers to execute arbitrary code via a GIF image file with a crafted Netscape Navigator Application Extension Block that modifies the heap in the Picture Modifier block. Apple's QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime's handling of Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system. Apple has released QuickTime 7.0.4, which fixes multiple vulnerabilities. A remote third party may execute arbitrary code or mount a denial-of-service (DoS) attack. For more information, see the information provided by the vendor. QuickTime is prone to a remote heap-based overflow vulnerability. This issue presents itself when the application processes a specially crafted GIF image file. A successful attack can result in a remote compromise. Versions prior to QuickTime 7.0.4 are vulnerable.
This flaw has proven to allow reliable control of data in the heap chunk and can be exploited via a web site by using ActiveX controls. The heap can be overwritten in the Picture Modifier block.
The block size is calculated by code such as the following (comments added; the field names assume that esi points at a QuickDraw PixMap-style structure with rowBytes at +4 and a bounds Rect of top/left/bottom/right at +6/+8/+0Ah/+0Ch):
.text:66A339CC mov ax, [esi+0Ch]                    ; bounds.right (assumed field name)
.text:66A339D0 xor ecx, ecx
.text:66A339D2 mov [esp+34h+var_28], ecx
.text:66A339D6 mov [esp+34h+var_24], ecx
.text:66A339DA mov [esp+34h+var_20], ecx
.text:66A339DE mov [esp+34h+var_1C], ecx
.text:66A339E2 mov word ptr [esp+34h+var_10], cx
.text:66A339E7 mov [esp+34h+arg_4], eax
.text:66A339EB movsx eax, ax                         ; eax = right (sign-extended 16-bit value)
.text:66A339EE mov word ptr [esp+34h+var_10+2], cx
.text:66A339F3 mov cx, [esi+8]                      ; bounds.left
.text:66A339F7 movsx edx, cx
.text:66A339FA sub eax, edx                         ; eax = right - left (width)
.text:66A339FC movsx edx, word ptr [esi+6]          ; bounds.top
.text:66A33A00 add eax, 3Eh                         ; width + 62
.text:66A33A03 push edi
.text:66A33A04 movsx edi, word ptr [esi+0Ah]        ; bounds.bottom
.text:66A33A08 sar eax, 3                           ; (width + 62) >> 3, arithmetic shift
.text:66A33A0B lea ebx, [esi+6]
.text:66A33A0E and eax, 0FFFFFFFCh                  ; round down to a multiple of 4: rowBytes
.text:66A33A11 sub edi, edx                         ; edi = bottom - top (height)
.text:66A33A13 movsx edx, ax                        ; rowBytes truncated to 16 bits, sign-extended
.text:66A33A16 mov [esi+4], ax                      ; store rowBytes
.text:66A33A1A imul edi, edx                        ; edi = height * rowBytes = allocation size
The allocation code is:
.text:66A33A68 push edi                             ; size derived entirely from header fields
.text:66A33A69 call sub_668B5B30
But when the data is actually processed into this memory, the decoded data is written to it without checking the size of the heap block. This is a segment of the write function (sub_66AE0A70); it forms a destination address from the structure's fields and stores through it with no comparison against the size allocated above:
.text:66AE0B18 movsx edx, word ptr [edi+12h] ; default
.text:66AE0B1C imul edx, [edi+0Ch]
.text:66AE0B20 mov ecx, [edi+4]
.text:66AE0B23 inc word ptr [edi+16h]
.text:66AE0B27 mov eax, [esp+arg_0]
.text:66AE0B2B add edx, ecx
.text:66AE0B2D mov [eax], edx
.text:66AE0B2F mov eax, [ebp+10h]
.text:66AE0B32 test eax, eax
.text:66AE0B34 jz short loc_66AE0B62
.text:66AE0B36 mov ax, [ebp+1Ch]
.text:66AE0B3A mov edx, [ebp+0Ch]
.text:66AE0B3D movzx cx, ah
.text:66AE0B41 mov ch, al
.text:66AE0B43 mov [edx], cx
.text:66AE0B46 movsx eax, word ptr [edi+12h]
.text:66AE0B4A imul eax, [ebp+14h]
.text:66AE0B4E add eax, [ebp+10h]
.text:66AE0B51 mov cx, [ebp+18h]
.text:66AE0B55 mov [ebp+0Ch], eax
.text:66AE0B58 mov [ebp+1Ah], cx
.text:66AE0B5C mov word ptr [ebp+1Ch], 0
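As an added example (not code from the eEye advisory or from Apple), the following C models the size arithmetic of the listing above and adds the write-side bounds check that the write path lacks. It assumes the structure at esi is laid out like a QuickDraw PixMap (rowBytes at +4, bounds Rect at +6); all function and type names are the example's own.

```c
/* Added example, not code from eEye's advisory or from Apple. It models the
 * block-size arithmetic of the listing above, then adds the write-side bounds
 * check that the listing's write path omits. Assumption: the structure at esi
 * is laid out like a QuickDraw PixMap, with rowBytes at +4 and a bounds Rect
 * {top, left, bottom, right} at +6, +8, +0Ah, +0Ch. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int16_t top, left, bottom, right; } Rect;

typedef struct {
    uint8_t *base;      /* pixel buffer returned by the allocator */
    int16_t  rowBytes;  /* what "mov [esi+4], ax" stores */
    size_t   capacity;  /* bytes actually allocated; the write path must honour it */
} PixBuf;

/* Same arithmetic as 66A339EB..66A33A16: (right - left + 0x3E) >> 3, rounded
 * down to a multiple of 4, then truncated to 16 bits by "movsx edx, ax". */
int32_t row_bytes_from_bounds(Rect r)
{
    int32_t w = (int32_t)r.right - (int32_t)r.left;
    w = (w + 0x3E) >> 3;      /* sar eax, 3: arithmetic shift, sign is kept */
    w &= ~3;                  /* and eax, 0FFFFFFFCh */
    return (int16_t)w;
}

/* Same as 66A33A04..66A33A1A: (bottom - top) * rowBytes, the value pushed to
 * sub_668B5B30. Every input comes from the file header, so the result can be
 * tiny, zero or negative while the decoder still emits a whole image of data. */
int32_t alloc_size_from_bounds(Rect r)
{
    int32_t h = (int32_t)r.bottom - (int32_t)r.top;
    return h * row_bytes_from_bounds(r);
}

/* Hardened allocation: refuse empty or inverted rectangles and any zero or
 * negative size, and record the capacity so writes can be checked against it. */
PixBuf *pixbuf_create(Rect r)
{
    if (r.right <= r.left || r.bottom <= r.top)
        return NULL;
    int32_t rb = row_bytes_from_bounds(r), sz = alloc_size_from_bounds(r);
    if (rb <= 0 || sz <= 0)
        return NULL;
    PixBuf *p = calloc(1, sizeof *p);
    if (!p)
        return NULL;
    p->base = calloc((size_t)sz, 1);
    if (!p->base) { free(p); return NULL; }
    p->rowBytes = (int16_t)rb;
    p->capacity = (size_t)sz;
    return p;
}

void pixbuf_destroy(PixBuf *p)
{
    if (p) { free(p->base); free(p); }
}

/* The write path. The listing computes base + row * rowBytes and stores the
 * decoded data there unconditionally; here the destination range is compared
 * with capacity first, so rows past the allocation, or a row longer than
 * rowBytes, are rejected instead of overwriting adjacent heap memory.
 * Returns 0 on success, -1 when the write would leave the buffer. */
int pixbuf_write_row(PixBuf *p, int32_t row, const uint8_t *data, size_t len)
{
    if (!p || row < 0 || len > (size_t)p->rowBytes)
        return -1;
    size_t off = (size_t)row * (size_t)p->rowBytes;
    if (off > p->capacity || len > p->capacity - off)
        return -1;
    memcpy(p->base + off, data, len);
    return 0;
}

/* Feed `rows` rows of constructed decoded data into a buffer sized from `r`
 * and report how many were accepted; -1 if the header was rejected outright.
 * A decoder emitting more rows than the header promised is the overflow
 * scenario; with the check in place the surplus rows are dropped. */
int32_t accepted_rows(Rect r, int32_t rows)
{
    PixBuf *p = pixbuf_create(r);
    if (!p)
        return -1;
    uint8_t line[256];
    memset(line, 0xAA, sizeof line);          /* constructed pixel data */
    size_t n = (size_t)p->rowBytes;
    if (n > sizeof line)
        n = sizeof line;
    int32_t ok = 0;
    for (int32_t i = 0; i < rows; i++)
        if (pixbuf_write_row(p, i, line, n) == 0)
            ok++;
    pixbuf_destroy(p);
    return ok;
}
```

A 10-by-64 bounds rectangle yields rowBytes 12 and a 120-byte block, so a stream of 16 rows has its last 6 rows refused; an inverted rectangle produces a negative size and is rejected before allocation.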
Vendor Status: Apple has released a patch for this vulnerability.
An attacker can create a QTIF file and deliver it to the user via email, a web page, or a QTIF file loaded through ActiveX, and can directly overwrite a function pointer that is used immediately, so the attack bypasses any stack overflow protection on systems such as Windows XP SP2 and Windows Server 2003 SP1.
Technical Details: When QuickTime processes the data field of a QTIF file, it copies it to the stack byte by byte without proper length checking, which causes a stack-based overflow. On that stack there is a function pointer that is used immediately after each byte is copied, so it can be used to bypass stack overflow protections such as those in Windows XP SP2 and Windows Server 2003 SP1.
The original function pointer value is 0x44332211. It only needs to be overwritten as far as 0x08332211, provided nothing crashes before the 0x44 byte has been overwritten with 0x08. Once it reads 0x08332211, execution is transferred to 0x08332211, a region that can first be populated with code via JavaScript.
call [esp+138h+arg_4] ; calls a function pointer held on the stack, and that pointer can be overwritten by the overflow
References:
QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html
Protection: Retina Network Security Scanner has been updated to identify this vulnerability.
Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CVE-2005-2340.
Credit: Discovery: Fang Xing
Greetings: Thanks to all the guys at eEye, and especially Karl Lynn's help.
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.
National Cyber Alert System
Technical Cyber Security Alert TA06-011A
Apple QuickTime Vulnerabilities
Original release date: January 11, 2006
Last revised: January 11, 2006
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows XP
* Microsoft Windows 2000
Overview
Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service.
I. Description
Apple QuickTime 7.0.4 resolves a number of image and media file handling vulnerabilities. (CAN-2005-3713)
II. Impact
The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service.
III. Solution
Upgrade
Upgrade to QuickTime 7.0.4.
Appendix A. References
* US-CERT Vulnerability Note VU#629845 -
<http://www.kb.cert.org/vuls/id/629845>
* US-CERT Vulnerability Note VU#921193 -
<http://www.kb.cert.org/vuls/id/921193>
* US-CERT Vulnerability Note VU#115729 -
<http://www.kb.cert.org/vuls/id/115729>
* US-CERT Vulnerability Note VU#150753 -
<http://www.kb.cert.org/vuls/id/150753>
* US-CERT Vulnerability Note VU#913449 -
<http://www.kb.cert.org/vuls/id/913449>
* CVE-2005-2340 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340>
* CVE-2005-4092 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>
* CVE-2005-3707 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707>
* CVE-2005-3710 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710>
* CVE-2005-3713 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713>
* Security Content for QuickTime 7.0.4 -
<http://docs.info.apple.com/article.html?artnum=303101>
* QuickTime 7.0.4 -
<http://www.apple.com/support/downloads/quicktime704.html>
* About the Mac OS X 10.4.4 Update (Delta) -
<http://docs.info.apple.com/article.html?artnum=302810>
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-011A.html>
Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA06-011A Feedback VU#913449" in the subject.
For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
Revision History
January 11, 2006: Initial release
"sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2006-01-12T00:00:00", "db": "CERT/CC", "id": "VU#921193" }, { "date": "2006-01-13T00:00:00", "db": "CERT/CC", "id": "VU#629845" }, { "date": "2006-01-11T00:00:00", "db": "CERT/CC", "id": "VU#115729" }, { "date": "2006-01-13T00:00:00", "db": "CERT/CC", "id": "VU#150753" }, { "date": "2006-01-31T00:00:00", "db": "CERT/CC", "id": "VU#913449" }, { "date": "2018-10-19T00:00:00", "db": "VULHUB", "id": "VHN-14921" }, { "date": "2008-05-01T18:56:00", "db": "BID", "id": "16864" }, { "date": "2009-04-03T00:00:00", "db": "JVNDB", "id": "JVNDB-2005-000858" }, { "date": "2006-05-24T00:00:00", "db": "CNNVD", "id": "CNNVD-200512-862" }, { "date": "2024-11-21T00:02:30.143000", "db": "NVD", "id": "CVE-2005-3713" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200512-862" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apple QuickTime fails to properly handle corrupt media files", "sources": [ { "db": "CERT/CC", "id": "VU#921193" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-200512-862" } ], "trust": 0.6 } }