var-201012-0213
Vulnerability from variot
Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted FlashPix file. User interaction is required in that a user must be coerced into opening up a malicious document or visiting a malicious website.The specific flaw exists within the way the application parses a particular property out of a flashpix file. The application will explicitly trust a field in the property as a length for a loop over an array of data structures. If this field's value is larger than the number of objects, the application will utilize objects outside of this array. Successful exploitation can lead to code execution under the context of the application. Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more. ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-259
December 7, 2010
-- CVE ID: CVE-2010-3801
-- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors: Apple
-- Affected Products: Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10654.
-- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-12-07 - Coordinated public release of advisory
-- Credit: This vulnerability was discovered by: * Damian Put
-- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/
Apple Quicktime Memory Corruption when parsing FPX files CVE-2010-3801
INTRODUCTION
Apple Quicktime is a "powerful media technology that works on Mac and PC with just about every popular video or audio format you come across. So you can play the digital media you want to play".
QuickTime player does not properly parse .fpx media files, which causes a memory corruption by opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49.
This problem was confirmed in the following versions of Apple Quicktime and browsers, other versions may be also affected.
QuickTime Player version 7.6.8 (1675) in all Operating Systems QuickTime Player version 7.6.6 (1671) in all Operating Systems
CVSS Scoring System
The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
The problem is triggered by PoC repro.fpx which causes invalid memory access in all the refered versions and is available to interested parties only.
DETAILS
Disassembly:
668E2387 F7C7 03000000 TEST EDI,3 668E238D 75 15 JNZ SHORT QuickT_1.668E23A4 668E238F C1E9 02 SHR ECX,2 668E2392 83E2 03 AND EDX,3 668E2395 83F9 08 CMP ECX,8 668E2398 72 2A JB SHORT QuickT_1.668E23C4 668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here
EDI = 0x089A0020 ESI = 0x61626364
(3e8.e3c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled.
eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020 eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exploitable Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17) This is a read access violation in a block data move, and is therefore classified as probably exploitable.
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201012-0213",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "5.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "6.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "6.1.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "5.0.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "6.0.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "6.0.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "6.0.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "6.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "4.1.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "5.0.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.3,
"vendor": "apple",
"version": "7.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.5.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.6"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.2.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.4.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.5.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.6.6"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.6.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.4.5"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.3.1.70"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.3.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.5.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.5.2"
},
{
"model": "quicktime",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "7.6.8"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.5"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.6.5"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.6.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.4.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.4"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.5.5"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.3"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.5"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.3"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.3"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.3.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "3.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.6.7"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.1.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.6.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "6.3.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.4"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.4.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.4"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.5.8"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.6 to v10.6.6"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.5.8"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.6 to v10.6.6"
},
{
"model": "quicktime",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "7.6.9"
},
{
"model": "quicktime",
"scope": null,
"trust": 0.7,
"vendor": "apple",
"version": null
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.8"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.7"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.6(1671)"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.6"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.4"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.5.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.4.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.4.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.3.1.70"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.3.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.6"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.4"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.3"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.4"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.3"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.5.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.5.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "5.0.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.64.17.73"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.6"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.4"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.3"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.4"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.3.4"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.6"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6"
},
{
"model": "quicktime player",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "7.6.9"
},
{
"model": "mac os server",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.7"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"db": "BID",
"id": "45240"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"db": "CNNVD",
"id": "CNNVD-201012-116"
},
{
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:apple:mac_os_x",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:mac_os_x_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:apple:quicktime",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Damian Put",
"sources": [
{
"db": "ZDI",
"id": "ZDI-10-259"
}
],
"trust": 0.7
},
"cve": "CVE-2010-3801",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2010-3801",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "ZDI",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2010-3801",
"impactScore": 8.5,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.7,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-46406",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2010-3801",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2010-3801",
"trust": 0.8,
"value": "High"
},
{
"author": "ZDI",
"id": "CVE-2010-3801",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201012-116",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-46406",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"db": "VULHUB",
"id": "VHN-46406"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"db": "CNNVD",
"id": "CNNVD-201012-116"
},
{
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted FlashPix file. User interaction is required in that a user must be coerced into opening up a malicious document or visiting a malicious website.The specific flaw exists within the way the application parses a particular property out of a flashpix file. The application will explicitly trust a field in the property as a length for a loop over an array of data structures. If this field\u0027s value is larger than the number of objects, the application will utilize objects outside of this array. Successful exploitation can lead to code execution under the context of the application. \nVersions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more. ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote Code Execution Vulnerability\n\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-259\n\nDecember 7, 2010\n\n-- CVE ID:\nCVE-2010-3801\n\n-- CVSS:\n9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)\n\n-- Affected Vendors:\nApple\n\n-- Affected Products:\nApple Quicktime\n\n-- TippingPoint(TM) IPS Customer Protection:\nTippingPoint IPS customers have been protected against this\nvulnerability by Digital Vaccine protection filter ID 10654. \n\n-- Vendor Response:\nApple has issued an update to correct this vulnerability. More\ndetails can be found at:\n\nhttp://support.apple.com/kb/HT4447\n\n-- Disclosure Timeline:\n2010-06-01 - Vulnerability reported to vendor\n2010-12-07 - Coordinated public release of advisory\n\n-- Credit:\nThis vulnerability was discovered by:\n * Damian Put\n\n-- About the Zero Day Initiative (ZDI):\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents\na best-of-breed model for rewarding security researchers for responsibly\ndisclosing discovered vulnerabilities. \n\nResearchers interested in getting paid for their security research\nthrough the ZDI can find more information and sign-up at:\n\n http://www.zerodayinitiative.com\n\nThe ZDI is unique in how the acquired vulnerability information is\nused. TippingPoint does not re-sell the vulnerability details or any\nexploit code. Instead, upon notifying the affected product vendor,\nTippingPoint provides its customers with zero day protection through\nits intrusion prevention technology. Explicit details regarding the\nspecifics of the vulnerability are not exposed to any parties until\nan official vendor patch is publicly available. Furthermore, with the\naltruistic aim of helping to secure a broader user base, TippingPoint\nprovides this vulnerability information confidentially to security\nvendors (including competitors) who have a vulnerability protection or\nmitigation product. \n\nOur vulnerability disclosure policy is available online at:\n\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\n\nFollow the ZDI on Twitter:\n\n http://twitter.com/thezdi\n\n\n. Check Point Software Technologies - Vulnerability Discovery Team (VDT)\nhttp://www.checkpoint.com/defense/\n\nApple Quicktime Memory Corruption when parsing FPX files\nCVE-2010-3801\n\n\nINTRODUCTION\n\nApple Quicktime is a \"powerful media technology that works on Mac and PC with just about \nevery popular video or audio format you come across. So you can play the digital media \nyou want to play\". \n\nQuickTime player does not properly parse .fpx media files, which causes a memory corruption by \nopening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49. \n\nThis problem was confirmed in the following versions of Apple Quicktime and browsers, other \nversions may be also affected. \n\nQuickTime Player version 7.6.8 (1675) in all Operating Systems\nQuickTime Player version 7.6.6 (1671) in all Operating Systems\n\nCVSS Scoring System\n\nThe CVSS score is: 9\n\tBase Score: 10\n\tTemporal Score: 9\nWe used the following values to calculate the scores:\n\tBase score is: AV:N/AC:L/Au:N/C:C/I:C/A:C\n\tTemporal score is: E:POC/RL:U/RC:C\n\n\nTRIGGERING THE PROBLEM\n\nThe problem is triggered by PoC repro.fpx which causes invalid memory access in all the \nrefered versions and is available to interested parties only. \n\n\nDETAILS\n\n\nDisassembly:\n\n668E2387 F7C7 03000000 TEST EDI,3\n668E238D 75 15 JNZ SHORT QuickT_1.668E23A4\n668E238F C1E9 02 SHR ECX,2\n668E2392 83E2 03 AND EDX,3\n668E2395 83F9 08 CMP ECX,8\n668E2398 72 2A JB SHORT QuickT_1.668E23C4\n668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] \u003c----- Crash Here\n\nEDI = 0x089A0020\nESI = 0x61626364\n\n(3e8.e3c): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \n\neax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020\neip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\n\n668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\n\n0:000\u003e !exploitable\nExploitability Classification: PROBABLY_EXPLOITABLE\nRecommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17)\nThis is a read access violation in a block data move, and is therefore classified as probably exploitable. \n\n\nCREDITS\n\nThis vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). \n\n\n\n\n\nRodrigo Rubira Branco\nSenior Security Researcher\nVulnerability Discovery Team (VDT)\nCheck Point Software Technologies\nhttp://www.checkpoint.com/defense\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2010-3801"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"db": "BID",
"id": "45240"
},
{
"db": "VULHUB",
"id": "VHN-46406"
},
{
"db": "PACKETSTORM",
"id": "96476"
},
{
"db": "PACKETSTORM",
"id": "96786"
}
],
"trust": 2.79
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-46406",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-46406"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2010-3801",
"trust": 3.7
},
{
"db": "ZDI",
"id": "ZDI-10-259",
"trust": 2.8
},
{
"db": "OSVDB",
"id": "69755",
"trust": 1.9
},
{
"db": "SECTRACK",
"id": "1024830",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-681",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-201012-116",
"trust": 0.7
},
{
"db": "APPLE",
"id": "APPLE-SA-2010-12-07-1",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "16118",
"trust": 0.6
},
{
"db": "BID",
"id": "45240",
"trust": 0.4
},
{
"db": "PACKETSTORM",
"id": "96476",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "96786",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-46406",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"db": "VULHUB",
"id": "VHN-46406"
},
{
"db": "BID",
"id": "45240"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"db": "PACKETSTORM",
"id": "96476"
},
{
"db": "PACKETSTORM",
"id": "96786"
},
{
"db": "CNNVD",
"id": "CNNVD-201012-116"
},
{
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"id": "VAR-201012-0213",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-46406"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:02:59.203000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "HT4447",
"trust": 1.5,
"url": "http://support.apple.com/kb/HT4447"
},
{
"title": "HT4581",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4581"
},
{
"title": "HT4447",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4447?viewlocale=ja_JP"
},
{
"title": "HT4581",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4581?viewlocale=ja_JP"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-46406"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://support.apple.com/kb/ht4447"
},
{
"trust": 1.9,
"url": "http://osvdb.org/69755"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2010//dec/msg00000.html"
},
{
"trust": 1.7,
"url": "http://zerodayinitiative.com/advisories/zdi-10-259/"
},
{
"trust": 1.1,
"url": "http://lists.apple.com/archives/security-announce/2011/mar/msg00006.html"
},
{
"trust": 1.1,
"url": "http://support.apple.com/kb/ht4581"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a15642"
},
{
"trust": 1.1,
"url": "http://www.securitytracker.com/id?1024830"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3801"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu636925"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu387412"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3801"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/16118"
},
{
"trust": 0.4,
"url": "http://www.zerodayinitiative.com/advisories/zdi-10-259"
},
{
"trust": 0.3,
"url": "http://www.apple.com/quicktime/"
},
{
"trust": 0.3,
"url": "/archive/1/515344"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-3801"
},
{
"trust": 0.1,
"url": "http://www.zerodayinitiative.com/advisories/disclosure_policy/"
},
{
"trust": 0.1,
"url": "http://twitter.com/thezdi"
},
{
"trust": 0.1,
"url": "http://www.tippingpoint.com"
},
{
"trust": 0.1,
"url": "http://www.zerodayinitiative.com"
},
{
"trust": 0.1,
"url": "http://www.checkpoint.com/defense/"
},
{
"trust": 0.1,
"url": "http://www.checkpoint.com/defense"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"db": "VULHUB",
"id": "VHN-46406"
},
{
"db": "BID",
"id": "45240"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"db": "PACKETSTORM",
"id": "96476"
},
{
"db": "PACKETSTORM",
"id": "96786"
},
{
"db": "CNNVD",
"id": "CNNVD-201012-116"
},
{
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"db": "VULHUB",
"id": "VHN-46406"
},
{
"db": "BID",
"id": "45240"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"db": "PACKETSTORM",
"id": "96476"
},
{
"db": "PACKETSTORM",
"id": "96786"
},
{
"db": "CNNVD",
"id": "CNNVD-201012-116"
},
{
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-12-07T00:00:00",
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"date": "2010-12-09T00:00:00",
"db": "VULHUB",
"id": "VHN-46406"
},
{
"date": "2010-12-07T00:00:00",
"db": "BID",
"id": "45240"
},
{
"date": "2010-12-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"date": "2010-12-08T19:15:38",
"db": "PACKETSTORM",
"id": "96476"
},
{
"date": "2010-12-17T21:23:44",
"db": "PACKETSTORM",
"id": "96786"
},
{
"date": "2010-12-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201012-116"
},
{
"date": "2010-12-09T20:00:17.337000",
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-12-07T00:00:00",
"db": "ZDI",
"id": "ZDI-10-259"
},
{
"date": "2017-09-19T00:00:00",
"db": "VULHUB",
"id": "VHN-46406"
},
{
"date": "2015-03-19T08:36:00",
"db": "BID",
"id": "45240"
},
{
"date": "2011-04-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-002555"
},
{
"date": "2010-12-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201012-116"
},
{
"date": "2024-11-21T01:19:38.250000",
"db": "NVD",
"id": "CVE-2010-3801"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "96476"
},
{
"db": "CNNVD",
"id": "CNNVD-201012-116"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple QuickTime Vulnerable to arbitrary code execution",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-002555"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201012-116"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…