Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > January 2007 > Apple QuickTime RTSP buffer overflow

January 2007

Apple QuickTime RTSP buffer overflow

ID: 00002
Ref: 01/2007
Date: 03 January 2007:11:21:09
Version: 1
Title: Apple QuickTime RTSP buffer overflow
Abstract: Apple QuickTime may allow remote arbitrary code to be executed via a long src parameter in RTSP URL strings.
Vendors affected: Apple
Applications affected: Apple
Vulnerability Note VU#442497
Apple QuickTime RTSP buffer overflow
http://www.kb.cert.org/vuls/id/442497

Overview
Apple QuickTime may allow remote arbitrary code to be executed via a long src parameter in RTSP URL strings.

I. Description

A vulnerability exists in the way Apple QuickTime handles specially crafted Real Time Streaming Protocol (RTSP) URL strings. An attacker may be able to craft a QTL file to take advantage of this vulnerability. However, other attack vectors that do not involve QTL files may exist. According to MOAB-01-01-2007:

By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.

Note that since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability. We are aware of publicly available proof-of-concept code that exploits this vulnerability.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service.

III. Solution

We are unaware of a solution to this problem. Until a solution becomes available the following workarounds are strongly encouraged:

Disable QuickTime in your web browser

An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser.
Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document.

Disable JavaScript

For instructions on how to disable JavaScript, please refer to the Securing Your Web Browser document.

Disable file association for QTL files

Disable the file association for QTL files to help prevent windows applications from using Apple QuickTime to open QTL files. This can be accomplished by deleting the following registry key:

HKEY_CLASSES_ROOT\.qtl

Note that this only prevents attacks that utilize files with a .QTL extension.

Do not access QuickTime files from untrusted sources

Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Systems Affected
Vendor Status Date Updated
Apple Computer, Inc. Vulnerable 2-Jan-2007

References

http://secunia.com/advisories/23540/
http://projects.info-pull.com/moab/MOAB-01-01-2007.html

Credit
This issue was reported in MOAB-01-01-2007.

This document was written by Chris Taschner.

Other Information
Date Public 02/01/2007
Date First Published 02/01/2007 14:44:58 Date Last Updated 02/01/2007
CERT Advisory
CVE Name CVE-2007-0015
Metric 27.00
Document Revision 19
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |