CVE-2003-0421
CVSS10.0
发布时间 :2003-08-27 00:00:00
修订时间 :2008-09-05 16:34:16
NMCOP    

[原文]Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502.


[CNNVD]Apple QuickTime / Darwin Streaming服务器服务拒绝漏洞(CNNVD-200308-162)

        Apple QuickTime / Darwin Streaming 服务器4.1.3f之前版本存在漏洞。远程攻击者可以借助对HTTP端口1220请求中的MS-DOS设备名(如AUX)导致服务拒绝(崩溃),该漏洞与CVE-2003-0502不同。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0421
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0421
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-162
(官方数据源) CNNVD

- 其它链接及资源

http://www.rapid7.com/advisories/R7-0015.html
(UNKNOWN)  MISC  http://www.rapid7.com/advisories/R7-0015.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0040.html
(VENDOR_ADVISORY)  VULNWATCH  20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

- 漏洞信息

Apple QuickTime / Darwin Streaming服务器服务拒绝漏洞
危急 未知
2003-08-27 00:00:00 2005-10-31 00:00:00
远程  
        Apple QuickTime / Darwin Streaming 服务器4.1.3f之前版本存在漏洞。远程攻击者可以借助对HTTP端口1220请求中的MS-DOS设备名(如AUX)导致服务拒绝(崩溃),该漏洞与CVE-2003-0502不同。

- 公告与补丁

        

- 漏洞信息 (F31422)

Rapid7 Security Advisory 15 (PacketStormID:F31422)
2003-07-23 00:00:00
Rapid7  rapid7.com
advisory,web,denial of service,root,vulnerability
apple
CVE-2003-0421,CVE-2003-0502,CVE-2003-0422,CVE-2003-0423,CVE-2003-0424,CVE-2003-0425,CVE-2003-0426
[点击下载]

Rapid7 Security Advisory - Several vulnerabilities have been found in the Apple QuickTime/Darwin Streaming Server, including denial of service, web root traversal, and script source disclosure.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory
       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

   Published:  July 22, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0015.html

   CVE:    CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
           CAN-2003-0425, CAN-2003-0426, CAN-2003-0502

1. Affected system(s):

   KNOWN VULNERABLE:
    o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
    o QuickTime/Darwin Streaming Server v4.1.3 for Win32
    o QuickTime/Darwin Streaming Server v4.1.3 for Linux

   UNKNOWN/NOT TESTED:
    o other platforms (Solaris)

2. Summary

   Several vulnerabilities have been found in the Apple
   QuickTime/Darwin Streaming Server, including denial of service,
   web root traversal, and script source disclosure.

3. Vendor status and information

   Apple
   http://www.apple.com/

   The vendor has been notified and has released fixes for all but
   one of the issues, which is currently under investigation.

4. Solution

   Upgrade to version 4.1.3g or later of Darwin Streaming Server,
   which may be obtained as a free download from:

      http://developer.apple.com/darwin/projects/streaming/

   Please see the next section for detailed fix information.

5. Detailed analysis

   There are several vulnerabilities.

   Denial of Service by HTTP Request for DOS Device Name
   CVE ID: CAN-2003-0421
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
      will cause a denial of service on the server.  An initial
      HTTP 404 response will be returned for the device request,
      but future requests will not be serviced.  For example:

      ==> GET /AUX HTTP/1.0

   Denial of Service by Request for ../ DOS Device Name
   CVE ID: CAN-2003-0502
   Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
   Fixed: In version 4.1.3g (Win32)

      This is a variant of CAN-2003-0421.  A fix for CAN-2003-0421
      was included in Streaming Server version, 4.1.3f, but further
      testing revealed that it was vulnerable to a variant where
      the device name was prefixed by dotdot slash (../), as in:

      ==> GET /../AUX HTTP/1.0

   Denial of Service by HTTP Request for /view_broadcast.cgi Script
   CVE ID: CAN-2003-0422
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Requesting the /view_broadcast.cgi script over HTTP (port 1220)
      will cause a denial of service on the server if the required
      request parameters are not sent.  The connection will be
      closed midway through servicing the request and no new
      connections will be allowed to the server.

      Example:

      ==> GET /view_broadcast.cgi HTTP/1.0

      <== HTTP/1.0 200 OK
      <== Content-Type: video/quicktime
      <==
      <== rtsp://
                ^^ server drops connection

   Source Disclosure via HTTP Request for /parse_xml.cgi Script
   CVE ID: CAN-2003-0423
   Affects: Darwin Streaming Server v4.1.3g and earlier
   Fixed: No fix is available at this time.  Apple is aware of
          this issue and they are investigating it further.

      The source code of any file within the web root can be obtained
      by issuing a request for /parse_xml.cgi?filename=[file], where
      [file] is the file whose source code you wish to view.

      This is only a serious risk if the administrator has installed
      custom scripts on Darwin Streaming Server that need to be
      protected.

   Script Source Disclosure by Appending Special Characters
   CVE ID: CAN-2003-0424
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      The source code of any script can be obtained by appending the
      special characters %2e (period) or %20 (space) to an HTTP request
      for that script.  For example, requesting /view_broadcast.cgi%2e
      will reveal the source code for that script.
 
   Web Root Traversal and Arbitrary File Disclosure (Win32)
   CVE ID: CAN-2003-0425
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Any file on the system can be retrieved by using three dots
      to break out of the web root.  For example, requesting
      /.../qtusers will return the QuickTime user/password file.

   Default Install Allows Remote User to Set Admin Password
   CVE ID: CAN-2003-0426
   Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
   Fixed: In version 4.1.3f (Mac OS X)
 
      When Darwin Streaming Server is first installed, the
      HTTP-based administration server (typically port 1220)
      presents a "Setup Assistant" page where the user is prompted
      to set a new administrator password.  This would allow any
      remote user to connect and set up an administrator password
      before the server administrator has had a chance to do so.

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
    

- 漏洞信息

2327
Apple Darwin Streaming Server Device Name DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Darwin Streaming Server contains a flaw that allows a remote attacker to crash the service. The issue is due to the web server not properly handling requests that contain a DOS device name (such as AUX). If an attacker requests such a URL, the service will terminate.

- 时间线

2003-07-22 Unknow
2003-07-22 Unknow

- 解决方案

Upgrade to version 4.1.3g or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站