CVE-2003-0425
CVSS 5.0
Published: 2003-08-27 00:00:00
Revised: 2008-09-10 15:18:59

[Original] Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ... (triple dot) in an HTTP request.


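[CNNVD] Apple QuickTime/Darwin Streaming Server directory traversal vulnerability (CNNVD-200308-119)

        Apple QuickTime / Darwin Streaming Server versions before 4.1.3f contain a directory traversal vulnerability. Remote attackers can read arbitrary files via a ... (triple dot) in an HTTP request.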

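- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]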

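- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found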

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0425
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0425
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-119
(Official data source) CNNVD

- Other links and resources

http://www.rapid7.com/advisories/R7-0015.html
(UNKNOWN)  MISC  http://www.rapid7.com/advisories/R7-0015.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0040.html
(VENDOR_ADVISORY)  VULNWATCH  20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

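- Vulnerability information

Apple QuickTime/Darwin Streaming Server directory traversal vulnerability
Medium severity  Path traversal
2003-08-27 00:00:00 2005-10-20 00:00:00
Remote
        Apple QuickTime / Darwin Streaming Server versions before 4.1.3f contain a directory traversal vulnerability. Remote attackers can read arbitrary files via a ... (triple dot) in an HTTP request.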

- Advisories and patches

        This vulnerability has reportedly been fixed in QuickTime/Darwin version 4.1.3f or later. Upgrades may be obtained from
        http://developer.apple.com/darwin/projects/streaming/

- Vulnerability information (F31422)

Rapid7 Security Advisory 15 (PacketStormID:F31422)
2003-07-23 00:00:00
Rapid7  rapid7.com
advisory,web,denial of service,root,vulnerability
apple
CVE-2003-0421,CVE-2003-0502,CVE-2003-0422,CVE-2003-0423,CVE-2003-0424,CVE-2003-0425,CVE-2003-0426

Rapid7 Security Advisory - Several vulnerabilities have been found in the Apple QuickTime/Darwin Streaming Server, including denial of service, web root traversal, and script source disclosure.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory
       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

   Published:  July 22, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0015.html

   CVE:    CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
           CAN-2003-0425, CAN-2003-0426, CAN-2003-0502

1. Affected system(s):

   KNOWN VULNERABLE:
    o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
    o QuickTime/Darwin Streaming Server v4.1.3 for Win32
    o QuickTime/Darwin Streaming Server v4.1.3 for Linux

   UNKNOWN/NOT TESTED:
    o other platforms (Solaris)

2. Summary

   Several vulnerabilities have been found in the Apple
   QuickTime/Darwin Streaming Server, including denial of service,
   web root traversal, and script source disclosure.

3. Vendor status and information

   Apple
   http://www.apple.com/

   The vendor has been notified and has released fixes for all but
   one of the issues, which is currently under investigation.

4. Solution

   Upgrade to version 4.1.3g or later of Darwin Streaming Server,
   which may be obtained as a free download from:

      http://developer.apple.com/darwin/projects/streaming/

   Please see the next section for detailed fix information.

5. Detailed analysis

   There are several vulnerabilities.

   Denial of Service by HTTP Request for DOS Device Name
   CVE ID: CAN-2003-0421
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
      will cause a denial of service on the server.  An initial
      HTTP 404 response will be returned for the device request,
      but future requests will not be serviced.  For example:

      ==> GET /AUX HTTP/1.0

   Denial of Service by Request for ../ DOS Device Name
   CVE ID: CAN-2003-0502
   Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
   Fixed: In version 4.1.3g (Win32)

      This is a variant of CAN-2003-0421.  A fix for CAN-2003-0421
      was included in Streaming Server version, 4.1.3f, but further
      testing revealed that it was vulnerable to a variant where
      the device name was prefixed by dotdot slash (../), as in:

      ==> GET /../AUX HTTP/1.0

   Denial of Service by HTTP Request for /view_broadcast.cgi Script
   CVE ID: CAN-2003-0422
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Requesting the /view_broadcast.cgi script over HTTP (port 1220)
      will cause a denial of service on the server if the required
      request parameters are not sent.  The connection will be
      closed midway through servicing the request and no new
      connections will be allowed to the server.

      Example:

      ==> GET /view_broadcast.cgi HTTP/1.0

      <== HTTP/1.0 200 OK
      <== Content-Type: video/quicktime
      <==
      <== rtsp://
                ^^ server drops connection

   Source Disclosure via HTTP Request for /parse_xml.cgi Script
   CVE ID: CAN-2003-0423
   Affects: Darwin Streaming Server v4.1.3g and earlier
   Fixed: No fix is available at this time.  Apple is aware of
          this issue and they are investigating it further.

      The source code of any file within the web root can be obtained
      by issuing a request for /parse_xml.cgi?filename=[file], where
      [file] is the file whose source code you wish to view.

      This is only a serious risk if the administrator has installed
      custom scripts on Darwin Streaming Server that need to be
      protected.

   Script Source Disclosure by Appending Special Characters
   CVE ID: CAN-2003-0424
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      The source code of any script can be obtained by appending the
      special characters %2e (period) or %20 (space) to an HTTP request
      for that script.  For example, requesting /view_broadcast.cgi%2e
      will reveal the source code for that script.
 
   Web Root Traversal and Arbitrary File Disclosure (Win32)
   CVE ID: CAN-2003-0425
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Any file on the system can be retrieved by using three dots
      to break out of the web root.  For example, requesting
      /.../qtusers will return the QuickTime user/password file.

   Default Install Allows Remote User to Set Admin Password
   CVE ID: CAN-2003-0426
   Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
   Fixed: In version 4.1.3f (Mac OS X)
 
      When Darwin Streaming Server is first installed, the
      HTTP-based administration server (typically port 1220)
      presents a "Setup Assistant" page where the user is prompted
      to set a new administrator password.  This would allow any
      remote user to connect and set up an administrator password
      before the server administrator has had a chance to do so.

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
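
A request-path check for the path-based issues in the advisory above (three-dot segments, trailing %2e/%20, DOS device names with or without a ../ prefix), as an added example that is not code from Rapid7 or Apple. The function name `check_request_path` is hypothetical and the sample targets are constructed from the advisory's own examples; the `filename` parameter of /parse_xml.cgi is not covered.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved DOS device names on Win32 (reserved with or without an extension).
DOS_DEVICE = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)


def check_request_path(target):
    """Return the reasons to reject an HTTP request target (empty list = accept)."""
    path = urlsplit(target).path
    # Decode repeatedly so double encoding (%252e) cannot hide a dot or space.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    reasons = []
    # Split on both separators: a Win32 file API treats "\" like "/".
    for seg in (s for s in re.split(r"[\\/]", path) if s):
        if set(seg) == {"."}:
            # ".", "..", "..." and longer: reject everything except a lone ".".
            if len(seg) >= 2:
                reasons.append("dot-only segment %r" % seg)
            continue
        if seg[-1] in ". ":
            # Win32 drops trailing dots and spaces, so "x.cgi." opens "x.cgi".
            reasons.append("trailing dot or space in %r" % seg)
        if DOS_DEVICE.match(seg.rstrip(". ")):
            reasons.append("DOS device name %r" % seg)
    return reasons


# Constructed sample targets, modelled on the advisory's examples.
SAMPLES = [
    "/sample.mov",
    "/AUX",
    "/../AUX",
    "/view_broadcast.cgi%2e",
    "/.../qtusers",
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t, "->", check_request_path(t) or "accept")
```

Run the check on the decoded path before it reaches any file API, and reject rather than rewrite a target that returns reasons.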
    

- Vulnerability information

4226
Apple QuickTime / Darwin Streaming Server Triple Dot Traversal Arbitrary File Access
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality
Exploit Public

- Vulnerability description

Darwin Streaming Server contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the server not properly sanitizing user input, specifically traversal style attacks (../../) supplied via URI.

- Timeline

2003-07-22 Unknown
2003-07-22 Unknown

- Solution

Upgrade to version 4.1.3g or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Apple QuickTime/Darwin Streaming Server Directory Traversal Vulnerability
Input Validation Error 8258
Yes No
2003-07-23 12:00:00 2009-07-11 10:56:00
Discovery is credited to Rapid7.

- Affected software versions

Apple Quicktime Streaming Server 4.1.3
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.8
Apple Darwin Streaming Server 4.1.3
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.8

- Discussion

It has been reported that QuickTime/Darwin Streaming Server is prone to a directory traversal vulnerability that may allow remote users to retrieve arbitrary files residing on the filesystem. This vulnerability may be possible to exploit using "/.../" sequences within the request sent to the server.

This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows.

- Exploit

This vulnerability can be exploited with a web browser.

- Solution

This vulnerability has reportedly been fixed in QuickTime/Darwin version 4.1.3f or later. Upgrades may be obtained from http://developer.apple.com/darwin/projects/streaming/

- Related references

 

 
