CVE-2004-0431
CVSS5.1
发布时间 :2004-07-07 00:00:00
修订时间 :2016-10-17 22:45:21
NMCOPS    

[原文]Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow.


[CNNVD]Apple QuickTime Sample-to-Chunk远程整数溢出漏洞(CNNVD-200407-012)

        
        Apple QuickTime是一款提供高质量声音和图象的媒体播放器。
        Apple QuickTime在处理畸形.mov文件时存在问题,远程攻击者可以利用这个漏洞触发缓冲区溢出,可能以进程权限在系统上执行任意指令。
        问题存在与QuickTime.qts文件中,QuickTime.qts文件负责处理从QuickTime格式电影中的'stsc'数据中拷贝Sample-to-Chunk表条目到分配的堆内存中,由于对"number of entries"字段数据缺少正确处理,提供值为0x0FFFFFFE或更大的数据,可引起整数溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0431
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0431
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-012
(官方数据源) CNNVD

- 其它链接及资源

http://lists.apple.com/mhonarc/security-announce/msg00048.html
(UNKNOWN)  APPLE  APPLE-SA-2004-04-30
http://marc.info/?l=bugtraq&m=108360110618389&w=2
(UNKNOWN)  BUGTRAQ  20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow
http://marc.info/?l=ntbugtraq&m=108356485013237&w=2
(UNKNOWN)  NTBUGTRAQ  20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow
http://www.kb.cert.org/vuls/id/782958
(UNKNOWN)  CERT-VN  VU#782958
http://xforce.iss.net/xforce/xfdb/16026
(VENDOR_ADVISORY)  XF  quicktime-heap-bo(16026)

- 漏洞信息

Apple QuickTime Sample-to-Chunk远程整数溢出漏洞
中危 边界条件错误
2004-07-07 00:00:00 2005-10-20 00:00:00
远程  
        
        Apple QuickTime是一款提供高质量声音和图象的媒体播放器。
        Apple QuickTime在处理畸形.mov文件时存在问题,远程攻击者可以利用这个漏洞触发缓冲区溢出,可能以进程权限在系统上执行任意指令。
        问题存在与QuickTime.qts文件中,QuickTime.qts文件负责处理从QuickTime格式电影中的'stsc'数据中拷贝Sample-to-Chunk表条目到分配的堆内存中,由于对"number of entries"字段数据缺少正确处理,提供值为0x0FFFFFFE或更大的数据,可引起整数溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Apple
        -----
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Apple Upgrade Quicktime 6.5.1
        
        http://www.apple.com/quicktime/download/

- 漏洞信息 (F33233)

eEye.quicktime.txt (PacketStormID:F33233)
2004-05-04 00:00:00
Karl Lynn  eeye.com
advisory,remote,arbitrary
apple
CVE-2004-0431
[点击下载]

eEye Security Advisory - eEye Digital Security has discovered a critical vulnerability in Apple's QuickTime Player. The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code within the SYSTEM context. Versions affected are Apple QuickTime 6.5 and Apple iTunes 4.2.0.72.

Apple QuickTime (QuickTime.qts) Heap Overflow

Release Date:
May 02, 2004

Date Reported:
February 18, 2004

Severity:
High (Code Execution)

Vendor:
Apple

Systems Affected:
Apple QuickTime 6.5
Apple iTunes 4.2.0.72

Description:
The Apple QuickTime media player is used for playing, interacting with
or viewing video, audio, VR or graphics files.  Many popular web
browsers, media players, and other applications use their libraries to
play various QuickTime movie formats through their applications.

eEye Digital Security has discovered a critical vulnerability in
QuickTime Player. The vulnerability allows a remote attacker to reliably
overwrite heap memory with user-controlled data and execute arbitrary
code within the SYSTEM context.

This specific flaw exists within the QuickTime.qts file which many
applications access QuickTime's functionality through.  By specially
crafting atoms within a movie file, a direct heap overwrite is
triggered, and reliable code execution is then possible.

Technical Details:
The code in QuickTime.qts responsible for copying Sample-to-Chunk table
entries from the 'stsc' atom data in a QuickTime-format movie into an
array allocated on the heap.  According to developer.apple.com, the
format of the Sample-to-Chunk atom is as follows:

  Offset  Type    Description
  ------- ------- --------------------------------
  0000h   DWORD   atom size
  0004h   DWORD   atom type tag ('stsc')
  0008h   BYTE    version
  0009h   BYTE[3] flags
  000Ch   DWORD   number of entries
  0010h   ...     sample-to-chunk table data

The heap block intended to hold the sample-to-chunk table data is
allocated with a size equal to (number_of_entries + 2) * 16.  By
supplying the "number of entries" field with the value 0x0FFFFFFE or
greater, an absolutely classic integer overflow results that causes an
insufficiently-sized heap block to be allocated, resulting in an equally
classic complete heap memory overwrite.

It is difficult to express just how textbook this vulnerability scenario
really is.  Successful exploitation of the vulnerability is
self-evident, and therefore no further discussion is warranted.  It is
our sincere hope that the vendor will make an earnest effort to increase
the maturity of its security response capabilities, so that researchers
will be encouraged to continue to work with them amicably on future
security issues. Apple is doing a disservice to its customers by
incorrectly labeling this vulnerability as a "crash bug" rather than
stating correctly that attackers can compromise systems running the
affected Apple software.

References:
QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html

Vendor Status:
Apple has released a patch for this vulnerability. The patch is
available via the Updates section of the affected applications.

This vulnerability has been assigned the CVE identifier CAN-2004-0431.

Credit:
Karl Lynn

Additional Research:
Derek Soeder

Greetings:
Riley Hassell, Fuzen, Cubby, the ladies in the band MudBath, Zoe bird,
Michelle L., and of course the entire staff at eEye.

Copyright (c) 1998-2004 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com
    

- 漏洞信息

5745
Apple QuickTime (QuickTime.qts) .mov File sample-to-chunk Table Data Handling Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- 漏洞描述

A remote overflow exists in Quicktime. The program fails to validate 'stsc' atom data in a Quicktime movie file resulting in a heap overflow. With a specially crafted media file, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2004-05-02 2004-02-18
Unknow 2004-05-02

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Apple QuickTime Sample-to-Chunk Integer Overflow Vulnerability
Boundary Condition Error 10257
Yes No
2004-04-30 12:00:00 2009-07-12 04:07:00
Discovery is credited to eEye Digital Security.

- 受影响的程序版本

Apple QuickTime Player 6.5
Apple QuickTime Player 6.1
Apple QuickTime Player 5.0.2
- Apple Mac OS 9 9.2.2
- Apple Mac OS 9 9.2.2
- Apple Mac OS 9 9.2.1
- Apple Mac OS 9 9.2.1
- Apple Mac OS 9 9.2
- Apple Mac OS 9 9.2
- Apple Mac OS 9 9.1
- Apple Mac OS 9 9.1
- Apple Mac OS 9 9.0.4
- Apple Mac OS 9 9.0.4
- Apple Mac OS 9 9.0
- Apple Mac OS 9 9.0
- Apple Mac OS X 10.1.5
- Apple Mac OS X 10.1.5
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.0.3
- Apple Mac OS X 10.0.3
- Apple Mac OS X 10.0.2
- Apple Mac OS X 10.0.1
- Apple Mac OS X 10.0.1
- Apple Mac OS X 10.0
- Apple Mac OS X 10.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95 SR2
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
Apple QuickTime Player 6
- Apple Mac OS 9 9.2.2
- Apple Mac OS 9 9.2.2
- Apple Mac OS 9 9.2.1
- Apple Mac OS 9 9.2.1
- Apple Mac OS 9 9.2
- Apple Mac OS 9 9.2
- Apple Mac OS 9 9.1
- Apple Mac OS 9 9.1
- Apple Mac OS 9 9.0.4
- Apple Mac OS 9 9.0.4
- Apple Mac OS 9 9.0
- Apple Mac OS 9 9.0
- Apple Mac OS X 10.1.5
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.0.3
- Apple Mac OS X 10.0.3
- Apple Mac OS X 10.0.2
- Apple Mac OS X 10.0.2
- Apple Mac OS X 10.0.1
- Apple Mac OS X 10.0.1
- Apple Mac OS X 10.0
- Apple Mac OS X 10.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95 SR2
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
Apple iTunes 4.2 .72
Apple QuickTime Player 6.5.1

- 不受影响的程序版本

Apple QuickTime Player 6.5.1

- 漏洞讨论

Apple QuickTime Player is vulnerable to an integer overflow vulnerability.

This issue can be triggered by a malformed .mov file and is reported to be exploitable to execute arbitrary code on Microsoft Windows platforms. This issue could also cause the player to crash on other platforms. Conflicting information has been released by the vendor that suggests that this issue will only result in a denial of service on Mac OS X.

- 漏洞利用

The researchers who discovered this vulnerability have developed working exploit code for Microsoft Windows platforms. This exploit code is not publicly available or known to be circulating in the wild.

- 解决方案

Apple has released a new version of QuickTime:


Apple QuickTime Player 6

Apple QuickTime Player 5.0.2

Apple QuickTime Player 6.1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站