CVE-2005-4092
CVSS 7.5
Published: 2005-12-08 06:03:00
Revised: 2011-03-07 00:00:00

[Original] Multiple heap-based buffer overflows in QuickTime.qts in Apple QuickTime Player 7.0.3 and iTunes 6.0.1 (3) and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a .mov file with (1) a Movie Resource atom with a large size value, or (2) an stsd atom with a modified Sample Description Table size value, and possibly other vectors involving media files. NOTE: item 1 was originally identified by CVE-2005-4127 for a pre-patch announcement, and item 2 was originally identified by CVE-2005-4128 for a pre-patch announcement.


[CNNVD] Apple QuickTime STSD Atom Heap Overflow Vulnerability (CNNVD-200512-165)

        Apple QuickTime Player is a component of the QuickTime software package that provides high-quality audio and video media playback.
        Many applications access QuickTime functionality through the QuickTime.qts file. QuickTime.qts contains multiple buffer overflow vulnerabilities. An attacker can exploit them to cause a denial of service and execute arbitrary code.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:apple:itunes:6.0.1        Apple iTunes 6.0.1
cpe:/a:apple:quicktime:7.0.3     Apple QuickTime 7.0.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4092
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-165
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-011A.html
(UNKNOWN)  CERT  TA06-011A
http://www.kb.cert.org/vuls/id/921193
(UNKNOWN)  CERT-VN  VU#921193
http://www.vupen.com/english/advisories/2006/0128
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0128
http://www.vupen.com/english/advisories/2005/3012
(VENDOR_ADVISORY)  VUPEN  ADV-2005-3012
http://www.securityfocus.com/bid/15732
(UNKNOWN)  BID  15732
http://www.securityfocus.com/archive/1/archive/1/421635/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060111 [EEYEB-20051117A] Apple QuickTime STSD Atom Heap Overflow
http://www.securityfocus.com/archive/1/archive/1/421569/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060111 [EEYEB-20051117B] Apple iTunes (QuickTime.qts) Heap Overflow
http://www.securityfocus.com/archive/1/archive/1/421547/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060111 Updated Advisories - Incorrect CVE Information
http://www.security-protocols.com/modules.php?name=News&file=article&sid=3133
(UNKNOWN)  MISC  http://www.security-protocols.com/modules.php?name=News&file=article&sid=3133
http://www.security-protocols.com/modules.php?name=News&file=article&sid=3109
(VENDOR_ADVISORY)  MISC  http://www.security-protocols.com/modules.php?name=News&file=article&sid=3109
http://www.security-protocols.com/advisory/sp-x21-advisory.txt
(UNKNOWN)  MISC  http://security-protocols.com/advisory/sp-x21-advisory.txt
http://www.eeye.com/html/research/upcoming/20051117b.html
(UNKNOWN)  MISC  http://www.eeye.com/html/research/upcoming/20051117b.html
http://www.eeye.com/html/research/upcoming/20051117a.html
(UNKNOWN)  MISC  http://www.eeye.com/html/research/upcoming/20051117a.html
http://securitytracker.com/id?1015397
(UNKNOWN)  SECTRACK  1015397
http://securitytracker.com/id?1015396
(UNKNOWN)  SECTRACK  1015396
http://securitytracker.com/id?1015356
(UNKNOWN)  SECTRACK  1015356
http://securityreason.com/securityalert/336
(UNKNOWN)  SREASON  336
http://securityreason.com/securityalert/334
(UNKNOWN)  SREASON  334
http://security-protocols.com/advisory/sp-x21-advisory.txt
(UNKNOWN)  MISC  http://security-protocols.com/advisory/sp-x21-advisory.txt
http://secunia.com/advisories/18370
(VENDOR_ADVISORY)  SECUNIA  18370
http://secunia.com/advisories/18149
(VENDOR_ADVISORY)  SECUNIA  18149
http://docs.info.apple.com/article.html?artnum=303101
(UNKNOWN)  APPLE  APPLE-SA-2006-01-10

- Vulnerability information

Apple QuickTime STSD Atom Heap Overflow Vulnerability
Severity: High    Type: Buffer overflow
2005-12-08 00:00:00    2012-12-26 00:00:00
Remote

- Advisories and patches

        The vendor has released upgrade patches to fix this security issue. Patch download links:
        http://www.apple.com/itunes/download/
        http://www.apple.com/quicktime/

- Vulnerability information (F43062)

Technical Cyber Security Alert 2006-11A (PacketStormID:F43062)
2006-01-15 00:00:00
US-CERT  us-cert.gov
advisory,denial of service,arbitrary,vulnerability
apple
CVE-2005-4092,CVE-2005-3707,CVE-2005-3710,CVE-2005-3713,CVE-2005-2340

Technical Cyber Security Alert TA06-011A - Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   
                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-011A


Apple QuickTime Vulnerabilities

   Original release date: January 11, 2006
   Last revised: January 11, 2006
   Source: US-CERT

Systems Affected

   Apple QuickTime on systems running

     * Apple Mac OS X
     * Microsoft Windows XP
     * Microsoft Windows 2000


Overview

   Apple has released QuickTime 7.0.4 to correct multiple
   vulnerabilities. The impacts of these vulnerabilities include
   execution of arbitrary code and denial of service.


I. Description

   Apple QuickTime 7.0.4 resolves a number of image and media file
   handling vulnerabilities. Further details are available in the
   following Vulnerability Notes:

   VU#629845 - Apple QuickTime image handling buffer overflow

   Apple QuickTime contains a heap overflow vulnerability that may allow
   an attacker to execute arbitrary code or cause a denial-of-service
   condition.
   (CAN-2005-2340)

   VU#921193 - Apple QuickTime fails to properly handle corrupt media
   files

   Apple QuickTime contains a heap overflow vulnerability in the handling
   of media files. This vulnerability may allow a remote, unauthenticated
   attacker to execute arbitrary code or cause a denial of service on a
   vulnerable system.
   (CAN-2005-4092)

   VU#115729 - Apple QuickTime fails to properly handle corrupt TGA
   images

   A flaw in the way Apple QuickTime handles Targa (TGA) image format
   files could allow a remote attacker to execute arbitrary code on a
   vulnerable system.
   (CAN-2005-3707)

   VU#150753 - Apple QuickTime fails to properly handle corrupt TIFF
   images

   Apple QuickTime contains an integer overflow vulnerability in the
   handling of TIFF images. This vulnerability may allow a remote,
   unauthenticated attacker to execute arbitrary code or cause a denial
   of service on a vulnerable system.
   (CAN-2005-3710)

   VU#913449 - Apple QuickTime fails to properly handle corrupt GIF
   images

   A flaw in the way Apple QuickTime handles Graphics Interchange Format
   (GIF) files could allow a remote attacker to execute arbitrary code on
   a vulnerable system.
   (CAN-2005-3713)


II. Impact

   The impacts of these vulnerabilities vary. For information about
   specific impacts, please see the Vulnerability Notes. Potential
   consequences include remote execution of arbitrary code or commands
   and denial of service.


III. Solution

Upgrade

   Upgrade to QuickTime 7.0.4.


Appendix A. References

     * US-CERT Vulnerability Note VU#629845 -
       <http://www.kb.cert.org/vuls/id/629845>

     * US-CERT Vulnerability Note VU#921193 -
       <http://www.kb.cert.org/vuls/id/921193>

     * US-CERT Vulnerability Note VU#115729 -
       <http://www.kb.cert.org/vuls/id/115729>

     * US-CERT Vulnerability Note VU#150753 -
       <http://www.kb.cert.org/vuls/id/150753>

     * US-CERT Vulnerability Note VU#913449 -
       <http://www.kb.cert.org/vuls/id/913449>

     * CVE-2005-2340 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340>

     * CVE-2005-4092 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>

     * CVE-2005-3707 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707>

     * CVE-2005-3710 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710>

     * CVE-2005-3713 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713>

     * Security Content for QuickTime 7.0.4 -
       <http://docs.info.apple.com/article.html?artnum=303101>

     * QuickTime 7.0.4 -
       <http://www.apple.com/support/downloads/quicktime704.html>

     * About the Mac OS X 10.4.4 Update (Delta) -
       <http://docs.info.apple.com/article.html?artnum=302810>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-011A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________



Revision History

   January 11, 2006: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj
34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey
AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/
HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL
osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy
0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw==
=5Kiq
-----END PGP SIGNATURE-----
    

- Vulnerability information (F43059)

EEYEB-20051117A.txt (PacketStormID:F43059)
2006-01-15 00:00:00
Karl Lynn  eeye.com
advisory,remote,arbitrary,code execution
CVE-2005-4092

eEye Security Advisory - eEye Digital Security has discovered a critical vulnerability in QuickTime Player. The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the player or application hosting the QuickTime plug-in. This specific flaw exists within the QuickTime.qts file which many applications access QuickTime's functionality through. By specially crafting atoms within a movie file, a direct heap overwrite is triggered, and reliable code execution is then possible.

EEYEB-20051117A Apple QuickTime STSD Atom Heap Overflow

Release Date:
January 10, 2006

Date Reported:
November 17, 2005

Patch Development Time (In Days):
54 Days

Severity:
High (Code Execution)

Vendor:
Apple


Systems Affected:
Quicktime on Windows 2000
Quicktime on Windows XP
Quicktime on Mac OS X 10.3.9

Apple iTunes on Windows 2000
Apple iTunes on Windows XP
Apple iTunes on OS X 10.3.9

Overview:
eEye Digital Security has discovered a critical vulnerability in
QuickTime Player. The vulnerability allows a remote attacker to reliably
overwrite heap memory with user-controlled data and execute arbitrary
code in the context of the user who executed the player or application
hosting the QuickTime plug-in.

This specific flaw exists within the QuickTime.qts file which many
applications access QuickTime's functionality through. By specially
crafting atoms within a movie file, a direct heap overwrite is
triggered, and reliable code execution is then possible.

Technical Details:
The vulnerability lies in the code in QuickTime.qts responsible for
handling, on the heap, the size of the Sample Description Table entries
from the 'stsd' atom in a QuickTime-format movie. According to
developer.apple.com, the format of the Sample Description Atom is as
follows:

Field                                 Description
----------------------------------------------------------------
Size                                  32-bit int
Data Format                           4 char code
Reserved                              6 bytes that must be 0
Data Reference Index                  16-bit int
Hint Track Version                    16-bit unsigned int
Last compatible hint track version    16-bit unsigned int
Max Packet Size                       32-bit int
Additional Data Table                 Variable

Setting the size of the Sample Description Table to 00 15 - 00 D0 causes
a heap-based overflow. Supplying the "Last compatible hint track version"
field with the value 00 05 - 00 09 causes an insufficiently-sized heap
block to be allocated, resulting in a classic complete heap memory
overwrite during the RtlAllocateHeap() function, and the attacker can
control memory with data taken from the filename of the .MOV file. This
vulnerability can be successfully exploited via an embedded media player
in an HTML page, email, or HTML link.

References
QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Apple has released a patch for this vulnerability. The patch is
available via the Updates section of the affected applications.
This vulnerability has been assigned the CVE identifier CVE-2005-4092.

Credit:
Discovery: Karl Lynn

Greetings:
0x41414141

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
    

- Vulnerability information (F43058)

EEYEB-20051117B.txt (PacketStormID:F43058)
2006-01-15 00:00:00
Karl Lynn  eeye.com
advisory,remote,arbitrary,code execution
CVE-2005-4092

eEye Security Advisory - eEye Digital Security has discovered a critical vulnerability in QuickTime Player. The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the player or application hosting the QuickTime plug-in. This specific flaw exists within the QuickTime.qts file which many applications access QuickTime's functionality through. By specially crafting atoms within a movie file, a direct heap overwrite is triggered, and reliable code execution is then possible.

EEYEB-20051117B Apple iTunes (QuickTime.qts) Heap Overflow

Release Date:
January 10, 2006

Date Reported:
November 17, 2005

Patch Development Time (In Days):
54 Days

Severity:
High (Code Execution)

Vendor:
Apple

Systems Affected:
Quicktime on Windows 2000
Quicktime on Windows XP
Quicktime on Mac OS X 10.3.9

Apple iTunes on Windows 2000
Apple iTunes on Windows XP
Apple iTunes on OS X 10.3.9

Overview:
eEye Digital Security has discovered a critical vulnerability in Apple
iTunes. The vulnerability allows an attacker to reliably overwrite heap
memory with user-controlled data and execute arbitrary code in the
context of the user who executed iTunes.

This specific flaw exists within the QuickTime.qts file which many
applications access QuickTime's functionality through. By specially
crafting atoms within a movie file, a direct heap overwrite is
triggered, and reliable code execution is then possible.

Technical Details:
The code in QuickTime.qts responsible for copying Movie Resource atom
type sizes in a QuickTime-format movie into an array allocated on the
heap. According to developer.apple.com, the format of the Movie Resource
atom is as follows:

Field           Description
---------------------------
Atom Size       4 bytes
Atom Type       4 bytes
Data            Variable

By supplying the .MOV file with a large atom size results in a
insufficiently-sized heap block to be allocated, resulting in a complete
heap memory overwrite ultimately failing in the List_Component()
function.  

References
QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html

Vendor Status:
Apple has released a patch for this vulnerability. The patch is
available via the Updates section of the affected applications.
This vulnerability has been assigned the CVE identifier CVE-2005-4092.

Credit:
Discovery: Karl Lynn

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
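The two eEye technical descriptions above (EEYEB-20051117A, the 'stsd' Sample Description Table entry size, and EEYEB-20051117B, the Movie Resource atom size), and the two vectors in the CVE text at the top of this page, describe the same mistake: a length read from the file is used to size a heap block or a copy without being checked against the data actually present. The following is an added example, not Apple's or eEye's code, of a reader for those two structures that performs the missing checks. It goes a step beyond the advisories by also descending into the container atoms (moov/trak/mdia/minf/stbl) that lead to stsd in a real file. The atom and stsd layouts follow the QuickTime File Format specification the advisories reference; the function names, status codes and sample byte strings are constructed for this example.

```c
/* Added example (not Apple's or eEye's code): a bounds-checked reader for the
 * two QuickTime structures the advisories above describe, the atom header and
 * the 'stsd' sample description table. The inputs at the bottom are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum qt_status { QT_OK = 0, QT_ERR_TRUNCATED, QT_ERR_BAD_ATOM_SIZE, QT_ERR_BAD_ENTRY_SIZE };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Atom header at buf[off]: 32-bit size, 4-char type; size 0 means "to end of
 * file", size 1 means a 64-bit size follows. The declared size is checked
 * against the bytes present before anything is sized from it (vector 1 above:
 * a Movie Resource atom carrying an oversized size field). */
static enum qt_status qt_atom_header(const uint8_t *buf, size_t len, size_t off,
                                     size_t *hdr_len, size_t *atom_size, char type[5])
{
    if (off > len || len - off < 8) return QT_ERR_TRUNCATED;
    uint64_t size = be32(buf + off);
    size_t hdr = 8;
    memcpy(type, buf + off + 4, 4); type[4] = '\0';
    if (size == 0) size = len - off;                    /* "to end of file" */
    else if (size == 1) {                               /* 64-bit size follows */
        if (len - off < 16) return QT_ERR_TRUNCATED;
        size = ((uint64_t)be32(buf + off + 8) << 32) | be32(buf + off + 12);
        hdr = 16;
    }
    if (size < hdr || size > len - off) return QT_ERR_BAD_ATOM_SIZE;
    *hdr_len = hdr; *atom_size = (size_t)size;
    return QT_OK;
}

/* 'stsd' payload: version (1), flags (3), entry count (4), then entries that
 * each begin with their own 32-bit size, 4-char data format, 6 reserved bytes
 * and a 16-bit data reference index, 16 bytes minimum. An entry size outside
 * [16, bytes remaining] is rejected rather than trusted (vector 2 above). */
#define STSD_ENTRY_MIN 16
static enum qt_status qt_parse_stsd(const uint8_t *data, size_t len, uint32_t *entries_out)
{
    if (len < 8) return QT_ERR_TRUNCATED;
    uint32_t count = be32(data + 4);
    size_t off = 8;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < STSD_ENTRY_MIN) return QT_ERR_TRUNCATED;
        uint32_t esize = be32(data + off);
        if (esize < STSD_ENTRY_MIN || esize > len - off) return QT_ERR_BAD_ENTRY_SIZE;
        off += esize;
    }
    if (entries_out) *entries_out = count;
    return QT_OK;
}

/* Containers on the path to stsd in a real file: moov/trak/mdia/minf/stbl. */
static int qt_is_container(const char *type)
{
    static const char names[] = "moov" "trak" "mdia" "minf" "stbl";
    for (size_t i = 0; i < sizeof names - 1; i += 4)
        if (memcmp(type, names + i, 4) == 0) return 1;
    return 0;
}

/* Walk a run of atoms, descend into containers, validate every stsd found. */
static enum qt_status qt_check(const uint8_t *buf, size_t len, uint32_t *stsd_entries)
{
    for (size_t off = 0; off < len;) {
        size_t hdr, size; char type[5];
        enum qt_status st = qt_atom_header(buf, len, off, &hdr, &size, type);
        if (st != QT_OK) return st;
        if (qt_is_container(type))
            st = qt_check(buf + off + hdr, size - hdr, stsd_entries);
        else if (memcmp(type, "stsd", 4) == 0)
            st = qt_parse_stsd(buf + off + hdr, size - hdr, stsd_entries);
        if (st != QT_OK) return st;
        off += size;
    }
    return QT_OK;
}

/* Constructed inputs, not real files. */
static const uint8_t good_stbl[] = {          /* stbl containing one valid stsd */
    0x00,0x00,0x00,0x28, 's','t','b','l',
    0x00,0x00,0x00,0x20, 's','t','s','d',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,  /* version/flags, one entry */
    0x00,0x00,0x00,0x10, 't','w','o','s',      /* entry size 16, data format */
    0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x01   /* reserved, data reference index */
};
static const uint8_t bad_entry_stsd[] = {     /* entry claims 0xD0 bytes, 16 present */
    0x00,0x00,0x00,0x20, 's','t','s','d', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0xD0, 't','w','o','s', 0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x01
};
static const uint8_t big_moov[] = {           /* atom claims 2 GiB, 16 bytes present */
    0x7F,0xFF,0xFF,0xFF, 'm','o','o','v', 0,0,0,0, 0,0,0,0
};

int main(void)
{
    static const char *const names[] = { "OK", "TRUNCATED", "BAD_ATOM_SIZE", "BAD_ENTRY_SIZE" };
    uint32_t n = 0;
    enum qt_status st = qt_check(good_stbl, sizeof good_stbl, &n);
    printf("good_stbl:      %s, %u stsd entries\n", names[st], n);
    printf("bad_entry_stsd: %s\n", names[qt_check(bad_entry_stsd, sizeof bad_entry_stsd, NULL)]);
    printf("big_moov:       %s\n", names[qt_check(big_moov, sizeof big_moov, NULL)]);
    return 0;
}
```

qt_check stops at the first failure and never lets a file-supplied length reach an allocation or a copy unchecked. The two constructed bad inputs mirror the advisories' triggers: an stsd entry size of 00 D0 where only 16 bytes remain, and an atom whose size field points far past the end of the data.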
    

- Vulnerability information

21840
Apple QuickTime/iTunes QuickTime.qts Multiple atom Value Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-12-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Apple QuickTime/iTunes QuickTime.QTS Heap Overflow Vulnerability
Class: Boundary Condition Error    Bugtraq ID: 15732
Remote: Yes    Local: No
Published: 2005-12-02 12:00:00    Updated: 2006-01-11 06:56:00
Discovery is credited to Tom Ferris and Karl Lynn.

- Affected program versions

Free-codecs.com QuickTime Alternative 1.67
Apple QuickTime Player 7.0.3
Apple iTunes 6.0.1
eSignal eSignal 6.0.2
Apple QuickTime Player 7.0.4

- Unaffected program versions

eSignal eSignal 6.0.2
Apple QuickTime Player 7.0.4

- Vulnerability discussion

A heap-based buffer overflow vulnerability has been reported in Apple QuickTime and iTunes. This issue affects both Mac OS X and Microsoft Windows releases of the software.

This issue may be triggered when the application processes a malformed movie (.MOV) file.

Successful exploitation will result in execution of arbitrary code in the context of the currently logged in user.

This issue affects Apple QuickTime 7.0.3 and iTunes 6.0.1. Earlier versions may also be affected.

- Exploit

The following example files were provided to demonstrate the vulnerability by crashing the application:

http://www.security-protocols.com/poc/sp-x21-1.mov <- crashes QuickTime
http://www.security-protocols.com/poc/sp-x21-2.mov <- crashes iTunes and QuickTime

Symantec has not tested the integrity of these files.

- Solution

Apple has released advisory APPLE-SA-2006-01-10 and fixes to address this issue.


Apple iTunes 6.0.1

Apple QuickTime Player 7.0.3

- Related references