MS-ISAC ADVISORY NUMBER:
2007-023
DATE(S) ISSUED:
11/28/2007
SUBJECT:
Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow
OVERVIEW:
A new vulnerability in Apple Quicktime is actively being exploited on the
Internet. Apple Quicktime is a media player for the Mac OS X and Microsoft
Windows operating systems. The vulnerability can be exploited if a user
visits a malicious web site or opens a malicious e-mail attachment. If the
vulnerability is successfully exploited, an attacker may be able to execute
arbitrary code on a vulnerable system with the same rights as the logged-on
user. This may allow the attacker to gain complete control of the affected
system.
Note that there is currently no patch for this vulnerability.
SYSTEMS AFFECTED:
Apple QuickTime Player 7.3 and earlier
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
Apple Quicktime is a media player for the Mac OS X and Microsoft Windows
operating systems.
A new vulnerability has been discovered in Quicktime that is currently being exploited on the Internet. Quicktime is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized stack-based memory buffer. The issue occurs when handling specially crafted Real Time Streaming Protocol (RTSP) response headers.
RTSP is a protocol used by Quicktime to stream media content over the Internet. By default, the protocol runs over ports 554 tcp/udp and 6970-6999 udp. The protocol also runs over an alternative port of 8554 tcp/udp. However, the protocol can be configured to run over any port, which allows firewalls to be circumvented by hosting the malicious RTSP server on 80/tcp or another commonly unfiltered port.
This vulnerability can be exploited if a user visits a specially crafted web page that hosts the malicious content or opens a malicious e-mail attachment. When the user views the content, the RTSP server then sends the exploit code designed to perform some action on the attacker's behalf. A successful attack would corrupt memory and execute arbitrary code, providing the attacker with the same privileges as the logged-on user. If the user is logged on with administrative privileges, the attacker can take complete control of the affected system and add, modify or delete user accounts and programs. A failed attack will likely cause denial-of-service conditions.
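The description above explains that the flaw is triggered by an oversized RTSP response header and that the server can sit on any port. The following is an added example, not part of the MS-ISAC advisory, showing how a passive monitor or proxy could identify RTSP responses by their status line (rather than by port) and flag header values beyond a length limit. The limit MAX_HEADER_VALUE_LEN and the two sample responses are constructed for illustration; the advisory does not state the size of the overflowed buffer or which header is involved.

```python
"""RTSP response header length check (added example, not advisory text)."""
import re

# Assumed limit for a single header value. The advisory does not give the
# size of the vulnerable buffer, so this is a constructed, conservative value.
MAX_HEADER_VALUE_LEN = 255

# An RTSP response starts with "RTSP/<ver> <code> <reason>".
STATUS_LINE = re.compile(rb"^RTSP/\d\.\d \d{3}( .*)?$")


def is_rtsp_response(raw: bytes) -> bool:
    """True if the payload starts with an RTSP status line, whatever port it used."""
    first, _, _ = raw.partition(b"\r\n")
    return STATUS_LINE.match(first) is not None


def parse_rtsp_headers(raw: bytes):
    """Return (status_line, [(name, value), ...]) for one RTSP response.

    Headers are kept as a list rather than a dict so that a duplicated header
    name, which a dict would silently collapse, is still inspected.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0]
    if STATUS_LINE.match(status) is None:
        raise ValueError("not an RTSP response status line")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def oversized_headers(raw: bytes, limit: int = MAX_HEADER_VALUE_LEN):
    """Names of headers whose value is longer than `limit` bytes."""
    _status, headers = parse_rtsp_headers(raw)
    return [name.decode("ascii", "replace")
            for name, value in headers if len(value) > limit]


# Constructed sample responses, not captured traffic.
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    + b"CSeq: 2\r\n"
    + b"Content-Type: application/sdp\r\n"
    + b"Content-Length: 0\r\n"
    + b"\r\n"
)

OVERSIZED_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    + b"CSeq: 2\r\n"
    + b"Server: " + b"A" * 1024 + b"\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RESPONSE), ("oversized", OVERSIZED_RESPONSE)):
        print(label, is_rtsp_response(sample), oversized_headers(sample))
```

Because the check keys on the status line, it works on traffic seen on 80/tcp or any other port, which is the reason port-based blocking alone is described as insufficient.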
RECOMMENDATIONS:
We recommend the following actions be taken:
- Set the kill bit on the Class Identifiers (CLSIDs) {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} and {4063BE15-3B08-470D-A0D5-B37161CFFD69};
further instructions on how to set the kill bit can be found at the
following location: http://support.microsoft.com/kb/240797
- Blocking the RTSP protocol with a proxy or firewall may help mitigate this vulnerability. Blocking outbound access to ports 554 tcp/udp, 6970-6999 udp and 8554 tcp/udp may not be sufficient, since RTSP can be configured to use a variety of ports.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Do not visit unknown or un-trusted Web sites or follow links provided by unknown or un-trusted sources.
- Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
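The first recommendation above, setting the kill bit on the two CLSIDs, is done through the registry as described in Microsoft KB240797. The following is an added example, not part of the MS-ISAC advisory, that produces the text of a .reg file setting Compatibility Flags to 0x400 for each CLSID under the ActiveX Compatibility key, and that checks whether a flags value read back has the bit set. The CLSIDs are the ones named in the advisory; the Wow6432Node path for 32-bit Internet Explorer on 64-bit Windows is an assumption and is off by default.

```python
"""Kill-bit .reg generator for the advisory's CLSIDs (added example)."""
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that disables the control (KB240797)

ACTIVEX_COMPAT_KEYS = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # Assumed path for 32-bit IE on 64-bit Windows; not taken from the advisory.
    "wow64": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
}

# CLSIDs named in the advisory.
QUICKTIME_CLSIDS = (
    "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}",
    "{4063BE15-3B08-470D-A0D5-B37161CFFD69}",
)

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def has_kill_bit(flags: int) -> bool:
    """True if the kill bit is set in a Compatibility Flags DWORD read from the registry."""
    return bool(flags & KILL_BIT)


def killbit_reg_file(clsids=QUICKTIME_CLSIDS, include_wow64=False) -> str:
    """Return .reg file text that sets the kill bit for each CLSID.

    Each CLSID is validated before being written, so a typo produces an error
    rather than a harmless-looking entry for a control that does not exist.
    """
    keys = [ACTIVEX_COMPAT_KEYS["native"]]
    if include_wow64:
        keys.append(ACTIVEX_COMPAT_KEYS["wow64"])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError("not a CLSID: %r" % clsid)
        for key in keys:
            lines.append("[%s\\%s]" % (key, clsid.upper()))
            lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
            lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(killbit_reg_file())
```

The output can be saved as a .reg file and imported on affected Windows hosts; has_kill_bit is for verifying the value after the change, since other bits in Compatibility Flags may already be set and must be preserved.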
REFERENCES:
Security Focus:
http://www.securityfocus.com/bid/26549
http://www.securityfocus.com/brief/633
US-CERT:
http://www.kb.cert.org/vuls/id/659761
eEye Digital Security:
http://research.eeye.com/html/alerts/zeroday/20071123.html
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
