QuickTime/Darwin Streaming Server Administration Server Bugs Let Remote Users Execute Arbitrary Commands and May Yield Root Access
|
|
SecurityTracker Alert ID: 1006164
|
|
CVE Reference: CAN-2003-0050, CAN-2003-0051, CAN-2003-0052, CAN-2003-0053, CAN-2003-0054, CAN-2003-0055 (Links to External Site)
|
Updated: Dec 8 2003
|
Original Entry Date: Feb 25 2003
|
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, Root access via local system, Root access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: @Stake - L0pht
|
Version(s): 4.1.1, 4.1.2
|
Description: Several vulnerabilities were reported in the Administration Server component of QuickTime/Darwin Streaming Server. A remote user can execute arbitrary commands on the server with root privileges and can conduct cross-site scripting attacks against administrators. A local user can also execute arbitrary code with root privileges.
According to the report, the Administration Server runs with root privileges. Several flaws were reported by @stake.
A remote user can reportedly connect to the Administration Server on port 1220 and execute operating system commands on the server with root privileges. In some cases, arbitrary parameters can be supplied.
It is reported that the parse_xml.cgi script passes user-supplied input to a Perl open() function without properly validating the input (the two-argument form of open() treats a filename that begins or ends with '|' as a command to run rather than a file to open). A remote user can supply a GET request with input containing a pipe character ('|') to the QuickTime version of the Administration Server to cause arbitrary commands to be executed on the server. In the Darwin version of the Administration Server, some checking is performed that makes it more difficult to pass command parameters.
On a UNIX-based target system, a remote user can reportedly exploit this flaw to open the inode of a directory to obtain a listing of the directory's contents.
A remote user can also determine the physical installation path by submitting a GET request to the parse_xml.cgi script with a NULL character as the filename parameter.
A remote user can conduct cross-site scripting attacks against administrators by submitting a GET request to the parse_xml.cgi script with a specially crafted filename parameter. Arbitrary HTML code specified in the filename parameter will be displayed in the script's error message.
A remote user can create
a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's
browser. The code will originate from the site running the Administration Server and will run in the security context of that site.
As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with
the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the
target user. For example, the 'qtpassword' cookie reportedly contains a Base64-encoded copy of the administrative username and
password.
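The three parse_xml.cgi vectors above (a pipe character reaching open(), a NUL byte in the filename, HTML reflected in the error message) all travel in the same GET parameter, so they can be rejected at the input boundary and spotted after the fact in web-server logs. The following Python is an added example written for this page, not code from the @stake advisory or from Apple's server. It assumes the script is reached at a path ending in parse_xml.cgi, that the parameter is named filename, and that the access log is in Common Log Format; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for the decoded filename: a plain basename, no separators or metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


class RejectedInput(ValueError):
    """Raised with a short tag naming the advisory vector the value matched."""


def validate_filename(name: str) -> str:
    """Return `name` unchanged if it is safe to hand to the filesystem, else raise.

    Checks run most-damaging first so the tag reflects the worst thing seen.
    """
    if "\x00" in name:
        raise RejectedInput("nul-byte")        # truncates the path in C/Perl; leaks install path
    if "|" in name:
        raise RejectedInput("pipe")            # Perl two-arg open() would run a command
    if any(c in name for c in "<>\"'&"):
        raise RejectedInput("html-metachar")   # would be reflected in the error page
    if "/" in name or "\\" in name or name in (".", ".."):
        raise RejectedInput("path-separator")  # traversal or opening a directory
    if not SAFE_NAME.fullmatch(name):
        raise RejectedInput("not-allowlisted")
    return name


# Request line as it appears in a Common Log Format access log.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def classify_request(log_line: str) -> list[str]:
    """Return the vectors found in one access-log line (empty list when clean)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    if not target.path.endswith("parse_xml.cgi"):   # assumed script path
        return []
    # parse_qs percent-decodes, so %7C, %00 and %3C become |, NUL and < here.
    params = parse_qs(target.query, keep_blank_values=True)
    tags = []
    for value in params.get("filename", []):         # assumed parameter name
        try:
            validate_filename(value)
        except RejectedInput as why:
            tags.append(str(why))
    return tags


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> tags for every suspicious line in a log."""
    return {i: tags for i, line in enumerate(lines) if (tags := classify_request(line))}


# Constructed sample log (not from the advisory): one request per vector plus benign noise.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2003:10:00:01 +0000] "GET /parse_xml.cgi?filename=frontpage.xml HTTP/1.0" 200 812',
    '192.0.2.11 - - [25/Feb/2003:10:00:02 +0000] "GET /parse_xml.cgi?filename=%7Cid HTTP/1.0" 200 96',
    '192.0.2.12 - - [25/Feb/2003:10:00:03 +0000] "GET /parse_xml.cgi?filename=%00 HTTP/1.0" 500 220',
    '192.0.2.13 - - [25/Feb/2003:10:00:04 +0000] "GET /parse_xml.cgi?filename=%3Cb%3Ex%3C%2Fb%3E HTTP/1.0" 500 260',
    '192.0.2.14 - - [25/Feb/2003:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(tags)}")
```

The allowlist is the real fix; the ordered denylist checks exist only so a log scan can label which of the advisory's vectors a request was probing for.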
Also, it is reported that a remote user can make a request to port 7070 and supply a specially crafted value containing HTML code as part of an argument to the RTSP DESCRIBE method to conduct cross-site scripting attacks. The HTML is written verbatim to the log file; when an administrator later views the logs via the administrative interface, the code is executed in the administrator's browser.
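The RTSP log-injection issue is the same class of bug in the other direction: attacker-controlled text is stored verbatim and later rendered as HTML by the administrative log viewer. The following Python is an added example, not the streaming server's code: a minimal RTSP DESCRIBE parser fed a constructed request, a log writer that strips control characters so a client cannot forge extra log lines, and a viewer that HTML-escapes each line before rendering, shown beside the unescaped rendering that reproduces the problem.

```python
import html
import re
from datetime import datetime, timezone

RTSP_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) RTSP/(?P<ver>\d\.\d)$")


def parse_rtsp_request(raw: bytes) -> dict:
    """Parse the request line and headers of one RTSP request (minimal, for illustration)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = RTSP_REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "url": m["url"], "version": m["ver"], "headers": headers}


def sanitize_for_log(field: str, limit: int = 512) -> str:
    """Neutralize log forging: replace CR/LF and other non-printables, cap the length.

    HTML is deliberately NOT escaped here; the log is plain text and escaping is the
    viewer's job (escaping at write time breaks every other consumer of the file).
    """
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in field)
    return cleaned[:limit]


def log_line(client: str, req: dict, when: datetime) -> str:
    """Build one access-log line from a parsed request."""
    return " ".join([
        when.strftime("%Y-%m-%d %H:%M:%S"),
        sanitize_for_log(client),
        sanitize_for_log(req["method"]),
        sanitize_for_log(req["url"]),
        sanitize_for_log(req["headers"].get("user-agent", "-")),
    ])


def render_log_html_unsafe(lines: list[str]) -> str:
    """The bug: raw log text dropped into the admin page; any HTML in a URL is live."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_log_html(lines: list[str]) -> str:
    """The fix: escape every line for the HTML context before rendering."""
    return "<pre>" + "\n".join(html.escape(line, quote=True) for line in lines) + "</pre>"


# Constructed DESCRIBE request (not from the advisory) whose URL carries HTML.
SAMPLE_DESCRIBE = (
    b"DESCRIBE rtsp://203.0.113.5/sample_100kbit.mov<b>injected</b> RTSP/1.0\r\n"
    b"CSeq: 2\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
)


def demo() -> dict:
    """Run the constructed request through both renderers and report what each emits."""
    req = parse_rtsp_request(SAMPLE_DESCRIBE)
    line = log_line("203.0.113.7", req, datetime(2003, 2, 25, 10, 0, tzinfo=timezone.utc))
    return {
        "log_line": line,
        "unsafe_html": render_log_html_unsafe([line]),
        "safe_html": render_log_html([line]),
    }


if __name__ == "__main__":
    out = demo()
    print(out["log_line"])
    print(out["safe_html"])
```

Note the split of responsibilities: the writer only guarantees one log line per request, while the viewer owns HTML encoding, because the same log file may also be read by scripts that expect raw URLs.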
It is also reported that a local user can trigger a buffer overflow to gain elevated
privileges on the system. According to the report, a buffer overflow in the streaming server's MP3 broadcasting module may allow
arbitrary code to be executed when an MP3 file with a filename longer than 256 bytes is loaded. A local user can load a specially
named MP3 file to execute arbitrary code with root privileges to gain root access on the server.
[Editor's note: Regrettably,
@stake does not permit us to reproduce their advisory, so we cannot provide you with the Source Message. You may view the advisory
on their web site: http://www.atstake.com/research/advisories/2003/a032403-1.txt]
|
Impact: A remote user can execute arbitrary commands with root privileges.
A remote user can view directory listings on the system.
A remote user can determine the installation path.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Administration Server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A local user can execute arbitrary code with root privileges.
|
Solution: The vendor has reportedly released an update for Mac OS X (10.2.4).
For information on updating from Mac OS X Server 10.2.3, see the following knowledge base article:
http://docs.info.apple.com/article.html?artnum=70171
For information on updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2, see the following knowledge base article:
http://docs.info.apple.com/article.html?artnum=70172
|
Vendor URL: www.apple.com/quicktime/products/qtss/ (Links to External Site)
|
Cause: Boundary error, Input validation error
|
Underlying OS: Linux (Any), UNIX (OS X), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
|
Reported By: "@stake Advisories" <advisories@atstake.com>
|
Message History:
None.
|
Source Message Contents
[Original Message Not Available for Viewing]
|