Details of VAR-200512-0643

ID

VAR-200512-0643

CVE

CVE-2005-2340

TITLE

Apple QuickTime fails to properly handle corrupt media files

Trust: 0.8

sources: CERT/CC: VU#921193

DESCRIPTION

Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field. Apple's QuickTime is a player for files and streaming media in a variety of different formats. QuickTime is prone to a remote heap-based overflow vulnerability. This issue presents itself when the application processes a specially crafted QTIF (QuickTime Image) file. A successful attack can result in a remote compromise. Apple QuickTime is prone to a buffer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data before copying it to finite-sized process buffers. Unsuccessful exploit attempts will most likely crash the application. This issue affects QuickTime 6.5.2 and 7.0.3; other versions may also be vulnerable. QuickTime 7.0.4 may also be vulnerable, but this has not been confirmed. This issue may have previously been discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities). Quicktime will copy to the stack byte by byte when processing the data field of the qtif format file, but it does not perform the correct check, so it will cause a stack overflow in memory. The original function pointer value is 0x44332211. Just overflow it to 0x08332211 and make sure it doesn't crash before overflowing 0x44 to 0x08, and the code will execute. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----

Trust: 5.94

sources: NVD: CVE-2005-2340 // CERT/CC: VU#921193 // CERT/CC: VU#629845 // CERT/CC: VU#115729 // CERT/CC: VU#150753 // CERT/CC: VU#913449 // CERT/CC: VU#687201 // BID: 16852 // BID: 16212 // VULHUB: VHN-13549 // PACKETSTORM: 43062

AFFECTED PRODUCTS

vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 4.8
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0.2	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0.1	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	lte	version:	7.0.3	Trust: 1.0
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.3	Trust: 0.6
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.2	Trust: 0.6
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.1	Trust: 0.6
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0	Trust: 0.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0.3	Trust: 0.6
vendor:	apple	model:	quicktime player	scope:	ne	version:	7.0.4	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.4	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	6.5.2	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	6.4	Trust: 0.3

sources: CERT/CC: VU#921193 // CERT/CC: VU#629845 // CERT/CC: VU#115729 // CERT/CC: VU#150753 // CERT/CC: VU#913449 // CERT/CC: VU#687201 // BID: 16852 // BID: 16212 // CNNVD: CNNVD-200512-952 // NVD: CVE-2005-2340

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2005-2340
value:	HIGH
Trust: 1.0
CARNEGIE MELLON:	VU#921193
value:	43.88
Trust: 0.8
CARNEGIE MELLON:	VU#629845
value:	18.23
Trust: 0.8
CARNEGIE MELLON:	VU#115729
value:	3.85
Trust: 0.8
CARNEGIE MELLON:	VU#150753
value:	32.63
Trust: 0.8
CARNEGIE MELLON:	VU#913449
value:	3.85
Trust: 0.8
CARNEGIE MELLON:	VU#687201
value:	16.40
Trust: 0.8
CNNVD:	CNNVD-200512-952
value:	HIGH
Trust: 0.6
VULHUB:	VHN-13549
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2005-2340
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-13549
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#921193 // CERT/CC: VU#629845 // CERT/CC: VU#115729 // CERT/CC: VU#150753 // CERT/CC: VU#913449 // CERT/CC: VU#687201 // VULHUB: VHN-13549 // CNNVD: CNNVD-200512-952 // NVD: CVE-2005-2340

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.1

sources: VULHUB: VHN-13549 // NVD: CVE-2005-2340

THREAT TYPE

network

Trust: 0.6

sources: BID: 16852 // BID: 16212

TYPE

Boundary Condition Error

Trust: 0.6

sources: BID: 16852 // BID: 16212

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-13549

EXTERNAL IDS

db:	SECUNIA	id:	18370	Trust: 5.7
db:	CERT/CC	id:	VU#629845	Trust: 2.6
db:	BID	id:	16202	Trust: 2.5
db:	CERT/CC	id:	VU#687201	Trust: 2.5
db:	NVD	id:	CVE-2005-2340	Trust: 2.5
db:	BID	id:	16212	Trust: 2.0
db:	USCERT	id:	TA06-011A	Trust: 1.8
db:	OSVDB	id:	22334	Trust: 1.7
db:	OSVDB	id:	22335	Trust: 1.7
db:	OSVDB	id:	22333	Trust: 1.7
db:	SECTRACK	id:	1015463	Trust: 1.7
db:	VUPEN	id:	ADV-2006-0128	Trust: 1.7
db:	SREASON	id:	332	Trust: 1.7
db:	SECTRACK	id:	1015466	Trust: 1.6
db:	CERT/CC	id:	VU#921193	Trust: 0.9
db:	CERT/CC	id:	VU#115729	Trust: 0.9
db:	CERT/CC	id:	VU#150753	Trust: 0.9
db:	CERT/CC	id:	VU#913449	Trust: 0.9
db:	OSVDB	id:	22337	Trust: 0.8
db:	CNNVD	id:	CNNVD-200512-952	Trust: 0.7
db:	CERT/CC	id:	TA06-011A	Trust: 0.6
db:	FULLDISC	id:	20060111 [CIRT.DK] APPLE QUICKTIME 7.0.3 AND EARLIER - JPG/PICT BUFFER OVERFLOW	Trust: 0.6
db:	FULLDISC	id:	20060111 UPDATED ADVISORIES - INCORRECT CVE INFORMATION	Trust: 0.6
db:	FULLDISC	id:	20060111 [EEYEB-20051220] APPLE QUICKTIME QTIF STACK OVERFLOW	Trust: 0.6
db:	NSFOCUS	id:	8392	Trust: 0.6
db:	NSFOCUS	id:	8395	Trust: 0.6
db:	NSFOCUS	id:	8395※8392※8394※8393	Trust: 0.6
db:	NSFOCUS	id:	8393	Trust: 0.6
db:	NSFOCUS	id:	8394	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2006-01-10	Trust: 0.6
db:	BUGTRAQ	id:	20060111 UPDATED ADVISORIES - INCORRECT CVE INFORMATION	Trust: 0.6
db:	BUGTRAQ	id:	20060111 [EEYEB-20051220] APPLE QUICKTIME QTIF STACK OVERFLOW	Trust: 0.6
db:	XF	id:	24054	Trust: 0.6
db:	BID	id:	16852	Trust: 0.4
db:	PACKETSTORM	id:	43054	Trust: 0.2
db:	EXPLOIT-DB	id:	27069	Trust: 0.1
db:	SEEBUG	id:	SSVID-80689	Trust: 0.1
db:	VULHUB	id:	VHN-13549	Trust: 0.1
db:	PACKETSTORM	id:	43062	Trust: 0.1

sources: CERT/CC: VU#921193 // CERT/CC: VU#629845 // CERT/CC: VU#115729 // CERT/CC: VU#150753 // CERT/CC: VU#913449 // CERT/CC: VU#687201 // VULHUB: VHN-13549 // BID: 16852 // BID: 16212 // PACKETSTORM: 43054 // PACKETSTORM: 43062 // CNNVD: CNNVD-200512-952 // NVD: CVE-2005-2340

REFERENCES

url:	http://docs.info.apple.com/article.html?artnum=303101	Trust: 5.7
url:	http://secunia.com/advisories/18370/	Trust: 4.0
url:	http://www.securityfocus.com/bid/16202	Trust: 2.5
url:	http://www.cirt.dk/advisories/cirt-41-advisory.pdf	Trust: 2.0
url:	http://www.securityfocus.com/bid/16212	Trust: 1.7
url:	http://www.us-cert.gov/cas/techalerts/ta06-011a.html	Trust: 1.7
url:	http://www.kb.cert.org/vuls/id/629845	Trust: 1.7
url:	http://www.kb.cert.org/vuls/id/687201	Trust: 1.7
url:	http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0402.html	Trust: 1.7
url:	http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0392.html	Trust: 1.7
url:	http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0398.html	Trust: 1.7
url:	http://www.osvdb.org/22333	Trust: 1.7
url:	http://www.osvdb.org/22334	Trust: 1.7
url:	http://www.osvdb.org/22335	Trust: 1.7
url:	http://securitytracker.com/id?1015463	Trust: 1.7
url:	http://secunia.com/advisories/18370	Trust: 1.7
url:	http://securityreason.com/securityalert/332	Trust: 1.7
url:	http://securitytracker.com/alerts/2006/jan/1015466.html	Trust: 1.6
url:	http://www.securityfocus.com/archive/1/421547/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/421566/100/0/threaded	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2006/0128	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/24054	Trust: 1.1
url:	http://www.eeye.com/html/research/advisories/ad20060111a.html	Trust: 0.8
url:	about vulnerability notes	Trust: 0.8
url:	contact us about this vulnerability	Trust: 0.8
url:	provide a vendor statement	Trust: 0.8
url:	http://www.osvdb.org/displayvuln.php?osvdb_id=22337	Trust: 0.8
url:	http://www.eeye.com/html/research/advisories/ad20060111d.html	Trust: 0.8
url:	http://www.eeye.com/html/research/advisories/ad20060111b.html	Trust: 0.8
url:	http://developer.apple.com/documentation/quicktime/ref/refimporter.4.htm	Trust: 0.8
url:	http://docs.info.apple.com/article.html?artnum=61798	Trust: 0.8
url:	http://www.apple.com/quicktime/	Trust: 0.6
url:	http://xforce.iss.net/xforce/xfdb/24054	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2006/0128	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/421566/100/0/threaded	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/421547/100/0/threaded	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/8395※8392※8394※8393	Trust: 0.6
url:	/archive/1/421561	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2005-2340	Trust: 0.2
url:	-	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/913449>	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-3710	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-4092	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-4092>	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-3710>	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/629845>	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-3713>	Trust: 0.1
url:	http://www.us-cert.gov/cas/techalerts/ta06-011a.html>	Trust: 0.1
url:	http://www.us-cert.gov/cas/signup.html>.	Trust: 0.1
url:	http://docs.info.apple.com/article.html?artnum=302810>	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-3707>	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/115729>	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-2340>	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-3707	Trust: 0.1
url:	http://www.apple.com/support/downloads/quicktime704.html>	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/921193>	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-3713	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/150753>	Trust: 0.1
url:	http://docs.info.apple.com/article.html?artnum=303101>	Trust: 0.1
url:	http://www.us-cert.gov/legal.html>	Trust: 0.1

sources: CERT/CC: VU#921193 // CERT/CC: VU#629845 // CERT/CC: VU#115729 // CERT/CC: VU#150753 // CERT/CC: VU#913449 // CERT/CC: VU#687201 // VULHUB: VHN-13549 // BID: 16852 // BID: 16212 // PACKETSTORM: 43054 // PACKETSTORM: 43062 // CNNVD: CNNVD-200512-952 // NVD: CVE-2005-2340

CREDITS

Varun UppaleEye info@eEye.com

Trust: 0.6

sources: CNNVD: CNNVD-200512-952

SOURCES

db:	CERT/CC	id:	VU#921193
db:	CERT/CC	id:	VU#629845
db:	CERT/CC	id:	VU#115729
db:	CERT/CC	id:	VU#150753
db:	CERT/CC	id:	VU#913449
db:	CERT/CC	id:	VU#687201
db:	VULHUB	id:	VHN-13549
db:	BID	id:	16852
db:	BID	id:	16212
db:	PACKETSTORM	id:	43054
db:	PACKETSTORM	id:	43062
db:	CNNVD	id:	CNNVD-200512-952
db:	NVD	id:	CVE-2005-2340

LAST UPDATE DATE

2024-09-19T00:59:03.596000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#921193	date:	2006-01-12T00:00:00
db:	CERT/CC	id:	VU#629845	date:	2006-01-13T00:00:00
db:	CERT/CC	id:	VU#115729	date:	2006-01-11T00:00:00
db:	CERT/CC	id:	VU#150753	date:	2006-01-13T00:00:00
db:	CERT/CC	id:	VU#913449	date:	2006-01-31T00:00:00
db:	CERT/CC	id:	VU#687201	date:	2006-01-20T00:00:00
db:	VULHUB	id:	VHN-13549	date:	2018-10-19T00:00:00
db:	BID	id:	16852	date:	2015-05-12T19:49:00
db:	BID	id:	16212	date:	2007-11-15T00:35:00
db:	CNNVD	id:	CNNVD-200512-952	date:	2006-05-24T00:00:00
db:	NVD	id:	CVE-2005-2340	date:	2018-10-19T15:32:44.720

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#921193	date:	2006-01-11T00:00:00
db:	CERT/CC	id:	VU#629845	date:	2006-01-11T00:00:00
db:	CERT/CC	id:	VU#115729	date:	2006-01-11T00:00:00
db:	CERT/CC	id:	VU#150753	date:	2006-01-11T00:00:00
db:	CERT/CC	id:	VU#913449	date:	2006-01-11T00:00:00
db:	CERT/CC	id:	VU#687201	date:	2006-01-11T00:00:00
db:	VULHUB	id:	VHN-13549	date:	2005-12-31T00:00:00
db:	BID	id:	16852	date:	2006-01-10T00:00:00
db:	BID	id:	16212	date:	2006-01-11T00:00:00
db:	PACKETSTORM	id:	43054	date:	2006-01-15T15:22:47
db:	PACKETSTORM	id:	43062	date:	2006-01-15T15:39:24
db:	CNNVD	id:	CNNVD-200512-952	date:	2005-12-31T00:00:00
db:	NVD	id:	CVE-2005-2340	date:	2005-12-31T05:00:00