ID

VAR-200603-0472


CVE

CVE-2006-1249


TITLE

Apple QuickTime FlashPix integer overflow

Trust: 0.8

sources: CERT/CC: VU#570689

DESCRIPTION

Integer overflow in Apple QuickTime Player 7.0.3 and 7.0.4 and iTunes 6.0.1 and 6.0.2 allows remote attackers to execute arbitrary code via a FlashPix (FPX) image that contains a field that specifies a large number of blocks. Apple QuickTime fails to properly handle FlashPix images. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition.

Two vulnerabilities have been reported in Apple QuickTime and iTunes:
- an integer overflow
- a heap-based buffer overflow

These issues affect both Mac OS X and Microsoft Windows releases of the software. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user.

Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes.

II. For further information, please see the Vulnerability Notes.

III. Disable QuickTime in your web browser

An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document.

Appendix A. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject.

Produced 2006 by US-CERT, a government organization.
Terms of use: <http://www.us-cert.gov/legal.html>

Revision History
May 12, 2006: Initial release

McAfee, Inc.
McAfee Avert™ Labs Security Advisory
Public Release Date: 2006-05-11

Apple QuickDraw/QuickTime Multiple Vulnerabilities

CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465

* Synopsis

Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data. Two code execution vulnerabilities are present in QuickDraw PICT image format support. Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.

CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.

CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.

CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.

CVE-2006-1462
Three integer overflow vulnerabilities are present in QuickTime H.264 (M4V) video format support.

CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.

CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.

* Legal Notice

Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee's customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Technical Description:
In an fpx file, there is a field that figures out how many blocks of data there are in that file. One block data size is 0x200; QuickTime Player will allocate memory relying on (number*0x200) but does not check the size value, and an integer overflow can occur. If you set the block value to 0x800000, an integer overflow will occur, which will then cause a heap overflow and write invalid memory.

QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.

Vendor Status:
Apple has released a patch for this vulnerability. Information is available at http://docs.info.apple.com/article.html?artnum=61798

Credit:
Discovery: Fang Xing

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

TITLE: QuickTime Multiple Code Execution Vulnerabilities

SECUNIA ADVISORY ID: SA20069

VERIFY ADVISORY: http://secunia.com/advisories/20069/

CRITICAL: Highly critical

IMPACT: DoS, System access

WHERE: From remote

SOFTWARE:
Apple Quicktime 4.x http://secunia.com/product/7923/
Apple Quicktime 5.x http://secunia.com/product/215/
Apple Quicktime 6.x http://secunia.com/product/810/
Apple QuickTime 7.x http://secunia.com/product/5090/

DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code.

4) An integer overflow and boundary error within the processing of H.264 movies can be exploited via a specially crafted H.264 movie to crash the application and potentially execute arbitrary code.

5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code.

7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code.

8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code.

9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code.

SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris

ORIGINAL ADVISORY:
Apple: http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat: http://secway.org/advisory/AD20060512.txt

Trust: 2.34

sources: NVD: CVE-2006-1249 // CERT/CC: VU#570689 // BID: 17074 // VULHUB: VHN-17357 // PACKETSTORM: 46427 // PACKETSTORM: 46419 // PACKETSTORM: 46407 // PACKETSTORM: 46260

AFFECTED PRODUCTS

vendor: apple, model: itunes, scope: eq, version: 6.0.1

Trust: 1.9

vendor: apple, model: quicktime, scope: eq, version: 7.0.4

Trust: 1.6

vendor: apple, model: itunes, scope: eq, version: 6.0.2

Trust: 1.6

vendor: apple, model: quicktime, scope: eq, version: 7.0.3

Trust: 1.6

vendor: apple computer, model: -, scope: -, version: -

Trust: 0.8

vendor: esignal, model: esignal, scope: eq, version: 6.0.2

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0.4

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.6

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.5

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.9

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.9

Trust: 0.3

vendor: apple, model: quicktime player, scope: ne, version: 7.1

Trust: 0.3

sources: CERT/CC: VU#570689 // BID: 17074 // CNNVD: CNNVD-200603-296 // NVD: CVE-2006-1249

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-1249
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#570689
value: 17.50

Trust: 0.8

CNNVD: CNNVD-200603-296
value: MEDIUM

Trust: 0.6

VULHUB: VHN-17357
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2006-1249
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-17357
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#570689 // VULHUB: VHN-17357 // CNNVD: CNNVD-200603-296 // NVD: CVE-2006-1249

PROBLEMTYPE DATA

problemtype:CWE-189

Trust: 1.1

sources: VULHUB: VHN-17357 // NVD: CVE-2006-1249

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 46427 // CNNVD: CNNVD-200603-296

TYPE

digital error

Trust: 0.6

sources: CNNVD: CNNVD-200603-296

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-17357

EXTERNAL IDS

db: CERT/CC, id: VU#570689

Trust: 2.5

db: NVD, id: CVE-2006-1249

Trust: 2.2

db: BID, id: 17074

Trust: 2.0

db: SECUNIA, id: 20069

Trust: 1.9

db: USCERT, id: TA06-132B

Trust: 1.8

db: SECTRACK, id: 1016067

Trust: 1.7

db: VUPEN, id: ADV-2006-1778

Trust: 1.7

db: CNNVD, id: CNNVD-200603-296

Trust: 0.7

db: CERT/CC, id: TA06-132B

Trust: 0.6

db: APPLE, id: APPLE-SA-2006-05-11

Trust: 0.6

db: BUGTRAQ, id: 20060512 APPLE QUICKDRAW/QUICKTIME MULTIPLE VULNERABILITIES

Trust: 0.6

db: BUGTRAQ, id: 20060511 [EEYEB-20060307] APPLE QUICKTIME FPX INTEGER OVERFLOW

Trust: 0.6

db: XF, id: 26398

Trust: 0.6

db: PACKETSTORM, id: 46419

Trust: 0.2

db: PACKETSTORM, id: 46407

Trust: 0.2

db: VULHUB, id: VHN-17357

Trust: 0.1

db: PACKETSTORM, id: 46427

Trust: 0.1

db: ZDI, id: ZDI-06-015

Trust: 0.1

db: PACKETSTORM, id: 46260

Trust: 0.1

sources: CERT/CC: VU#570689 // VULHUB: VHN-17357 // BID: 17074 // PACKETSTORM: 46427 // PACKETSTORM: 46419 // PACKETSTORM: 46407 // PACKETSTORM: 46260 // CNNVD: CNNVD-200603-296 // NVD: CVE-2006-1249

REFERENCES

url:http://www.eeye.com/html/research/upcoming/20060307b.html

Trust: 2.0

url:http://lists.apple.com/archives/security-announce/2006/may/msg00002.html

Trust: 1.7

url:http://www.securityfocus.com/bid/17074

Trust: 1.7

url:http://www.us-cert.gov/cas/techalerts/ta06-132b.html

Trust: 1.7

url:http://www.kb.cert.org/vuls/id/570689

Trust: 1.7

url:http://securitytracker.com/id?1016067

Trust: 1.7

url:http://secunia.com/advisories/20069

Trust: 1.7

url:http://www.securityfocus.com/archive/1/433850/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/433831/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/1778

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/26398

Trust: 1.1

url:http://xforce.iss.net/xforce/xfdb/26398

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/433850/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/433831/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2006/1778

Trust: 0.6

url:http://docs.info.apple.com/article.html?artnum=303752

Trust: 0.4

url:http://www.apple.com/quicktime/

Trust: 0.3

url:http://www.apple.com/itunes/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2006-1249

Trust: 0.2

url:http://www.apple.com/quicktime/download/standalone.html

Trust: 0.1

url:http://www.kb.cert.org/vuls/byid?searchview&query=quicktime_7.1

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=303752

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta06-132b.html

Trust: 0.1

url:http://www.us-cert.gov/legal.html

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=106704

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html

Trust: 0.1

url:http://www.apple.com/support/downloads/quicktime71.html

Trust: 0.1

url:http://www.us-cert.gov/reading_room/securing_browser/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1461

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1464

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1453

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1462

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1454

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1465

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1459

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-1460

Trust: 0.1

url:http://developer.apple.com/documentation/quicktime/qtff/index.html

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=61798

Trust: 0.1

url:http://www.apple.com/support/downloads/quicktime71.html

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/5090/

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-06-015.html

Trust: 0.1

url:http://secway.org/advisory/ad20060512.txt

Trust: 0.1

url:http://secunia.com/product/810/

Trust: 0.1

url:http://secunia.com/advisories/20069/

Trust: 0.1

url:http://www.eeye.com/html/research/advisories/ad20060511.html

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/product/7923/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/product/215/

Trust: 0.1

sources: CERT/CC: VU#570689 // VULHUB: VHN-17357 // BID: 17074 // PACKETSTORM: 46427 // PACKETSTORM: 46419 // PACKETSTORM: 46407 // PACKETSTORM: 46260 // CNNVD: CNNVD-200603-296 // NVD: CVE-2006-1249

CREDITS

eEye info@eEye.com

Trust: 0.6

sources: CNNVD: CNNVD-200603-296

SOURCES

db: CERT/CC, id: VU#570689
db: VULHUB, id: VHN-17357
db: BID, id: 17074
db: PACKETSTORM, id: 46427
db: PACKETSTORM, id: 46419
db: PACKETSTORM, id: 46407
db: PACKETSTORM, id: 46260
db: CNNVD, id: CNNVD-200603-296
db: NVD, id: CVE-2006-1249

LAST UPDATE DATE

2024-11-23T19:32:49.723000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#570689, date: 2006-05-17T00:00:00
db: VULHUB, id: VHN-17357, date: 2018-10-18T00:00:00
db: BID, id: 17074, date: 2006-05-15T21:49:00
db: CNNVD, id: CNNVD-200603-296, date: 2006-06-01T00:00:00
db: NVD, id: CVE-2006-1249, date: 2024-11-21T00:08:25.297

SOURCES RELEASE DATE

db: CERT/CC, id: VU#570689, date: 2006-05-15T00:00:00
db: VULHUB, id: VHN-17357, date: 2006-03-19T00:00:00
db: BID, id: 17074, date: 2006-03-11T00:00:00
db: PACKETSTORM, id: 46427, date: 2006-05-22T00:50:08
db: PACKETSTORM, id: 46419, date: 2006-05-21T22:28:33
db: PACKETSTORM, id: 46407, date: 2006-05-21T19:13:18
db: PACKETSTORM, id: 46260, date: 2006-05-17T05:39:52
db: CNNVD, id: CNNVD-200603-296, date: 2006-03-18T00:00:00
db: NVD, id: CVE-2006-1249, date: 2006-03-19T01:02:00