lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <OFD61D5766.60FE151E-ON88256D6C.0008536B-88256D6C.00085BB8@hq.rapid7.com>
Date: Tue, 22 Jul 2003 18:43:31 -0700
From: advisory@...id7.com
To: bugtraq@...urityfocus.com
Subject: R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory
       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

   Published:  July 22, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0015.html

   CVE:    CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
           CAN-2003-0425, CAN-2003-0426, CAN-2003-0502

1. Affected system(s):

   KNOWN VULNERABLE:
    o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
    o QuickTime/Darwin Streaming Server v4.1.3 for Win32
    o QuickTime/Darwin Streaming Server v4.1.3 for Linux

   UNKNOWN/NOT TESTED:
    o other platforms (Solaris)

2. Summary

   Several vulnerabilities have been found in the Apple
   QuickTime/Darwin Streaming Server, including denial of service,
   web root traversal, and script source disclosure.

3. Vendor status and information

   Apple
   http://www.apple.com/

   The vendor has been notified and has released fixes for all but
   one of the issues, which is currently under investigation.

4. Solution

   Upgrade to version 4.1.3g or later of Darwin Streaming Server,
   which may be obtained as a free download from:

      http://developer.apple.com/darwin/projects/streaming/

   Please see the next section for detailed fix information.

5. Detailed analysis

   There are several vulnerabilities.

   Denial of Service by HTTP Request for DOS Device Name
   CVE ID: CAN-2003-0421
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
      will cause a denial of service on the server.  An initial
      HTTP 404 response will be returned for the device request,
      but future requests will not be serviced.  For example:

      ==> GET /AUX HTTP/1.0

   Denial of Service by Request for ../ DOS Device Name
   CVE ID: CAN-2003-0502
   Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
   Fixed: In version 4.1.3g (Win32)

      This is a variant of CAN-2003-0421.  A fix for CAN-2003-0421
      was included in Streaming Server version, 4.1.3f, but further
      testing revealed that it was vulnerable to a variant where
      the device name was prefixed by dotdot slash (../), as in:

      ==> GET /../AUX HTTP/1.0

   Denial of Service by HTTP Request for /view_broadcast.cgi Script
   CVE ID: CAN-2003-0422
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Requesting the /view_broadcast.cgi script over HTTP (port 1220)
      will cause a denial of service on the server if the required
      request parameters are not sent.  The connection will be
      closed midway through servicing the request and no new
      connections will be allowed to the server.

      Example:

      ==> GET /view_broadcast.cgi HTTP/1.0

      <== HTTP/1.0 200 OK
      <== Content-Type: video/quicktime
      <==
      <== rtsp://
                ^^ server drops connection

   Source Disclosure via HTTP Request for /parse_xml.cgi Script
   CVE ID: CAN-2003-0423
   Affects: Darwin Streaming Server v4.1.3g and earlier
   Fixed: No fix is available at this time.  Apple is aware of
          this issue and they are investigating it further.

      The source code of any file within the web root can be obtained
      by issuing a request for /parse_xml.cgi?filename=[file], where
      [file] is the file whose source code you wish to view.

      This is only a serious risk if the administrator has installed
      custom scripts on Darwin Streaming Server that need to be
      protected.

   Script Source Disclosure by Appending Special Characters
   CVE ID: CAN-2003-0424
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      The source code of any script can be obtained by appending the
      special characters %2e (period) or %20 (space) to an HTTP request
      for that script.  For example, requesting /view_broadcast.cgi%2e
      will reveal the source code for that script.
 
   Web Root Traversal and Arbitrary File Disclosure (Win32)
   CVE ID: CAN-2003-0425
   Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
   Fixed: In version 4.1.3f (Win32)

      Any file on the system can be retrieved by using three dots
      to break out of the web root.  For example, requesting
      /.../qtusers will return the QuickTime user/password file.

   Default Install Allows Remote User to Set Admin Password
   CVE ID: CAN-2003-0426
   Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
   Fixed: In version 4.1.3f (Mac OS X)
 
      When Darwin Streaming Server is first installed, the
      HTTP-based administration server (typically port 1220)
      presents a "Setup Assistant" page where the user is prompted
      to set a new administrator password.  This would allow any
      remote user to connect and set up an administrator password
      before the server administrator has had a chance to do so.

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@...id7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ