Vulnerabilities > CVE-2007-0015 - Remote Buffer Overflow vulnerability in Apple Quicktime 7.1.3

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
apple
nessus
exploit available
metasploit

Summary

Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.

Vulnerable Configurations

Part Description Count
Application
Apple
1

Exploit-Db

  • descriptionApple QuickTime 7.1.3 RTSP URI Buffer Overflow. CVE-2007-0015. Remote exploit for windows platform
    idEDB-ID:16527
    last seen2016-02-02
    modified2010-05-04
    published2010-05-04
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16527/
    titleApple QuickTime 7.1.3 RTSP URI Buffer Overflow
  • idEDB-ID:3064

Metasploit

descriptionThis module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was inspired by MOAB-01-01-2007. The Browser target for this module was tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin.
idMSF:EXPLOIT/WINDOWS/BROWSER/APPLE_QUICKTIME_RTSP
last seen2020-02-29
modified2017-07-24
published2007-02-18
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/apple_quicktime_rtsp.rb
titleApple QuickTime 7.1.3 RTSP URI Buffer Overflow

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2007-001.NASL
    descriptionThe remote host is running a version of Mac OS X 10.3 or 10.4 which does not have Security Update 2007-001 applied. This update fixes a flaw in QuickTime which may allow a rogue website to execute arbitrary code on the remote host by exploiting an overflow in the RTSP URL handler.
    last seen2019-10-28
    modified2007-01-24
    plugin id24234
    published2007-01-24
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24234
    titleMac OS X Security Update 2007-001
    code
    #TRUSTED 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
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata block: when `description` is true the script only records the
    # attributes below and then exits (exit(0) at the end of this block), so none
    # of the host-checking code further down is reached on that pass.
    if (description)
    {
      script_id(24234);
      script_version("1.21");
      script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
      # Public identifiers this check is tied to (CVE and Bugtraq ID).
      script_cve_id("CVE-2007-0015");
      script_bugtraq_id(21829);
    
      script_name(english:"Mac OS X Security Update 2007-001");
      script_summary(english:"Check for the presence of the SecUpdate 2007-001");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update which fixes a security
    issue.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.3 or 10.4 which
    does not have Security Update 2007-001 applied.
    
    This update fixes a flaw in QuickTime which may allow a rogue website to
    execute arbitrary code on the remote host by exploiting an overflow in
    the RTSP URL handler.");
      script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=304989");
      # http://www.apple.com/support/downloads/securityupdate2007001universal.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c80700ff");
      script_set_attribute(attribute:"see_also", value:"http://www.apple.com/support/downloads/securityupdate2007001panther.html");
      script_set_attribute(attribute:"solution", value:"Install Security Update 2007-001.");
      # CVSS v2 base vector: network access vector, medium access complexity, no
      # authentication, partial confidentiality/integrity/availability impact.
      # Temporal vector: E:H (high exploitability), RL:OF (official fix),
      # RC:C (report confirmed).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # Exploit-maturity flags: public exploits, exploit-framework coverage
      # (Core, Metasploit, CANVAS) and use by malware are all recorded as true.
      # A finding from this plugin therefore describes a flaw with working
      # exploit code in circulation, which is useful input for patch priority.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      # Timeline as recorded here: disclosure 2007/01/01, patch 2007/01/16,
      # plugin 2007/01/24.
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/24");
    
      # Declared as a "local" plugin in the information-gathering category.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
      script_family(english:"MacOS X Local Security Checks");
    
      # Prerequisites: ssh_get_info.nasl and the Host/MacOSX/packages KB key.
      # NOTE(review): presumably this means the check only runs on credentialed
      # scans of Mac OS X hosts, so an uncredentialed scan gives no verdict
      # rather than a clean result. Confirm against the scanner documentation.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages");
      exit(0);
    }
    
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    # Turn the SSH wrapper layer on only when the SSH library's support level
    # is at least SSH_LIB_SUPPORTS_COMMANDS; otherwise turn it off explicitly.
    if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
    {
      enable_ssh_wrappers();
    }
    else
    {
      disable_ssh_wrappers();
    }
    
    # Run a shell command on the host being audited and return its output
    # with the trailing newline removed.
    #
    # cmd: command line to run. On localhost it is handed to `bash -c`;
    #      otherwise it is sent over an SSH session opened for this call.
    #
    # The whole script exits silently (exit(0)) when the SSH connection cannot
    # be opened or when the output does not start with a digit. In both cases
    # no finding is reported, so "no result" from this plugin does not mean
    # the host is patched.
    #
    # The command string is interpreted by a shell. The callers in this script
    # pass only command lines built from constant arguments; keep it that way
    # and never splice data obtained from the scanned host into `cmd`.
    function exec(cmd)
    {
     local_var output, opened;
    
     if ( ! islocalhost() )
     {
      opened = ssh_open_connection();
      if ( ! opened ) exit(0);
      output = ssh_cmd(cmd:cmd);
      ssh_close_connection();
     }
     else
     {
      output = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
     }
    
     # Anything that is not a version-like string (leading digit) is treated
     # as "could not determine" and ends the script.
     if ( output !~ "^[0-9]" ) exit(0);
    
     return chomp(output);
    }
    
    # Read the bundle version of QuickTimeStreaming.component and store it in
    # the KB. The key is spelled "QuickTimeSteaming" (sic); it is kept as-is
    # because any consumer of the key has to use the same spelling.
    cmd = GetBundleVersionCmd(file:"QuickTimeStreaming.component", path:"/System/Library/Quicktime");
    buf = exec(cmd:cmd);
    set_kb_item(name:"MacOSX/QuickTimeSteaming/Version", value:buf);
    
    version = split(buf, sep:'.', keep:FALSE);
    
    # Only the 7.x line is evaluated here.
    # NOTE(review): a major version below 7 produces no finding; confirm that
    # is intended for the platforms this update covers.
    if ( int(version[0]) == 7 )
    {
     # 7.0.x, or 7.1.x below 7.1.3: reported without further checks.
     if ( int(version[1]) < 1 ||
          ( int(version[1]) == 1 && int(version[2]) < 3 ) )
     {
      security_warning( 0 );
      exit(0);
     }
    
     # Exactly 7.1.3: the bundle version alone cannot tell patched from
     # unpatched, so the SourceVersion label is compared with 4650200 and
     # anything lower is reported.
     if ( int(version[1]) == 1 && int(version[2]) == 3 )
     {
      cmd = _GetBundleVersionCmd(file:"QuickTimeStreaming.component", path:"/System/Library/Quicktime", label:"SourceVersion");
      buf = exec(cmd:cmd);
      if ( int(buf) < 4650200 ) security_warning(0);
     }
    }
    
    
  • NASL familyWindows
    NASL idQUICKTIME_RTSP_URL_HANDLER_OVERFLOW.NASL
    descriptionA buffer overflow vulnerability exists in the RTSP URL handler in the version of QuickTime installed on the remote host. Using either HTML, JavaScript or a QTL file as an attack vector and an RTSP URL with a long path component, a remote attacker may be able to leverage this issue to execute arbitrary code on the remote host subject to the user's privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id24268
    published2007-02-02
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24268
    titleQuickTime RTSP URL Handler Buffer Overflow (Windows)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Metadata block: when `description` is true the script only records the
    # attributes below and then exits (exit(0) at the end of this block), so the
    # version comparison further down is not reached on that pass.
    if (description)
    {
      script_id(24268);
      script_version("1.23");
    
      # Public identifiers this check is tied to (CVE, Bugtraq ID, CERT xref).
      script_cve_id("CVE-2007-0015");
      script_bugtraq_id(21829);
      script_xref(name:"CERT", value:"442497");
    
      script_name(english:"QuickTime RTSP URL Handler Buffer Overflow (Windows)");
      script_summary(english:"Checks version of QuickTime on Windows");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote version of QuickTime is affected by a buffer overflow
    vulnerability." );
     script_set_attribute(attribute:"description", value:
    "A buffer overflow vulnerability exists in the RTSP URL handler in the
    version of QuickTime installed on the remote host.  Using either HTML,
    JavaScript or a QTL file as an attack vector and an RTSP URL with a 
    long path component, a remote attacker may be able to leverage this 
    issue to execute arbitrary code on the remote host subject to the 
    user's privileges." );
      # http://applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ebb12673" );
     script_set_attribute(attribute:"see_also", value:"http://projects.info-pull.com/moab/MOAB-01-01-2007.html" );
     script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=304989" );
     script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/Security-announce/2007/Jan/msg00000.html" );
     script_set_attribute(attribute:"see_also", value:"https://blogs.flexera.com/vulnerability-management/2007/01/quicktime-update-me-and-stay-vulnerable/" );
     script_set_attribute(attribute:"solution", value:
    "Apply Apple's Security Update 2007-001, which is available via the
    'Apple Software Update' application, installed with the most recent
    version of QuickTime or iTunes." );
     # CVSS v2 base vector: network access vector, medium access complexity, no
     # authentication, partial confidentiality/integrity/availability impact.
     # Temporal vector: E:H (high exploitability), RL:OF (official fix),
     # RC:C (report confirmed).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     # Exploit-maturity flags: public exploits, exploit-framework coverage
     # (Core, Metasploit, CANVAS) and use by malware are all recorded as true.
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/02");
     script_set_attribute(attribute:"vuln_publication_date", value: "2007/01/01");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    # Declared as a "local" plugin scoped to the QuickTime application CPE.
    script_set_attribute(attribute:"plugin_type", value:"local");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:quicktime");
    script_end_attributes();
    
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
     
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: quicktime_installed.nasl and the SMB/QuickTime/Version KB
      # key. NOTE(review): presumably that key is populated by the dependency
      # during a credentialed SMB scan; without it this plugin gives no verdict
      # rather than a clean result. Confirm against the dependency script.
      script_dependencies("quicktime_installed.nasl");
      script_require_keys("SMB/QuickTime/Version");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    
    
    # Fetch the QuickTime version recorded in the KB; with no version there is
    # nothing to compare, so the script ends without a finding.
    ver_ui = get_kb_item("SMB/QuickTime/Version_UI");
    ver = get_kb_item("SMB/QuickTime/Version");
    if (isnull(ver)) exit(0);
    
    # Split the dotted version and convert every component to an integer so the
    # comparisons below are numeric rather than string-based.
    iver = split(ver, sep:'.', keep:FALSE);
    for (i=0; i<max_index(iver); i++)
    {
      iver[i] = int(iver[i]);
    }
    
    # Report any version lower than 7.1.3.191, written out one component at a time.
    # NOTE(review): the last clause reads iver[3]; this assumes the stored
    # version always has four components. Confirm against the script that
    # writes SMB/QuickTime/Version.
    if (
      iver[0] < 7 ||
      (iver[0] == 7 && iver[1] < 1) ||
      (iver[0] == 7 && iver[1] == 1 && iver[2] < 3) ||
      (iver[0] == 7 && iver[1] == 1 && iver[2] == 3 && iver[3] < 191)
    )
    {
      # The installed version is included in the report only when verbosity is
      # above zero and a display version is available.
      if (report_verbosity > 0 && ver_ui)
      {
        report = string(
          "\n",
          "QuickTime ", ver_ui, " is currently installed on the remote host.\n"
        );
        security_warning(port:get_kb_item("SMB/transport"), extra:report);
      }
      else
      {
        security_warning(get_kb_item("SMB/transport"));
      }
    }
    

Packetstorm

Saint

bid21829
descriptionQuickTime rtsp src URL buffer overflow
idmisc_quicktime
osvdb31023
titlequicktime_rtsp_src
typeclient