CVE-2007-2175 - Unspecified vulnerability in Apple Safari

CVSS 7.6 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, high complexity, apple, nessus, exploit available, metasploit

Summary

Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007.

Vulnerable Configurations

Part         Description  Count
Application  Apple        1

Exploit-Db

  • description: Apple QTJava toQTPointer() Arbitrary Memory Access. CVE-2007-2175. Remote exploits for multiple platform
    id: EDB-ID:16295
    last seen: 2016-02-01
    modified: 2010-09-20
    published: 2010-09-20
    reporter: metasploit
    source: https://www.exploit-db.com/download/16295/
    title: Apple QTJava toQTPointer Arbitrary Memory Access
  • description: Apple Quicktime for Java 7 Memory Access. CVE-2007-2175. Remote exploits for multiple platform
    id: EDB-ID:9943
    last seen: 2016-02-01
    modified: 2007-04-23
    published: 2007-04-23
    reporter: H D Moore
    source: https://www.exploit-db.com/download/9943/
    title: Apple Quicktime for Java 7 - Memory Access
  • description: Apple Quicktime 7.1.5 QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability. CVE-2007-2175. Remote exploits for multiple platform
    id: EDB-ID:29884
    last seen: 2016-02-03
    modified: 2007-04-23
    published: 2007-04-23
    reporter: Shane Macaulay
    source: https://www.exploit-db.com/download/29884/
    title: Apple Quicktime <= 7.1.5 QTJava toQTPointer Java Handling Arbitrary Code Execution Vulnerability

Metasploit

description: This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7.
id: MSF:EXPLOIT/MULTI/BROWSER/QTJAVA_POINTER
last seen: 2020-06-14
modified: 2017-07-24
published: 2007-05-29
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2175
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/qtjava_pointer.rb
title: Apple QTJava toQTPointer() Arbitrary Memory Access

Nessus

  • NASL family: Windows
    NASL id: QUICKTIME_716.NASL
    description: According to its version, the installation of QuickTime on the remote Windows host contains a bug that might allow a rogue Java program to write anywhere in the heap. An attacker may be able to leverage this issue to execute arbitrary code on the remote host by luring a victim into visiting a rogue page containing a malicious Java applet.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25123
    published: 2007-05-02
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25123
    title: QuickTime < 7.1.6 quicktime.util.QTHandleRef toQTPointer Method Arbitrary Code Execution (Windows)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25123);
      script_version("1.15");
    
      script_cve_id("CVE-2007-2175");
      script_bugtraq_id(23608);
    
      script_name(english:"QuickTime < 7.1.6 quicktime.util.QTHandleRef toQTPointer Method Arbitrary Code Execution (Windows)");
      script_summary(english:"Checks version of QuickTime on Windows");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains an application that is prone to
    multiple attacks." );
     script_set_attribute(attribute:"description", value:
    "According to its version, the installation of QuickTime on the remote
    Windows host contains a bug that might allow a rogue Java program to
    write anywhere in the heap. 
    
    An attacker may be able to leverage this issue to execute arbitrary
    code on the remote host by luring a victim into visiting a rogue page
    containing a malicious Java applet." );
     script_set_attribute(attribute:"see_also", value:"https://support.apple.com/?artnum=305446" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to QuickTime version 7.1.6 or later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Apple QTJava toQTPointer() Arbitrary Memory Access');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/05/02");
     script_set_attribute(attribute:"vuln_publication_date", value: "2007/04/24");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    script_set_attribute(attribute:"plugin_type", value:"local");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:quicktime");
    script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
      script_dependencies("quicktime_installed.nasl");
      script_require_keys("SMB/QuickTime/Version");
      exit(0);
    }
    
    
    ver = get_kb_item("SMB/QuickTime/Version");
    if (
      ver && 
      ver =~ "^([0-6]\.|7\.(0\.|1\.[0-5]([^0-9]|$)))"
    ) security_hole(get_kb_item("SMB/transport"));
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_QUICKTIME716.NASL
    description: According to its version, the installation of Quicktime on the remote Mac OS X host contains a bug which might allow a rogue Java program to write anywhere in the heap. An attacker may be able to leverage these issues to execute arbitrary code on the remote host by luring a victim into visiting a rogue page containing a malicious Java applet.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25122
    published: 2007-05-02
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25122
    title: Quicktime < 7.1.6 quicktime.util.QTHandleRef toQTPointer Method Arbitrary Code Execution (Mac OS X)

Packetstorm

data source: https://packetstormsecurity.com/files/download/82265/qtjava_pointer.rb.txt
id: PACKETSTORM:82265
last seen: 2016-12-05
published: 2009-10-27
reporter: H D Moore
source: https://packetstormsecurity.com/files/82265/Apple-QTJava-toQTPointer-Arbitrary-Memory-Access.html
title: Apple QTJava toQTPointer() Arbitrary Memory Access