CVE-2011-0257 - Numeric Errors vulnerability in Apple QuickTime

047910
CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, apple, CWE-189, critical, nessus, exploit available, metasploit

Summary

Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow.

Common Weakness Enumeration (CWE)

Exploit-Db

description: Apple QuickTime PICT PnSize Buffer Overflow. CVE-2011-0257. Local exploit for Windows platform
file: exploits/windows/local/17777.rb
id: EDB-ID:17777
last seen: 2016-02-02
modified: 2011-09-03
platform: windows
port:
published: 2011-09-03
reporter: metasploit
source: https://www.exploit-db.com/download/17777/
title: Apple QuickTime PICT PnSize Buffer Overflow
type: local

Metasploit

description: This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.
id: MSF:EXPLOIT/WINDOWS/FILEFORMAT/APPLE_QUICKTIME_PNSIZE
last seen: 2020-06-07
modified: 2020-01-15
published: 2011-09-03
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0257
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb
title: Apple QuickTime PICT PnSize Buffer Overflow

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_QUICKTIME77.NASL
    description: The version of QuickTime installed on the remote Mac OS X host is older than 7.7. As such, it reportedly may be affected by the following vulnerabilities : - A buffer overflow in QuickTime
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55763
    published: 2011-08-04
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55763
    title: QuickTime < 7.7 Multiple Vulnerabilities (Mac OS X)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (NASL_LEVEL < 3000) exit(0);
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55763);
      script_version("1.19");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id(
        "CVE-2011-0186",
        "CVE-2011-0187",
        "CVE-2011-0209",
        "CVE-2011-0210",
        "CVE-2011-0211",
        "CVE-2011-0213",
        "CVE-2011-0245",
        "CVE-2011-0249",
        "CVE-2011-0250",
        "CVE-2011-0251",
        "CVE-2011-0252",
        "CVE-2011-0256",
        "CVE-2011-0257"
      );
      script_bugtraq_id(
        46992,
        46995,
        48419,
        48420,
        48430,
        48442,
        49028,
        49034,
        49035,
        49036,
        49038,
        49144,
        49170
      );
    
      script_name(english:"QuickTime < 7.7 Multiple Vulnerabilities (Mac OS X)");
      script_summary(english:"Checks version of QuickTime on Mac OS X");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Mac OS X host contains an application that may be affected by
    multiple vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of QuickTime installed on the remote Mac OS X host is
    older than 7.7.  As such, it reportedly may be affected by the
    following vulnerabilities :
    
      - A buffer overflow in QuickTime's handling of pict files
        may lead to an application crash or arbitrary code
        execution. (CVE-2011-0245)
    
      - A buffer overflow in QuickTime's handling of JPEG2000
        files may lead to an application crash or arbitrary
        code execution. (CVE-2011-0186)
    
      - A cross-origin issue in QuickTime plug-in's handling of
        cross-site redirects may lead to disclosure of video
        data from another site. (CVE-2011-0187)
    
      - An integer overflow in QuickTime's handling of RIFF WAV
        files may lead to an application crash or arbitrary
        code execution. (CVE-2011-0209)
    
      - A memory corruption issue in QuickTime's handling of
        sample tables in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0210)
    
      - An integer overflow in QuickTime's handling of audio
        channels in movie files may lead to an application
        crash or arbitrary code execution. (CVE-2011-0211)
    
      - A buffer overflow in QuickTime's handling of JPEG files
        may lead to an application crash or arbitrary code
        execution. (CVE-2011-0213)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STSC atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0249)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STSS atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0250)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STSZ atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0251)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STTS atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0252)
    
      - A stack-based buffer overflow in QuickTime's handling of
        PICT files may lead to an application crash or arbitrary
        code execution. (CVE-2011-0257)
    
      - An integer overflow in QuickTime's handling of track run
        atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0256)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-254/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-257/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-258/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-259/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.apple.com/kb/HT4826"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.apple.com/archives/security-announce/2011/Aug/msg00000.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to QuickTime 7.7 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apple QuickTime PICT PnSize Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/08/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/04");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:quicktime");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("macosx_Quicktime652.nasl", "ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "MacOSX/QuickTime/Version");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    
    
    # Mac OS X 10.5 only.
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) exit(0, "The host does not appear to be running Mac OS X.");
    if (!ereg(pattern:"Mac OS X 10\.5([^0-9]|$)", string:os)) 
      exit(0, "The host is running "+os+" and therefore is not affected.");
    
    
    version = get_kb_item_or_exit("MacOSX/QuickTime/Version");
    fixed_version = "7.7";
    
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
      {
        report = 
          '\n  Installed version : ' + version + 
          '\n  Fixed version     : ' + fixed_version + '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    else exit(0, "The remote host is not affected since QuickTime "+version+" is installed.");
    
  • NASL family: Windows
    NASL id: QUICKTIME_77.NASL
    description: The version of QuickTime installed on the remote Windows host is older than 7.7. As such, it reportedly may be affected by the following vulnerabilities : - A buffer overflow in QuickTime
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55764
    published: 2011-08-04
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55764
    title: QuickTime < 7.7 Multiple Vulnerabilities (Windows)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55764);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id(
        "CVE-2011-0186",
        "CVE-2011-0187",
        "CVE-2011-0209",
        "CVE-2011-0210",
        "CVE-2011-0211",
        "CVE-2011-0213",
        "CVE-2011-0245",
        "CVE-2011-0246",
        "CVE-2011-0247",
        "CVE-2011-0248",
        "CVE-2011-0249",
        "CVE-2011-0250",
        "CVE-2011-0251",
        "CVE-2011-0252",
        "CVE-2011-0256",
        "CVE-2011-0257",
        "CVE-2011-0258"
      );
      script_bugtraq_id(
        46992,
        46995,
        48419,
        48420,
        48430,
        48442,
        49028,
        49029,
        49030,
        49031,
        49034,
        49035,
        49036,
        49038,
        49144,
        49170,
        49396
      );
    
      script_name(english:"QuickTime < 7.7 Multiple Vulnerabilities (Windows)");
      script_summary(english:"Checks version of QuickTime on Windows");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Windows host contains an application that may be
    affected by multiple vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of QuickTime installed on the remote Windows host is
    older than 7.7.  As such, it reportedly may be affected by the
    following vulnerabilities :
    
      - A buffer overflow in QuickTime's handling of pict files
        may lead to an application crash or arbitrary code
        execution. (CVE-2011-0245)
    
      - A buffer overflow in QuickTime's handling of JPEG2000
        files may lead to an application crash or arbitrary
        code execution. (CVE-2011-0186)
    
      - A cross-origin issue in QuickTime plug-in's handling of
        cross-site redirects may lead to disclosure of video
        data from another site. (CVE-2011-0187)
    
      - An integer overflow in QuickTime's handling of RIFF WAV
        files may lead to an application crash or arbitrary
        code execution. (CVE-2011-0209)
    
      - A memory corruption issue in QuickTime's handling of
        sample tables in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0210)
    
      - An integer overflow in QuickTime's handling of audio
        channels in movie files may lead to an application
        crash or arbitrary code execution. (CVE-2011-0211)
    
      - A buffer overflow in QuickTime's handling of JPEG files
        may lead to an application crash or arbitrary code
        execution. (CVE-2011-0213)
    
      - A heap-based buffer overflow in QuickTime's handling of
        GIF files may lead to an application crash or arbitrary
        code execution. (CVE-2011-0246)
    
      - Multiple stack-based buffer overflows in QuickTime's
        handling of H.264 encoded movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0247)
    
      - A stack-based buffer overflow in the QuickTime ActiveX's
        handling of QTL files may lead to an application crash
        or arbitrary code execution. (CVE-2011-0248)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STSC atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0249)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STSS atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0250)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STSZ atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0251)
    
      - A heap-based buffer overflow in QuickTime's handling of
        STTS atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0252)
    
      - A stack-based buffer overflow in QuickTime's handling of
        PICT files may lead to an application crash or arbitrary
        code execution. (CVE-2011-0257)
    
      - An integer overflow in QuickTime's handling of track run
        atoms in QuickTime movie files may lead to an
        application crash or arbitrary code execution.
        (CVE-2011-0256)
    
      - Memory corruption in Quicktime's handling of mp4v codec
        information. (CVE-2011-0258)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-254/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.zerodayinitiative.com/advisories/ZDI-11-255/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.zerodayinitiative.com/advisories/ZDI-11-256/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-257/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-258/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.zerodayinitiative.com/advisories/ZDI-11-259/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.zerodayinitiative.com/advisories/ZDI-11-277/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.apple.com/kb/HT4826"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.apple.com/archives/security-announce/2011/Aug/msg00000.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to QuickTime 7.7 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apple QuickTime PICT PnSize Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/08/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/04");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:quicktime");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("quicktime_installed.nasl");
      script_require_keys("SMB/QuickTime/Version");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    kb_base = "SMB/QuickTime/";
    
    version = get_kb_item_or_exit(kb_base+"Version");
    version_ui = get_kb_item(kb_base+"Version_UI");
    
    if (isnull(version_ui)) version_report = version;
    else version_report = version_ui;
    
    fixed_version = "7.70.80.34";
    fixed_version_ui = "7.7 (1680.34)";
    
    if (ver_compare(ver:version, fix:fixed_version) == -1)
    {
      if (report_verbosity > 0)
      {
        path = get_kb_item(kb_base+"Path");
        if (isnull(path)) path = 'n/a';
    
        report =
          '\n  Path              : '+path+
          '\n  Installed version : '+version_report+
          '\n  Fixed version     : '+fixed_version_ui+'\n';
        security_hole(port:get_kb_item("SMB/transport"), extra:report);
      }
      else security_hole(get_kb_item("SMB/transport"));
    }
    else exit(0, "The host is not affected since QuickTime "+version_report+" is installed.");
    

Oval

accepted: 2013-07-29T04:00:29.942-04:00
class: vulnerability
contributors:
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Maria Kedovskaya
    organization: ALTX-SOFT
definition_extensions:
  comment: Apple QuickTime is installed
  oval: oval:org.mitre.oval:def:12443
description: Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow.
family: windows
id: oval:org.mitre.oval:def:16059
status: accepted
submitted: 2012-12-11T16:37:33.623-05:00
title: in a PICT file
version: 7

Packetstorm

Saint

bid: 49144
description: QuickTime PICT PnSize Stack Overflow
id: misc_quicktime
osvdb: 74687
title: quicktime_pict_pnsize
type: client

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:72057
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-72057
    title: Apple QuickTime PICT PnSize Buffer Overflow
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:24227
    last seen: 2017-11-19
    modified: 2011-11-21
    published: 2011-11-21
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-24227
    title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
  • bulletinFamily: exploit
    description: Bugtraq ID: 49144. CVE ID: CVE-2011-0257. Apple QuickTime is a popular multimedia player. Apple QuickTime has a flaw in its handling of the PnSize PICT opcode: it converts an unsigned 16-bit value into a 32-bit value, which is then used as the size argument of a memory copy function that copies file data onto the stack. The result is a stack-based buffer overflow that allows arbitrary code execution in the context of the current user.
    Affected versions: Apple QuickTime Player 7.6.8; 7.6.7; 7.6.6 (1671); 7.6.6; 7.6.5; 7.6.4; 7.6.2; 7.6.1; 7.5.5 (+ Apple Mac OS X 10.4.9, + Apple Mac OS X 10.3.9, + Apple Mac OS X 10.5, + Apple Mac OS X Server 10.4.9, + Apple Mac OS X Server 10.3.9, + Apple Mac OS X Server 10.5); 7.4.5 (+ Apple Mac OS X 10.4.9, + Apple Mac OS X 10.3.9, + Apple Mac OS X 10.5, + Apple Mac OS X Server 10.4.9, + Apple Mac OS X Server 10.3.9, + Apple Mac OS X Server 10.5); 7.4.1; 7.64.17.73; 7.6.9; 7.6; 7.5; 7.4.
    Vendor solution: Apple QuickTime Player 7.7 fixes this vulnerability; users are advised to download and install it from: http://support.apple.com/kb/HT4826
    id: SSV:20850
    last seen: 2017-11-19
    modified: 2011-08-15
    published: 2011-08-15
    reporter: Root
    title: Apple QuickTime PICT File Stack Buffer Overflow Vulnerability