Vulnerabilities > CVE-2012-3722 - Resource Management Errors vulnerability in Apple mac OS X

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The Sorenson codec in QuickTime in Apple Mac OS X before 10.7.5, and in CoreMedia in iOS before 6, accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with Sorenson encoding.

Vulnerable Configurations

Part Description Count
OS
Apple
251

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyGain a shell remotely
    NASL idAPPLETV_5_1.NASL
    descriptionAccording to its banner, the remote Apple TV 2nd generation or later device has a version of iOS that is prior to 5.1. It is, therefore, reportedly affected by several vulnerabilities : - An uninitialized memory access issue in the handling of Sorenson encoded movie files could lead to arbitrary code execution. (CVE-2012-3722) - Following the DNAv4 protocol, the device may broadcast MAC addresses of previously accessed networks when connecting to a Wi-Fi network. (CVE-2012-3725) - A buffer overflow in libtiff
    last seen2020-06-01
    modified2020-06-02
    plugin id62357
    published2012-09-27
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62357
    titleApple TV < 5.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62357);
      script_version("1.18");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      script_cve_id(
        "CVE-2011-1167",
        "CVE-2011-1944",
        "CVE-2011-2821",
        "CVE-2011-2834",
        "CVE-2011-3026",
        "CVE-2011-3048",
        "CVE-2011-3328",
        "CVE-2011-3919",
        "CVE-2011-4599",
        "CVE-2012-0682",
        "CVE-2012-0683",
        "CVE-2012-1173",
        "CVE-2012-3589",
        "CVE-2012-3590",
        "CVE-2012-3591",
        "CVE-2012-3592",
        "CVE-2012-3678",
        "CVE-2012-3679",
        "CVE-2012-3722",
        "CVE-2012-3725",
        "CVE-2012-3726"
      );
      script_bugtraq_id(
        46951,
        48056,
        49279,
        49658,
        49744,
        51006,
        51300,
        52049,
        52830,
        52891,
        54680,
        56264,
        56268,
        56273
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2012-09-24-1");
    
      script_name(english:"Apple TV < 5.1 Multiple Vulnerabilities");
      script_summary(english:"Checks version in banner");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the remote Apple TV 2nd generation or later
    device has a version of iOS that is prior to 5.1. It is, therefore,
    reportedly affected by several vulnerabilities :
    
      - An uninitialized memory access issue in the handling of
        Sorenson encoded movie files could lead to arbitrary
        code execution. (CVE-2012-3722)
    
      - Following the DNAv4 protocol, the device may broadcast
        MAC addresses of previously accessed networks when
        connecting to a Wi-Fi network. (CVE-2012-3725)
    
      - A buffer overflow in libtiff's handling of ThunderScan
        encoded TIFF images could lead to arbitrary code
        execution. (CVE-2011-1167)
    
      - Multiple memory corruption issues in libpng's handling
        of PNG images could lead to arbitrary code execution.
        (CVE-2011-3026 / CVE-2011-3048 / CVE-2011-3328)
    
      - A double free issue in ImageIO's handling of JPEG
        images could lead to arbitrary code execution.
        (CVE-2012-3726)
    
      - An integer overflow issue in libTIFF's handling of TIFF
        images could lead to arbitrary code execution.
        (CVE-2012-1173)
    
      - A stack-based buffer overflow in the handling of ICU
        locale IDs could lead to arbitrary code execution.
        (CVE-2011-4599)
    
      - Multiple vulnerabilities in libxml could have a variety
        of impacts, including arbitrary code execution.
        (CVE-2011-1944 / CVE-2011-2821 / CVE-2011-2834 /
        CVE-2011-3919)
    
      - Multiple memory corruption issues in JavaScriptCore
        could lead to arbitrary code execution.
        (CVE-2012-0682 / CVE-2012-0683 / CVE-2012-3589 /
        CVE-2012-3590 / CVE-2012-3591 / CVE-2012-3592 /
        CVE-2012-3678 / CVE-2012-3679)");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT202614");
      script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2012/Sep/msg00006.html");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/524229/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Upgrade the Apple TV to iOS 5.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/27");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("appletv_detect.nasl");
      script_require_keys("www/appletv");
      script_require_ports(3689);
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    port = 3689;
    banner = get_http_banner(port:port, broken:TRUE, exit_on_fail:TRUE);
    if (
      "DAAP-Server: iTunes/" >!< banner &&
      "RIPT-Server: iTunesLib/" >!< banner
    ) audit(AUDIT_WRONG_WEB_SERVER, port, 'iTunes');
    
    pat = "^DAAP-Server: iTunes/([0-9][0-9.]+)[a-z]([0-9]+) \((Mac )?OS X\)";
    if (
      "DAAP-Server: iTunes/" >< banner &&
      !egrep(pattern:pat, string:banner)
    ) exit(0, "The web server listening on port "+port+" does not appear to be from iTunes on an Apple TV.");
    
    
    fixed_major = "11.0";
    fixed_minor = "46";
    
    report = "";
    
    # Check first for 3rd gen and recent 2nd gen models.
    matches = egrep(pattern:pat, string:banner);
    if (matches)
    {
      foreach line (split(matches, keep:FALSE))
      {
        match = eregmatch(pattern:pat, string:line);
        if (!isnull(match))
        {
          major = match[1];
          minor = match[2];
    
          if (
            ver_compare(ver:major, fix:fixed_major, strict:FALSE) < 0 ||
            (
              ver_compare(ver:major, fix:fixed_major, strict:FALSE) == 0 &&
              int(minor) < int(fixed_minor)
            )
          )
          {
            report = '\n  Source                   : ' + line +
                     '\n  Installed iTunes version : ' + major + 'd' + minor +
                     '\n  Fixed iTunes version     : ' + fixed_major + 'd' + fixed_minor +
                     '\n';
          }
          break;
        }
      }
    }
    else
    {
      pat2 = "^RIPT-Server: iTunesLib/([0-9]+)\.";
      matches = egrep(pattern:pat2, string:banner);
      if (matches)
      {
        foreach line (split(matches, keep:FALSE))
        {
          match = eregmatch(pattern:pat2, string:line);
          if (!isnull(match))
          {
            major = int(match[1]);
            if (major < 4) exit(0, "The web server listening on port "+port+" is from iTunes on a 1st generation Apple TV, which is no longer supported.");
            else if (major >= 4 && major <= 9)
            {
              report = '\n  Source : ' + line +
                       '\n';
            }
            break;
          }
        }
      }
    }
    
    
    if (report)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:report);
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2012-004.NASL
    descriptionThe remote host is running a version of Mac OS X 10.6 that does not have Security Update 2012-004 applied. This update contains multiple security-related fixes for the following components : - Apache - Data Security - DirectoryService - ImageIO - International Components for Unicode - Mail - PHP - QuickLook - QuickTime - Ruby
    last seen2020-06-01
    modified2020-06-02
    plugin id62213
    published2012-09-20
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62213
    titleMac OS X Multiple Vulnerabilities (Security Update 2012-004) (BEAST)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(62213);
      script_version("1.26");
      script_cvs_date("Date: 2018/07/16 12:48:31");
    
      script_cve_id(
        "CVE-2011-3026",
        "CVE-2011-3048",
        "CVE-2011-3368",
        "CVE-2011-3389",
        "CVE-2011-3607",
        "CVE-2011-4317",
        "CVE-2011-4599",
        "CVE-2012-0021",
        "CVE-2012-0031",
        "CVE-2012-0053",
        "CVE-2012-0650",
        "CVE-2012-0668",
        "CVE-2012-0670",
        "CVE-2012-0671",
        "CVE-2012-0831",
        "CVE-2012-1172",
        "CVE-2012-1173",
        "CVE-2012-1667",
        "CVE-2012-1823",
        "CVE-2012-2143",
        "CVE-2012-2311",
        "CVE-2012-2386",
        "CVE-2012-2688",
        "CVE-2012-3719",
        "CVE-2012-3722"
      );
      script_bugtraq_id(
        47545,
        49778,
        49957,
        50494,
        50802,
        51006,
        51407,
        51705,
        51706,
        51954,
        52049,
        52830,
        52891,
        53388,
        53403,
        53579,
        53582,
        53584,
        53729,
        53772,
        54638,
        56240,
        56241
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2012-09-19-2");
      script_xref(name:"CERT", value:"864643");
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2012-004) (BEAST)");
      script_summary(english:"Check for the presence of Security Update 2012-004.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes multiple
    security vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is running a version of Mac OS X 10.6 that does not
    have Security Update 2012-004 applied. This update contains multiple
    security-related fixes for the following components :
    
      - Apache
      - Data Security
      - DirectoryService
      - ImageIO
      - International Components for Unicode
      - Mail
      - PHP
      - QuickLook
      - QuickTime
      - Ruby"
      );
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-185/");
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2012/Nov/111");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5501");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
      script_set_attribute(attribute:"solution", value:"Install Security Update 2012-004 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP CGI Argument Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    if (!ereg(pattern:"Mac OS X 10\.6([^0-9]|$)", string:os)) audit(AUDIT_OS_NOT, "Mac OS X 10.6");
    
    packages = get_kb_item_or_exit("Host/MacOSX/packages/boms", exit_code:1);
    if (
      egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2012\.00[4-9]|201[3-9]\.[0-9]+)(\.snowleopard[0-9.]*)?\.bom", string:packages) ||
      egrep(pattern:"^com\.apple\.pkg\.update\.security\.2012\.004(\.snowleopard)?\.1\.0\.bom", string:packages)
    ) exit(0, "The host has Security Update 2012-004 or later installed and is therefore not affected.");
    else
    {
      if (report_verbosity > 0)
      {
        security_boms = egrep(pattern:"^com\.apple\.pkg\.update\.security", string:packages);
    
        report = '\n  Installed security updates : ';
        if (security_boms) report += str_replace(find:'\n', replace:'\n                               ', string:security_boms);
        else report += 'n/a';
        report += '\n';
    
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_7_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.5. The newer version contains multiple security-related fixes for the following components : - Apache - BIND - CoreText - Data Security - ImageIO - Installer - International Components for Unicode - Kernel - Mail - PHP - Profile Manager - QuickLook - QuickTime - Ruby - USB
    last seen2020-06-01
    modified2020-06-02
    plugin id62214
    published2012-09-20
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62214
    titleMac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62214);
      script_version("1.23");
      script_cvs_date("Date: 2018/07/16 12:48:31");
    
      script_cve_id(
        "CVE-2011-3026",
        "CVE-2011-3048",
        "CVE-2011-3368",
        "CVE-2011-3389",
        "CVE-2011-3607",
        "CVE-2011-4313",
        "CVE-2011-4317",
        "CVE-2011-4599",
        "CVE-2012-0021",
        "CVE-2012-0031",
        "CVE-2012-0053",
        "CVE-2012-0643",
        "CVE-2012-0652",
        "CVE-2012-0668",
        "CVE-2012-0670",
        "CVE-2012-0671",
        "CVE-2012-0831",
        "CVE-2012-1172",
        "CVE-2012-1173",
        "CVE-2012-1667",
        "CVE-2012-1823",
        "CVE-2012-2143",
        "CVE-2012-2311",
        "CVE-2012-2386",
        "CVE-2012-2688",
        "CVE-2012-3716",
        "CVE-2012-3719",
        "CVE-2012-3721",
        "CVE-2012-3722",
        "CVE-2012-3723"
      );
      script_bugtraq_id(
        47545,
        49778,
        49957,
        50494,
        50690,
        50802,
        51006,
        51407,
        51705,
        51706,
        51954,
        52049,
        52364,
        52830,
        52891,
        53388,
        53403,
        53445,
        53457,
        53579,
        53582,
        53584,
        53729,
        53772,
        54638,
        56241,
        56244,
        56246,
        56247
      );
      script_xref(name:"CERT", value:"864643");
    
      script_name(english:"Mac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)");
      script_summary(english:"Check the version of Mac OS X.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes multiple
    security vulnerabilities."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.7.x that is prior
    to 10.7.5. The newer version contains multiple security-related fixes
    for the following components :
    
      - Apache
      - BIND
      - CoreText
      - Data Security
      - ImageIO
      - Installer
      - International Components for Unicode
      - Kernel
      - Mail
      - PHP
      - Profile Manager
      - QuickLook
      - QuickTime
      - Ruby
      - USB"
      );
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/bugtraq/2012/Sep/94");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5501");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
      script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.7.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP CGI Argument Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/20");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
     
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    if (ereg(pattern:"Mac OS X 10\.7($|\.[0-4]([^0-9]|$))", string:os)) security_hole(0);
    else exit(0, "The host is not affected as it is running "+os+".");