Vulnerabilities > CVE-2012-3722 - Resource Management Errors vulnerability in Apple iPhone OS, Mac OS X and Mac OS X Server

047910
CVSS v2 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
apple
CWE-399
nessus

Summary

The Sorenson codec in QuickTime in Apple Mac OS X before 10.7.5, and in CoreMedia in iOS before 6, accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with Sorenson encoding.

Vulnerable Configurations

Part Description Count
OS
Apple
248

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Gain a shell remotely
    NASL id: APPLETV_5_1.NASL
    description: According to its banner, the remote Apple TV 2nd generation or later device has a version of iOS that is prior to 5.1. It is, therefore, reportedly affected by several vulnerabilities : - An uninitialized memory access issue in the handling of Sorenson encoded movie files could lead to arbitrary code execution. (CVE-2012-3722) - Following the DNAv4 protocol, the device may broadcast MAC addresses of previously accessed networks when connecting to a Wi-Fi network. (CVE-2012-3725) - A buffer overflow in libtiff […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62357
    published: 2012-09-27
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62357
    title: Apple TV < 5.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: runs only when `description` is set. It declares the
    # plugin's metadata and then exits (exit(0) at the end of the block), so the
    # banner request further down is never reached on this path.
    if (description)
    {
      script_id(62357);
      script_version("1.18");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      # Every CVE attributed to this one banner-version check. The script raises
      # a single finding for the whole list, not one finding per CVE.
      script_cve_id(
        "CVE-2011-1167",
        "CVE-2011-1944",
        "CVE-2011-2821",
        "CVE-2011-2834",
        "CVE-2011-3026",
        "CVE-2011-3048",
        "CVE-2011-3328",
        "CVE-2011-3919",
        "CVE-2011-4599",
        "CVE-2012-0682",
        "CVE-2012-0683",
        "CVE-2012-1173",
        "CVE-2012-3589",
        "CVE-2012-3590",
        "CVE-2012-3591",
        "CVE-2012-3592",
        "CVE-2012-3678",
        "CVE-2012-3679",
        "CVE-2012-3722",
        "CVE-2012-3725",
        "CVE-2012-3726"
      );
      script_bugtraq_id(
        46951,
        48056,
        49279,
        49658,
        49744,
        51006,
        51300,
        52049,
        52830,
        52891,
        54680,
        56264,
        56268,
        56273
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2012-09-24-1");
    
      script_name(english:"Apple TV < 5.1 Multiple Vulnerabilities");
      script_summary(english:"Checks version in banner");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by multiple vulnerabilities.");
      # The wording "According to its banner ... reportedly affected" matters:
      # the verdict is derived from an advertised version, not from testing any
      # of the flaws listed below.
      script_set_attribute(attribute:"description", value:
    "According to its banner, the remote Apple TV 2nd generation or later
    device has a version of iOS that is prior to 5.1. It is, therefore,
    reportedly affected by several vulnerabilities :
    
      - An uninitialized memory access issue in the handling of
        Sorenson encoded movie files could lead to arbitrary
        code execution. (CVE-2012-3722)
    
      - Following the DNAv4 protocol, the device may broadcast
        MAC addresses of previously accessed networks when
        connecting to a Wi-Fi network. (CVE-2012-3725)
    
      - A buffer overflow in libtiff's handling of ThunderScan
        encoded TIFF images could lead to arbitrary code
        execution. (CVE-2011-1167)
    
      - Multiple memory corruption issues in libpng's handling
        of PNG images could lead to arbitrary code execution.
        (CVE-2011-3026 / CVE-2011-3048 / CVE-2011-3328)
    
      - A double free issue in ImageIO's handling of JPEG
        images could lead to arbitrary code execution.
        (CVE-2012-3726)
    
      - An integer overflow issue in libTIFF's handling of TIFF
        images could lead to arbitrary code execution.
        (CVE-2012-1173)
    
      - A stack-based buffer overflow in the handling of ICU
        locale IDs could lead to arbitrary code execution.
        (CVE-2011-4599)
    
      - Multiple vulnerabilities in libxml could have a variety
        of impacts, including arbitrary code execution.
        (CVE-2011-1944 / CVE-2011-2821 / CVE-2011-2834 /
        CVE-2011-3919)
    
      - Multiple memory corruption issues in JavaScriptCore
        could lead to arbitrary code execution.
        (CVE-2012-0682 / CVE-2012-0683 / CVE-2012-3589 /
        CVE-2012-3590 / CVE-2012-3591 / CVE-2012-3592 /
        CVE-2012-3678 / CVE-2012-3679)");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT202614");
      script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2012/Sep/msg00006.html");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/524229/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Upgrade the Apple TV to iOS 5.1 or later.");
      # NOTE(review): one CVSS v2 vector (complete C/I/A impact) is declared for
      # the whole bundle. Individual CVEs in the list may be scored lower, so
      # confirm the per-CVE score before prioritising on a single entry such as
      # CVE-2012-3722.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      # NOTE(review): these exploit flags are set once for the plugin; they do
      # not say which of the listed CVEs has a public exploit.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/27");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
      script_end_attributes();
    
      # Declared as an information-gathering plugin; the family string below is
      # a classification label for the findings, not a description of what the
      # script itself does.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: the detection plugin, the "www/appletv" KB key
      # (presumably set by appletv_detect.nasl - verify) and port 3689.
      script_dependencies("appletv_detect.nasl");
      script_require_keys("www/appletv");
      script_require_ports(3689);
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    # Version check for Apple TV that relies only on the HTTP banner served on
    # port 3689. No request other than the banner fetch is made, so the verdict
    # is only as reliable as the advertised version string.
    port = 3689;
    banner = get_http_banner(port:port, broken:TRUE, exit_on_fail:TRUE);
    
    has_daap = "DAAP-Server: iTunes/" >< banner;
    has_ript = "RIPT-Server: iTunesLib/" >< banner;
    if (!has_daap && !has_ript) audit(AUDIT_WRONG_WEB_SERVER, port, 'iTunes');
    
    # A DAAP-Server header is accepted only in the "(Mac )OS X" form with a
    # <major><letter><minor> version; any other DAAP banner ends the check.
    pat = "^DAAP-Server: iTunes/([0-9][0-9.]+)[a-z]([0-9]+) \((Mac )?OS X\)";
    matches = egrep(pattern:pat, string:banner);
    if (has_daap && !matches)
      exit(0, "The web server listening on port "+port+" does not appear to be from iTunes on an Apple TV.");
    
    
    # Fixed build expressed as major version plus the number after the letter.
    fixed_major = "11.0";
    fixed_minor = "46";
    
    report = "";
    
    if (matches)
    {
      # 3rd generation and recent 2nd generation models (DAAP-Server banner).
      # Only the first line that parses is evaluated.
      foreach line (split(matches, keep:FALSE))
      {
        match = eregmatch(pattern:pat, string:line);
        if (!isnull(match))
        {
          major = match[1];
          minor = match[2];
          major_cmp = ver_compare(ver:major, fix:fixed_major, strict:FALSE);
    
          # Older major version, or same major with a lower trailing number.
          if (major_cmp < 0 || (major_cmp == 0 && int(minor) < int(fixed_minor)))
          {
            # NOTE(review): the separator is always printed as 'd', although
            # the pattern accepts any lowercase letter in that position.
            report = '\n  Source                   : ' + line +
                     '\n  Installed iTunes version : ' + major + 'd' + minor +
                     '\n  Fixed iTunes version     : ' + fixed_major + 'd' + fixed_minor +
                     '\n';
          }
          break;
        }
      }
    }
    else
    {
      # Fallback: RIPT-Server banner, where only the major number is compared.
      pat2 = "^RIPT-Server: iTunesLib/([0-9]+)\.";
      matches = egrep(pattern:pat2, string:banner);
      if (matches)
      {
        foreach line (split(matches, keep:FALSE))
        {
          match = eregmatch(pattern:pat2, string:line);
          if (!isnull(match))
          {
            major = int(match[1]);
            if (major < 4) exit(0, "The web server listening on port "+port+" is from iTunes on a 1st generation Apple TV, which is no longer supported.");
    
            # Majors 4 through 9 are reported without an installed/fixed
            # version pair; 10 and above produce no report.
            if (major <= 9)
            {
              report = '\n  Source : ' + line +
                       '\n';
            }
            break;
          }
        }
      }
    }
    
    
    # No report text means nothing was flagged.
    if (!report) audit(AUDIT_HOST_NOT, "affected");
    
    # The finding is attached to port 0 rather than to the banner port.
    if (report_verbosity > 0) security_hole(port:0, extra:report);
    else security_hole(0);
    exit(0);
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2012-004.NASL
    description: The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2012-004 applied. This update contains multiple security-related fixes for the following components : - Apache - Data Security - DirectoryService - ImageIO - International Components for Unicode - Mail - PHP - QuickLook - QuickTime - Ruby
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62213
    published: 2012-09-20
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62213
    title: Mac OS X Multiple Vulnerabilities (Security Update 2012-004) (BEAST)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    # Registration block: runs only when `description` is set. It declares the
    # plugin's metadata and then exits (exit(0) at the end of the block), so no
    # KB lookup below is reached on this path.
    if (description)
    {
      script_id(62213);
      script_version("1.26");
      script_cvs_date("Date: 2018/07/16 12:48:31");
    
      # Every CVE attributed to the missing security update. The script raises
      # one finding for the whole list; CVE-2012-3722 is one entry among many.
      script_cve_id(
        "CVE-2011-3026",
        "CVE-2011-3048",
        "CVE-2011-3368",
        "CVE-2011-3389",
        "CVE-2011-3607",
        "CVE-2011-4317",
        "CVE-2011-4599",
        "CVE-2012-0021",
        "CVE-2012-0031",
        "CVE-2012-0053",
        "CVE-2012-0650",
        "CVE-2012-0668",
        "CVE-2012-0670",
        "CVE-2012-0671",
        "CVE-2012-0831",
        "CVE-2012-1172",
        "CVE-2012-1173",
        "CVE-2012-1667",
        "CVE-2012-1823",
        "CVE-2012-2143",
        "CVE-2012-2311",
        "CVE-2012-2386",
        "CVE-2012-2688",
        "CVE-2012-3719",
        "CVE-2012-3722"
      );
      script_bugtraq_id(
        47545,
        49778,
        49957,
        50494,
        50802,
        51006,
        51407,
        51705,
        51706,
        51954,
        52049,
        52830,
        52891,
        53388,
        53403,
        53579,
        53582,
        53584,
        53729,
        53772,
        54638,
        56240,
        56241
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2012-09-19-2");
      script_xref(name:"CERT", value:"864643");
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2012-004) (BEAST)");
      script_summary(english:"Check for the presence of Security Update 2012-004.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes multiple
    security vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is running a version of Mac OS X 10.6 that does not
    have Security Update 2012-004 applied. This update contains multiple
    security-related fixes for the following components :
    
      - Apache
      - Data Security
      - DirectoryService
      - ImageIO
      - International Components for Unicode
      - Mail
      - PHP
      - QuickLook
      - QuickTime
      - Ruby"
      );
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-185/");
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2012/Nov/111");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5501");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
      script_set_attribute(attribute:"solution", value:"Install Security Update 2012-004 or later.");
      # NOTE(review): one CVSS v2 vector (low complexity, complete C/I/A impact)
      # is declared for the whole bundle. Individual CVEs in the list may be
      # scored lower, so confirm the per-CVE score before prioritising on a
      # single entry such as CVE-2012-3722.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # NOTE(review): the exploit, framework and malware flags below are set
      # once for the plugin. The only module named is 'PHP CGI Argument
      # Injection', which presumably relates to the PHP entry in the CVE list
      # (CVE-2012-1823 - confirm) and not to the QuickTime issue.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP CGI Argument Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/20");
    
      # "local": the verdict comes from data collected on the host (see the
      # required KB keys below), not from a network probe.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: local checks enabled plus the OS version and package
      # list KB keys (presumably populated by ssh_get_info.nasl - verify).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Local check: flags a Mac OS X 10.6 host whose package list
    # (Host/MacOSX/packages/boms) shows neither Security Update 2012-004 nor
    # any later security update.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Scope: only 10.6 is evaluated; every other release is audited out.
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    if (!ereg(pattern:"Mac OS X 10\.6([^0-9]|$)", string:os)) audit(AUDIT_OS_NOT, "Mac OS X 10.6");
    
    packages = get_kb_item_or_exit("Host/MacOSX/packages/boms", exit_code:1);
    
    # First pattern: update 2012-004 through 2012-009 or any 2013-2019 update,
    # with an optional ".snowleopard..." suffix. Second pattern: the
    # "2012.004[.snowleopard].1.0.bom" naming.
    later_update_pat = "^com\.apple\.pkg\.update\.security\.(2012\.00[4-9]|201[3-9]\.[0-9]+)(\.snowleopard[0-9.]*)?\.bom";
    this_update_pat = "^com\.apple\.pkg\.update\.security\.2012\.004(\.snowleopard)?\.1\.0\.bom";
    if (
      egrep(pattern:later_update_pat, string:packages) ||
      egrep(pattern:this_update_pat, string:packages)
    ) exit(0, "The host has Security Update 2012-004 or later installed and is therefore not affected.");
    
    # Reaching this point means no qualifying update was found.
    if (report_verbosity > 0)
    {
      # List whichever security updates are present so the gap is visible.
      security_boms = egrep(pattern:"^com\.apple\.pkg\.update\.security", string:packages);
    
      if (security_boms) installed = str_replace(find:'\n', replace:'\n                               ', string:security_boms);
      else installed = 'n/a';
      report = '\n  Installed security updates : ' + installed + '\n';
    
      security_hole(port:0, extra:report);
    }
    else security_hole(0);
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_7_5.NASL
    description: The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.5. The newer version contains multiple security-related fixes for the following components : - Apache - BIND - CoreText - Data Security - ImageIO - Installer - International Components for Unicode - Kernel - Mail - PHP - Profile Manager - QuickLook - QuickTime - Ruby - USB
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62214
    published: 2012-09-20
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62214
    title: Mac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: runs only when `description` is set. It declares the
    # plugin's metadata and then exits (exit(0) at the end of the block), so no
    # KB lookup below is reached on this path.
    if (description)
    {
      script_id(62214);
      script_version("1.23");
      script_cvs_date("Date: 2018/07/16 12:48:31");
    
      # Every CVE attributed to running a 10.7.x release older than 10.7.5. The
      # script raises one finding for the whole list; CVE-2012-3722 is one entry
      # among many.
      script_cve_id(
        "CVE-2011-3026",
        "CVE-2011-3048",
        "CVE-2011-3368",
        "CVE-2011-3389",
        "CVE-2011-3607",
        "CVE-2011-4313",
        "CVE-2011-4317",
        "CVE-2011-4599",
        "CVE-2012-0021",
        "CVE-2012-0031",
        "CVE-2012-0053",
        "CVE-2012-0643",
        "CVE-2012-0652",
        "CVE-2012-0668",
        "CVE-2012-0670",
        "CVE-2012-0671",
        "CVE-2012-0831",
        "CVE-2012-1172",
        "CVE-2012-1173",
        "CVE-2012-1667",
        "CVE-2012-1823",
        "CVE-2012-2143",
        "CVE-2012-2311",
        "CVE-2012-2386",
        "CVE-2012-2688",
        "CVE-2012-3716",
        "CVE-2012-3719",
        "CVE-2012-3721",
        "CVE-2012-3722",
        "CVE-2012-3723"
      );
      script_bugtraq_id(
        47545,
        49778,
        49957,
        50494,
        50690,
        50802,
        51006,
        51407,
        51705,
        51706,
        51954,
        52049,
        52364,
        52830,
        52891,
        53388,
        53403,
        53445,
        53457,
        53579,
        53582,
        53584,
        53729,
        53772,
        54638,
        56241,
        56244,
        56246,
        56247
      );
      script_xref(name:"CERT", value:"864643");
    
      script_name(english:"Mac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)");
      script_summary(english:"Check the version of Mac OS X.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes multiple
    security vulnerabilities."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.7.x that is prior
    to 10.7.5. The newer version contains multiple security-related fixes
    for the following components :
    
      - Apache
      - BIND
      - CoreText
      - Data Security
      - ImageIO
      - Installer
      - International Components for Unicode
      - Kernel
      - Mail
      - PHP
      - Profile Manager
      - QuickLook
      - QuickTime
      - Ruby
      - USB"
      );
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/bugtraq/2012/Sep/94");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5501");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
      script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.7.5 or later.");
      # NOTE(review): one CVSS v2 vector (low complexity, complete C/I/A impact)
      # is declared for the whole bundle. Individual CVEs in the list may be
      # scored lower, so confirm the per-CVE score before prioritising on a
      # single entry such as CVE-2012-3722.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # NOTE(review): the exploit, framework and malware flags below are set
      # once for the plugin. The only module named is 'PHP CGI Argument
      # Injection', which presumably relates to the PHP entry in the CVE list
      # (CVE-2012-1823 - confirm) and not to the QuickTime issue.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP CGI Argument Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/20");
    
      # "combined": the check below reads the locally collected OS version when
      # it exists and otherwise the "Host/OS" KB value.
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
     
      # No KB keys are required here. Both dependencies are listed because the
      # check reads either "Host/MacOSX/Version" or "Host/OS" (presumably set by
      # ssh_get_info.nasl and os_fingerprint.nasl respectively - verify).
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Version-only check: flags Mac OS X 10.7 through 10.7.4. The locally
    # collected version string is preferred; without it the "Host/OS" value is
    # used, and only when its recorded confidence is above 70.
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if (!("Mac OS X" >< os)) audit(AUDIT_OS_NOT, "Mac OS X");
    
      confidence = get_kb_item("Host/OS/Confidence");
      if (confidence <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    # NOTE(review): a string ending in "10.7" with no patch level also matches,
    # so a fallback value without the third version component is reported as
    # affected - confirm the patch level on such hosts before acting.
    if (!ereg(pattern:"Mac OS X 10\.7($|\.[0-4]([^0-9]|$))", string:os))
      exit(0, "The host is not affected as it is running "+os+".");
    
    # Reported on port 0 with no extra detail.
    security_hole(0);