9.3 - VU#751808

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Apple QuickTime remote command execution vulnerability

Informations
Name	VU#751808	First vendor Publication	2007-09-13
Vendor	VU-CERT	Last vendor Modification	2007-10-04
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#751808

Apple QuickTime remote command execution vulnerability

Overview

Apple QuickTime contains a vulnerability that may allow an attacker to pass arbitrary commands to other applications.

I. Description

Apple QuickTime is a media player that is available for Microsoft Windows and Apple OS X. Apple QuickTime includes browser plugins for Internet Explorer, Safari, and Netscape-compatible browsers.

QuickTime includes the ability for developers to control how QuickTime movies are launched, what controls are displayed to the user, and other actions. To specify these parameters, developers can create QuickTime link (.qtl) files. QuickTime link files can be embedded in web pages and launched automatically when a user visits a website.

The qtnext parameter can be used in QuickTime link files to specify the url of a multimedia file to load and play. The multimedia file may be hosted on a web page or stored locally.

Apple QuickTime incorrectly determines the command line used to launch the default web browser on Microsoft Windows systems. Rather than using the ShellExecute method, QuickTime determines the default handler for .HTM files and then crafts its own command line for the registered application. Any protective flags in the registered file handler are stripped out by QuickTime.

Current proof-of-concept code targets systems where Mozilla Firefox is the default handler for .HTM files. Other applications are also affected by this vulnerability, although the impact may vary based on what command line parameters the application accepts.

II. Impact

By convincing a user to open a specially crafted QuickTime file, a remote, unauthenticated attacker may be able execute arbitrary commands on a vulnerable system.

III. Solution

Apple has released an update to address this issue. Mozilla has released Firefox 2.0.0.7 which reduces the impact of this vulnerability.

Restrict access to QuickTime Movies

Until updates can be applied, the following workarounds may mitigate this vulnerability. Some web sites may allow anonymous users to upload QuickTime movies that exploit this vulnerability.

Workarounds for users

Mozilla has released Firefox 2.0.0.7 which may prevent exploitation of this vulnerability by removing Firefox's ability to run arbitrary scripts which are provided by command line arguments. Users are encouraged to upgrade as soon as possible.
Using the NoScript Firefox extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information.
Running Firefox with a limited user account may prevent an attacker from accessing or overwriting files that the limited user account does not have write access to.

Workarounds for administrators
Proxy servers or intrusion prevention systems may be able to filter QuickTime files and partially mitigate this vulnerability. Note that this workaround is not likely to mitigate or stop all attack vectors.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Vulnerable	4-Oct-2007
Mozilla	Vulnerable	20-Sep-2007

References

http://docs.info.apple.com/article.html?artnum=306560
http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox
http://www.mozilla.org/security/announce/2007/mfsa2007-28.html
http://blog.mozilla.com/security/2007/09/18/firefox-2.0.0.7-now-available/
http://secunia.com/advisories/26881/
http://docs.info.apple.com/article.html?artnum=305149
http://developer.apple.com/quicktime/quicktimeintro/tools/embed2.html
http://noscript.net/features#contentblocking
http://noscript.net
http://msdn2.microsoft.com/en-us/library/ms647732.aspx
http://support.microsoft.com/kb/224816

Credit

This vulnerability was disclosed by pdp on the GNUCITIZEN website.

This document was written by Ryan Giobbi and Will Dormann.

Other Information

Date Public	09/12/2007
Date First Published	09/13/2007 05:00:24 PM
Date Last Updated	10/04/2007
CERT Advisory
CVE Name	CVE-2007-4673
Metric	35.11
Document Revision	51

Original Source

Url : http://www.kb.cert.org/vuls/id/751808

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-94	Failure to Control Generation of Code ('Code Injection')
50 %	CWE-78	Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apple Quicktime cpe:2.3:a:apple:quicktime:7.2::windows_sp_2::::: cpe:2.3:a:apple:quicktime:7.2::windows_vista::::: cpe:2.3:a:apple:quicktime:7.1.3:::::::*	3

OpenVAS Exploits

Date	Description
2009-10-10	Name : SLES9: Security update for Mozilla File : nvt/sles9p5018527.nasl
2009-01-28	Name : SuSE Update for MozillaFirefox,mozilla,seamonkey SUSE-SA:2007:057 File : nvt/gb_suse_2007_057.nasl
2008-09-04	Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox28.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
40434	Apple Quicktime for Windows Crafted QTL File qtnext Field Remote Command Exec...
29064	Apple QuickTime Plug-In .qtl File qtnext Field XCS

Snort® IPS/IDS

Date	Description
2014-01-10	Apple QuickTime Movie link file URI security bypass attempt RuleID : 9430 - Revision : 14 - Type : FILE-MULTIMEDIA
2014-01-10	Apple QuickTime Movie link scripting security bypass attempt RuleID : 9429 - Revision : 9 - Type : FILE-MULTIMEDIA
2014-01-10	Apple Quicktime Plug-In Security Bypass RuleID : 17290 - Revision : 7 - Type : WEB-CLIENT

Nessus® Vulnerability Scanner

Date	Description
2007-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_MozillaFirefox-4570.nasl - Type : ACT_GATHER_INFO
2007-10-26	Name : The remote openSUSE host is missing a security update. File : suse_seamonkey-4596.nasl - Type : ACT_GATHER_INFO
2007-10-25	Name : The remote openSUSE host is missing a security update. File : suse_seamonkey-4594.nasl - Type : ACT_GATHER_INFO
2007-10-24	Name : The remote openSUSE host is missing a security update. File : suse_MozillaFirefox-4572.nasl - Type : ACT_GATHER_INFO
2007-10-24	Name : The remote openSUSE host is missing a security update. File : suse_MozillaFirefox-4574.nasl - Type : ACT_GATHER_INFO
2007-10-04	Name : The remote Windows host contains an application that allows remote code execu... File : quicktime_72_secupd.nasl - Type : ACT_GATHER_INFO
2007-09-24	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_3ce8c7e266cf11dcb25f02e0185f8d72.nasl - Type : ACT_GATHER_INFO
2007-09-20	Name : The remote Windows host contains a web browser that may allow arbitrary code ... File : mozilla_firefox_2007.nasl - Type : ACT_GATHER_INFO
2007-03-06	Name : The remote Windows host contains an application that is prone to multiple att... File : quicktime_715.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2013-05-11 12:26:43	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	2
CPE ID(s)	3
osvdb(s)	2
Openvas Exploit(s)	3
Snort® Rule(s)	3
Nessus® Exploit(s)	9

	Related
9.3	CVE-2007-4673
5	CVE-2006-4965
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)