Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Производитель ПО
Наименование ПО
QuickTime Player
(7.3.1, 7.4.1)
Описание
Переполнение буфера в Apple Quicktime Player, когда включено RTSP tunneling, позволяет злоумышленникам, действующим удаленно, выполнить произвольный код, используя длинный ответ Reason-Phrase на запрос rtsp:// request, как показано на примере с использованием сообщения об ошибке 404.
Как исправить
Для устранения уязвимости необходимо установить последнюю версию продукта, соответствующую используемой платформе. Необходимую информацию можно получить по адресу:
http://www.apple.com/
http://www.apple.com/
Ссылки
BUGTRAQ (20080110 Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486091/100/0/threaded
BUGTRAQ (20080110 Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486114/100/0/threaded
MILW0RM (4885): http://www.milw0rm.com/exploits/4885
CERT-VN (VU#112179): http://www.kb.cert.org/vuls/id/112179
BID (27225): http://www.securityfocus.com/bid/27225
BUGTRAQ (20080111 Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486174/100/0/threaded
BUGTRAQ (20080111 Re: Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486161/100/0/threaded
BUGTRAQ (20080112 Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486268/100/0/threaded
BUGTRAQ (20080112 Re: Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486241/100/0/threaded
BUGTRAQ (20080114 Re: [Full-disclosure] Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486238/100/0/threaded
MILW0RM (4906): http://www.milw0rm.com/exploits/4906
FRSIRT (ADV-2008-0107): http://www.frsirt.com/english/advisories/2008/0107
SECTRACK (1019178): http://www.securitytracker.com/id?1019178
XF (quicktime-rtsp-responses-bo(39601)): http://xforce.iss.net/xforce/xfdb/39601
APPLE (APPLE-SA-2008-02-06): http://lists.apple.com/archives/security-announce/2008/Feb/msg00001.html
BUGTRAQ (20080110 Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486114/100/0/threaded
MILW0RM (4885): http://www.milw0rm.com/exploits/4885
CERT-VN (VU#112179): http://www.kb.cert.org/vuls/id/112179
BID (27225): http://www.securityfocus.com/bid/27225
BUGTRAQ (20080111 Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486174/100/0/threaded
BUGTRAQ (20080111 Re: Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486161/100/0/threaded
BUGTRAQ (20080112 Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486268/100/0/threaded
BUGTRAQ (20080112 Re: Re: Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486241/100/0/threaded
BUGTRAQ (20080114 Re: [Full-disclosure] Buffer-overflow in Quicktime Player 7.3.1.70): http://www.securityfocus.com/archive/1/archive/1/486238/100/0/threaded
MILW0RM (4906): http://www.milw0rm.com/exploits/4906
FRSIRT (ADV-2008-0107): http://www.frsirt.com/english/advisories/2008/0107
SECTRACK (1019178): http://www.securitytracker.com/id?1019178
XF (quicktime-rtsp-responses-bo(39601)): http://xforce.iss.net/xforce/xfdb/39601
APPLE (APPLE-SA-2008-02-06): http://lists.apple.com/archives/security-announce/2008/Feb/msg00001.html