Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Desktop, Proventia Network IPS:
This signature looks for an excessively long Content-Type header in a Real Time Streaming Protocol (RTSP) message that could lead to remote code execution in QuickTime.
High
Proventia Server IPS for Microsoft Windows technology: 1.0.914.2130, BlackICE Server Protection: 3.6.cqs, BlackICE PC Protection: 3.6cqs, RealSecure Server Sensor: XPU 27.120, RealSecure Network: XPU 27.120, Proventia Server IPS for Linux technology: 27.120, Proventia-G 1.1 and earlier: XPU 27.120, Proventia Network MFS: XPU 27.120, Proventia Desktop: 2130, Proventia Network IPS: XPU 27.120
Gentoo Linux, Microsoft Windows XP: SP2, Apple Mac OS X: 10.3.9, Microsoft Windows Vista, Apple Mac OS X: 10.4.9, Apple QuickTime: 7.2, Apple Mac OS X: 10.5, Apple QuickTime: 7.3
Unauthorized Access Attempt
Apple QuickTime is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of the Real Time Streaming Protocol (RTSP) Content-Type header. By persuading a victim to connect to a specially-crafted RTSP stream, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Upgrade to the latest version of Apple QuickTime (7.3.1 or later), available from the Apple Web site. See References.
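The check the signature performs can be sketched as follows. This is an added example, not ISS signature code: the 256-byte limit, the function names and the sample messages are assumptions made for illustration, since the page states no threshold. It also joins folded header lines before measuring, which a per-line length check would miss.

```python
import re

# Assumed threshold: the page gives no length, so this value is illustrative only.
MAX_CONTENT_TYPE_LEN = 256

RTSP_START = re.compile(rb"^(RTSP/\d\.\d \d{3}|[A-Z_]+ \S+ RTSP/\d\.\d)")

def parse_headers(message: bytes) -> list[tuple[str, bytes]]:
    """Split one RTSP message head into (lowercased name, value) pairs."""
    head = message.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or not RTSP_START.match(lines[0]):
        raise ValueError("not an RTSP message")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            # Folded continuation line: append to the previous header value.
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().decode("latin-1").lower(), value.strip()))
    return headers

def check_content_type(message: bytes, limit: int = MAX_CONTENT_TYPE_LEN) -> list[str]:
    """Return one alert string per Content-Type header longer than limit."""
    alerts = []
    for name, value in parse_headers(message):
        if name == "content-type" and len(value) > limit:
            alerts.append(f"RTSP Content-Type too long: {len(value)} bytes (limit {limit})")
    return alerts

# Constructed sample messages (not captured traffic).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERLONG = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\ncontent-type: " + b"A" * 1000 +
            b"\r\nContent-Length: 0\r\n\r\n")
FOLDED = (b"RTSP/1.0 200 OK\r\nContent-Type: " + b"B" * 200 + b"\r\n " +
          b"B" * 200 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("overlong", OVERLONG), ("folded", FOLDED)):
        print(label, check_content_type(msg) or "ok")
```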
milw0rm.com [2007-11-23]
Apple QuickTime 7.3 RTSP Response Remote SEH Overwrite PoC
http://milw0rm.com/exploits/4648
milw0rm.com [2007-11-24]
Apple QuickTime 7.3 RTSP Response Universal Exploit (Vista / XP)
http://milw0rm.com/exploits/4657
milw0rm.com [2007-11-24]
Apple Quicktime 7.2/7.3 (RSTP Response) Code Exec Exploit (Vista/XP)
http://milw0rm.com/exploits/4651
Sunnet Beskerming Security Portal
QuickTime - Remote hacker automatic control
http://www.beskerming.com/security/2007/11/25/74/QuickTime_-_Remote_hacker_automatic_control
milw0rm.com [2007-11-27]
Apple QuickTime 7.2/7.3 RSTP Response Universal Exploit (cool)
http://milw0rm.com/exploits/4664
milw0rm.com [2007-11-29]
Apple QuickTime 7.2/7.3 RSTP Response Universal Exploit (win/osx)
http://milw0rm.com/exploits/4673
IBM Internet Security Systems Protection Alert Dec 11, 2007
Apple QuickTime RTSP Content-Type Remote Code Execution
http://www.iss.net/threats/281.html
milw0rm.com [2008-07-06]
Safari + Quicktime <= 7.3 RTSP Content-Type Remote BOF Exploit
http://milw0rm.com/exploits/6013
ISS X-Force
Apple QuickTime RTSP Content-Type header buffer overflow
http://www.iss.net/security_center/static/38604.php
CVE
CVE-2007-6166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6166