Home

Apple QuickTime RTSP Content-Type Remote Code Execution

Notification Type:	IBM Internet Security Systems Protection Alert
Notification Date:	Dec. 11, 2007
Notification Version:	1.1

Name:	Apple QuickTime RTSP Content-Type Remote Code Execution
Public disclosure/ In the wild date:	Nov. 23, 2007 (vuln disclosure), Nov. 23, 2007 (PoC), Nov. 24, 2007 (Functional Exploit)
CVE:	CVE-2007-6166
Description:	Apple QuickTime is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of the Real Time Streaming Protocol (RTSP) Content-Type header.

ISS Coverage

Product	Content Version
Network Sensor 7.0 Proventia A Proventia IPS (G/GX) Server Sensor 7.0 Proventia Multifunction Appliance Proventia Server (Linux)	27.120
Proventia Server (Windows) Proventia Desktop	x.x.x.2130
BlackICE PC Protection 3.6	CQS

Propagation Techniques	ISS Protection	Available
remote exploit	RTSP_Content_Type_Overflow	Dec 11, 2007

Detailed Description

Business Impact:	Apple QuickTime is a common software program used to view multimedia files and is installed by default on Apple Mac operating systems. Although this vulnerability requires a user to click a link or visit a malicious web page, a successful exploit would result in remote code execution and possibly complete compromise of the system. Public exploitation of this vulnerability has already been reported.
CVSS:	Base Score:		9.3
		Access Vector:	Network
		Access Complexity:	Medium
		Authentication:	None
		Confidentiality Impact:	Complete
		Integrity Impact:	Complete
		Availability Impact:	Complete

	Adjusted Temporal Score:		7.7
		Exploitability:	Functional
		Remediation Level:	Official-fix
		Report Confidence:	Confirmed
Affected Products:	For a full list of affected versions, see references below.
Technical Description:	Apple QuickTime is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of the Real Time Streaming Protocol (RTSP) Content-Type header. By persuading a victim to connect to a specially-crafted RTSP stream, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Remediation:	Apple released a patch for this issue on Dec. 13, 2007. See References for details.

References

XFDB:	http://xforce.iss.net/xforce/xfdb/38604
Apple:	http://docs.info.apple.com/article.html?artnum=307176

Revision History

1.0
1.1

Initial publication.
Updated patch information. Modified business impact and CVSS to reflect the availability of the patch.

About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.