[ISN] Flaws Found in Apple Streaming Servers

From: InfoSec News (isnat_private)
Date: Wed Feb 26 2003 - 00:17:43 PST

  • Next message: InfoSec News: "[ISN] DOD wireless policy delayed"

    By Dennis Fisher
    February 25, 2003 
    There are several security vulnerabilities in recent versions of Apple
    Computer Inc.'s popular QuickTime Streaming Server and Darwin
    Streaming Server that give attackers the ability to execute code on
    remote machines.
    The flaws affect version 4.1.2 of the Darwin server and 4.1.1 of the
    QuickTime server. Apple, based in Cupertino, Calif., has released
    updated versions of both servers that fix the problems.
    QuickTime Streaming Server and Darwin Streaming Server are
    enterprise-class servers designed to deliver thousands of simultaneous
    Of the six vulnerabilities found by researchers at @Stake Inc., in
    Cambridge, Mass., the most serious is a condition in the CGI
    application used to authenticate and interface with users that allows
    an attacker to pass unvalidated input to the open() function on the
    streaming server. By inserting a specific character in the command,
    the attacker can bypass a file existence check designed to protect
    against such operations.
    The vulnerability would not allow the attacker to add any further
    command-line parameters to his input. But, if the attacker has a
    non-root account on the machine, he could use this vulnerability to
    gain root privileges, the @stake advisory says.
    A second vulnerability within the same CGI application enables an
    attacker to cause the application to disclose the physical path to the
    Darwin/QuickTime administration server.
    Another flaw in the CGI application gives attackers the ability to use
    the open() function to open the inode of a directory as a file on Unix
    to obtain a directory listing.
    There are also two minor cross-site scripting vulnerabilities. One of
    the flaws is related to the way that the parse_xml.cgi application
    generates error messages when a file that does not exist is requested.  
    The second involves an attacker making an unauthenticated request to
    port 7070 and supplying scripting code as part of the request. The
    request is then written to the log file and the code will execute when
    the administrator views the logs.
    The final vulnerability is a buffer overrun in the MP3 broadcast
    module within the streaming servers. Any MP3 file with a name longer
    than 256 bytes will cause the buffer overrun and can allow local or
    FTP users to escalate their privileges on vulnerable machines.
    The update for machines running Mac OS X Server 10.2.3 is here [1].
    [1] http://docs.info.apple.com/article.html?artnum=70171
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 02:44:26 PST