Details of VAR-200703-0019

ID

VAR-200703-0019

CVE

CVE-2007-0718

TITLE

Apple QuickTime 3GP integer overflow

Trust: 0.8

sources: CERT/CC: VU#568689

DESCRIPTION

Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a QTIF file with a Video Sample Description containing a Color table ID of 0, which triggers memory corruption when QuickTime assumes that a color table exists. The Apple QuickTime player contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition. Apple QuickTime is prone to multiple unspecified remote code-execution vulnerabilities including mulitple heap and stack-based buffer-overflow and integer-overflow issues. These issues arise when the application handles specially crafted 3GP, MIDI, MOV, PICT, and QTIF files. Successful attacks can result in the compromise of the applicaiton or can cause denial-of-service conditions. Few details regarding these issues are currently available. Separate BIDs for each issue will be created as new information becomes available. QuickTime versions prior to 7.1.5 are vulnerable. QuickTime is prone to a heap-overflow vulnerability because it fails to perform adequate bounds checking on user-supplied data. There are multiple buffer overflow vulnerabilities in QuickTime's processing of various media formats. Remote attackers may exploit these vulnerabilities to control the user's machine by enticing the user to open and process malformed media files. (CVE-2007-0718). BACKGROUND Quicktime is Apple's media player product used to render video and other media. For more information visit http://www.apple.com/quicktime/ II. The vulnerability specifically exists in QuickTime players handling of Video media atoms. A byte swap process is then performed on the memory following the description, regardless if a table is present or not. Heap corruption will occur in the case when the memory following the description is not part of the heap chunk being processed. III. In order to exploit this vulnerability, an attacker must persuade a victim into opening a specially crafted media file. This could be accomplished by either a direct link or referenced from a website under the attacker's control. No further interaction is required in the default configuration. IV. DETECTION iDefense Labs confirmed this vulnerability exists in version 7.1.3 of QuickTime on Windows. V. WORKAROUND iDefense is currently unaware of any effective workarounds for this vulnerability. VI. More information can be found in Apple Advisory APPLE-SA-2007-03-05 at the following URL. http://docs.info.apple.com/article.html?artnum=305149 VII. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 12/06/2006 Initial vendor notification 12/11/2007 Initial vendor response 02/01/2007 Second vendor notification 03/05/2007 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by Ruben Santamarta of Reversemode Labs (www.reversemode.com). Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Trust: 8.1

sources: NVD: CVE-2007-0718 // CERT/CC: VU#568689 // CERT/CC: VU#880561 // CERT/CC: VU#822481 // CERT/CC: VU#861817 // CERT/CC: VU#448745 // CERT/CC: VU#313225 // CERT/CC: VU#410993 // CERT/CC: VU#642433 // JVNDB: JVNDB-2007-000198 // BID: 22827 // BID: 22839 // VULHUB: VHN-24080 // PACKETSTORM: 54931

AFFECTED PRODUCTS

vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 6.4
vendor:	apple	model:	quicktime	scope:	eq	version:	7.1.1	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0.4	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.1.2	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.1	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.1.4	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0.1	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0.2	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0.3	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.1.3	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	eq	version:	7.0	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	lte	version:	7.1.4	Trust: 0.8
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.1.3	Trust: 0.6
vendor:	apple	model:	quicktime player	scope:	ne	version:	7.1.5	Trust: 0.6
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.1.4	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.1.2	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.1.1	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.4	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.3	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.2	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0.1	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.0	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	6.5.2	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	6.5.1	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	6.5	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	6.1	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	5.0.2	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.1	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	6	Trust: 0.3

sources: CERT/CC: VU#568689 // CERT/CC: VU#880561 // CERT/CC: VU#822481 // CERT/CC: VU#861817 // CERT/CC: VU#448745 // CERT/CC: VU#313225 // CERT/CC: VU#410993 // CERT/CC: VU#642433 // BID: 22827 // BID: 22839 // JVNDB: JVNDB-2007-000198 // CNNVD: CNNVD-200703-165 // NVD: CVE-2007-0718

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2007-0718
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#568689
value:	16.20
Trust: 0.8
CARNEGIE MELLON:	VU#880561
value:	6.64
Trust: 0.8
CARNEGIE MELLON:	VU#822481
value:	9.00
Trust: 0.8
CARNEGIE MELLON:	VU#861817
value:	17.36
Trust: 0.8
CARNEGIE MELLON:	VU#448745
value:	4.81
Trust: 0.8
CARNEGIE MELLON:	VU#313225
value:	17.72
Trust: 0.8
CARNEGIE MELLON:	VU#410993
value:	16.20
Trust: 0.8
CARNEGIE MELLON:	VU#642433
value:	16.20
Trust: 0.8
NVD:	CVE-2007-0718
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200703-165
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-24080
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2007-0718
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-24080
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#568689 // CERT/CC: VU#880561 // CERT/CC: VU#822481 // CERT/CC: VU#861817 // CERT/CC: VU#448745 // CERT/CC: VU#313225 // CERT/CC: VU#410993 // CERT/CC: VU#642433 // VULHUB: VHN-24080 // JVNDB: JVNDB-2007-000198 // CNNVD: CNNVD-200703-165 // NVD: CVE-2007-0718

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.1

sources: VULHUB: VHN-24080 // NVD: CVE-2007-0718

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 54931 // CNNVD: CNNVD-200703-165

TYPE

Boundary Condition Error

Trust: 0.6

sources: BID: 22827 // BID: 22839

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-000198

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-24080

PATCH

title:	QuickTime 7.1.5 for Mac	url:	http://www.apple.com/support/downloads/quicktime715formac.html	Trust: 0.8
title:	QuickTime 7.1.5 for Windows	url:	http://www.apple.com/support/downloads/quicktime715forwindows.html	Trust: 0.8
title:	QuickTime 7.1.5	url:	http://docs.info.apple.com/article.html?artnum=305149	Trust: 0.8
title:	QuickTime 7.1.5	url:	http://docs.info.apple.com/article.html?artnum=305149-ja	Trust: 0.8
title:	アップル - QuickTime	url:	http://www.apple.com/jp/quicktime/download/win.html	Trust: 0.8
title:	QuickTime 7.1.5 for Windows	url:	http://www.apple.com/jp/ftp-info/reference/quicktime715forwindows.html	Trust: 0.8
title:	QuickTime 7.1.5 for Mac	url:	http://www.apple.com/jp/ftp-info/reference/quicktime715formac.html	Trust: 0.8

sources: JVNDB: JVNDB-2007-000198

EXTERNAL IDS

db:	BID	id:	22827	Trust: 9.2
db:	SECUNIA	id:	24359	Trust: 8.9
db:	SECTRACK	id:	1017725	Trust: 8.1
db:	AUSCERT	id:	AL-2007.0031	Trust: 6.4
db:	CERT/CC	id:	VU#313225	Trust: 3.9
db:	NVD	id:	CVE-2007-0718	Trust: 3.2
db:	BID	id:	22839	Trust: 2.8
db:	USCERT	id:	TA07-065A	Trust: 2.8
db:	VUPEN	id:	ADV-2007-0825	Trust: 1.7
db:	XF	id:	32826	Trust: 1.4
db:	CERT/CC	id:	VU#568689	Trust: 1.1
db:	CERT/CC	id:	VU#880561	Trust: 1.1
db:	CERT/CC	id:	VU#822481	Trust: 1.1
db:	CERT/CC	id:	VU#861817	Trust: 1.1
db:	CERT/CC	id:	VU#448745	Trust: 1.1
db:	CERT/CC	id:	VU#410993	Trust: 1.1
db:	CERT/CC	id:	VU#642433	Trust: 1.1
db:	BID	id:	22843	Trust: 0.8
db:	BID	id:	22844	Trust: 0.8
db:	ZDI	id:	ZDI-07-010	Trust: 0.8
db:	USCERT	id:	SA07-065A	Trust: 0.8
db:	JVNDB	id:	JVNDB-2007-000198	Trust: 0.8
db:	CNNVD	id:	CNNVD-200703-165	Trust: 0.7
db:	BUGTRAQ	id:	20070306 [REVERSEMODE ADVISORY] APPLE QUICKTIME COLOR ID REMOTE HEAP CORRUPTION	Trust: 0.6
db:	CERT/CC	id:	TA07-065A	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2007-03-05	Trust: 0.6
db:	IDEFENSE	id:	20070305 APPLE QUICKTIME COLOR TABLE ID HEAP CORRUPTION VULNERABILITY	Trust: 0.6
db:	PACKETSTORM	id:	54931	Trust: 0.2
db:	VULHUB	id:	VHN-24080	Trust: 0.1

sources: CERT/CC: VU#568689 // CERT/CC: VU#880561 // CERT/CC: VU#822481 // CERT/CC: VU#861817 // CERT/CC: VU#448745 // CERT/CC: VU#313225 // CERT/CC: VU#410993 // CERT/CC: VU#642433 // VULHUB: VHN-24080 // BID: 22827 // BID: 22839 // PACKETSTORM: 54931 // JVNDB: JVNDB-2007-000198 // CNNVD: CNNVD-200703-165 // NVD: CVE-2007-0718

REFERENCES

url:	http://www.securityfocus.com/bid/22827	Trust: 8.9
url:	http://docs.info.apple.com/article.html?artnum=305149	Trust: 8.2
url:	http://secunia.com/advisories/24359/	Trust: 6.4
url:	http://www.auscert.org.au/7356	Trust: 6.4
url:	http://www.ciac.org/ciac/bulletins/r-171.shtml	Trust: 6.4
url:	http://securitytracker.com/id?1017725	Trust: 5.6
url:	http://www.kb.cert.org/vuls/id/313225	Trust: 3.1
url:	http://www.us-cert.gov/cas/techalerts/ta07-065a.html	Trust: 2.8
url:	http://www.apple.com/quicktime/download/	Trust: 2.7
url:	http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=486	Trust: 2.5
url:	http://www.securityfocus.com/bid/22839	Trust: 2.5
url:	http://www.securitytracker.com/id?1017725	Trust: 2.5
url:	http://secunia.com/advisories/24359	Trust: 2.5
url:	http://www.us-cert.gov/cas/tips/st04-010.html	Trust: 2.4
url:	http://support.microsoft.com/default.aspx?scid=kb;en-us;q294676	Trust: 2.4
url:	http://www.cert.org/tech_tips/before_you_plug_in.html	Trust: 2.4
url:	http://www.mozilla.org/support/firefox/faq	Trust: 2.4
url:	http://lists.apple.com/archives/security-announce/2007/mar/msg00000.html	Trust: 1.7
url:	http://www.apple.com/itunes/	Trust: 1.6
url:	http://www.frsirt.com/english/advisories/2007/0825	Trust: 1.4
url:	http://xforce.iss.net/xforce/xfdb/32826	Trust: 1.4
url:	http://www.securityfocus.com/archive/1/462012/100/0/threaded	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2007/0825	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/32826	Trust: 1.1
url:	http://www.piotrbania.com/all/adv/quicktime-heap-adv-7.1.txt	Trust: 0.8
url:	http://en.wikipedia.org/wiki/.mov	Trust: 0.8
url:	http://www.securityfocus.com/bid/22843	Trust: 0.8
url:	http://en.wikipedia.org/wiki/musical_instrument_digital_interface	Trust: 0.8
url:	http://developer.apple.com/documentation/quicktime/qtff/index.html	Trust: 0.8
url:	http://developer.apple.com/documentation/quicktime/qtff/qtffchap2/chapter_3_section_2.html	Trust: 0.8
url:	http://secway.org/advisory/ad20070306.txt	Trust: 0.8
url:	http://secway.org/advisory/ad20060512.txt	Trust: 0.8
url:	http://www.zerodayinitiative.com/advisories/zdi-07-010.html	Trust: 0.8
url:	http://www.securityfocus.com/bid/22844	Trust: 0.8
url:	http://en.wikipedia.org/wiki/pict	Trust: 0.8
url:	http://www.reversemode.com/index.php?option=com_remository&itemid=2&func=fileinfo&id=46	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-0718	Trust: 0.8
url:	http://jvn.jp/cert/jvnta07-065a/index.html	Trust: 0.8
url:	http://jvn.jp/tr/trta07-065a/index.html	Trust: 0.8
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-0718	Trust: 0.8
url:	http://www.us-cert.gov/cas/alerts/sa07-065a.html	Trust: 0.8
url:	http://www.cyberpolice.go.jp/important/2007/20070306_153534.html	Trust: 0.8
url:	http://www.apple.com/quicktime/	Trust: 0.7
url:	msg://bugtraq/45ec9719.10206@idefense.com	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/462012/100/0/threaded	Trust: 0.6
url:	http://www.kb.cert.org/vuls/id/410993	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/448745	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/568689	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/642433	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/822481	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/861817	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/880561	Trust: 0.3
url:	/archive/1/462012	Trust: 0.3
url:	http://cve.mitre.org/),	Trust: 0.1
url:	http://secunia.com/	Trust: 0.1
url:	http://labs.idefense.com/intelligence/vulnerabilities/	Trust: 0.1
url:	http://labs.idefense.com/methodology/vulnerability/vcp.php	Trust: 0.1
url:	https://www.reversemode.com).	Trust: 0.1
url:	http://labs.idefense.com/	Trust: 0.1
url:	http://lists.grok.org.uk/full-disclosure-charter.html	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2007-0718	Trust: 0.1

sources: CERT/CC: VU#568689 // CERT/CC: VU#880561 // CERT/CC: VU#822481 // CERT/CC: VU#861817 // CERT/CC: VU#448745 // CERT/CC: VU#313225 // CERT/CC: VU#410993 // CERT/CC: VU#642433 // VULHUB: VHN-24080 // BID: 22827 // BID: 22839 // PACKETSTORM: 54931 // JVNDB: JVNDB-2007-000198 // CNNVD: CNNVD-200703-165 // NVD: CVE-2007-0718

CREDITS

JJ Reyes Mike Price iotr Bania Artur Ogloza Piotr Bania※ bania.piotr@gmail.com※Sowhat※ smaillist@gmail.com※http://www.zerodayinitiative.com/

Trust: 0.6

sources: CNNVD: CNNVD-200703-165

SOURCES

db:	CERT/CC	id:	VU#568689
db:	CERT/CC	id:	VU#880561
db:	CERT/CC	id:	VU#822481
db:	CERT/CC	id:	VU#861817
db:	CERT/CC	id:	VU#448745
db:	CERT/CC	id:	VU#313225
db:	CERT/CC	id:	VU#410993
db:	CERT/CC	id:	VU#642433
db:	VULHUB	id:	VHN-24080
db:	BID	id:	22827
db:	BID	id:	22839
db:	PACKETSTORM	id:	54931
db:	JVNDB	id:	JVNDB-2007-000198
db:	CNNVD	id:	CNNVD-200703-165
db:	NVD	id:	CVE-2007-0718

LAST UPDATE DATE

2025-07-06T21:09:48.367000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#568689	date:	2007-03-19T00:00:00
db:	CERT/CC	id:	VU#880561	date:	2007-03-19T00:00:00
db:	CERT/CC	id:	VU#822481	date:	2007-03-19T00:00:00
db:	CERT/CC	id:	VU#861817	date:	2007-03-19T00:00:00
db:	CERT/CC	id:	VU#448745	date:	2007-03-09T00:00:00
db:	CERT/CC	id:	VU#313225	date:	2007-03-19T00:00:00
db:	CERT/CC	id:	VU#410993	date:	2007-03-19T00:00:00
db:	CERT/CC	id:	VU#642433	date:	2007-03-19T00:00:00
db:	VULHUB	id:	VHN-24080	date:	2018-10-16T00:00:00
db:	BID	id:	22827	date:	2007-03-06T21:05:00
db:	BID	id:	22839	date:	2007-03-06T00:00:00
db:	JVNDB	id:	JVNDB-2007-000198	date:	2007-04-19T00:00:00
db:	CNNVD	id:	CNNVD-200703-165	date:	2007-06-27T00:00:00
db:	NVD	id:	CVE-2007-0718	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#568689	date:	2007-03-06T00:00:00
db:	CERT/CC	id:	VU#880561	date:	2007-03-06T00:00:00
db:	CERT/CC	id:	VU#822481	date:	2007-03-06T00:00:00
db:	CERT/CC	id:	VU#861817	date:	2007-03-06T00:00:00
db:	CERT/CC	id:	VU#448745	date:	2007-03-06T00:00:00
db:	CERT/CC	id:	VU#313225	date:	2007-03-06T00:00:00
db:	CERT/CC	id:	VU#410993	date:	2007-03-06T00:00:00
db:	CERT/CC	id:	VU#642433	date:	2007-03-06T00:00:00
db:	VULHUB	id:	VHN-24080	date:	2007-03-05T00:00:00
db:	BID	id:	22827	date:	2007-03-05T00:00:00
db:	BID	id:	22839	date:	2007-03-06T00:00:00
db:	PACKETSTORM	id:	54931	date:	2007-03-08T23:27:30
db:	JVNDB	id:	JVNDB-2007-000198	date:	2007-04-19T00:00:00
db:	CNNVD	id:	CNNVD-200703-165	date:	2007-03-05T00:00:00
db:	NVD	id:	CVE-2007-0718	date:	2007-03-05T22:19:00