Details of VAR-201003-0141

ID

VAR-201003-0141

CVE

CVE-2010-0062

TITLE

Apple Mac OS X of CoreMedia and QuickTime Heap-based buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2010-001245

DESCRIPTION

Heap-based buffer overflow in quicktime.qts in CoreMedia and QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed .3g2 movie file with H.263 encoding that triggers an incorrect buffer length calculation. The code within QuickTime trusts various values from MDAT structures and uses them during operations on heap memory. By crafting specific values the corruption can be leveraged to execute remote code under the context of the user running the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within quicktime.qts when parsing sample data from a malformed .3g2 file that is utilizing the h.263 codec. While parsing data to render the video stream, the application will miscalculate the length of a buffer. Later when decompressing data to the heap chunk, the application will overflow the under allocated buffer leading to code execution under the context of the currently logged in user. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4077 -- Disclosure Timeline: 2009-08-10 - Vulnerability reported to vendor 2010-04-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Damian Put * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Trust: 3.42

sources: NVD: CVE-2010-0062 // JVNDB: JVNDB-2010-001245 // ZDI: ZDI-10-068 // ZDI: ZDI-10-036 // BID: 39167 // VULHUB: VHN-42667 // PACKETSTORM: 87993 // PACKETSTORM: 88210

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.1	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.1	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	apple	model:	quicktime	scope:	-	version:	-	Trust: 1.4
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.6 to v10.6.2	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.6 to v10.6.2	Trust: 0.8
vendor:	apple	model:	quicktime	scope:	lt	version:	7.6.6	Trust: 0.8
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.5	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.4	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.2	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.1	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	ne	version:	7.6.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	ne	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.6.3	Trust: 0.3

sources: ZDI: ZDI-10-068 // ZDI: ZDI-10-036 // BID: 39167 // JVNDB: JVNDB-2010-001245 // CNNVD: CNNVD-201003-456 // NVD: CVE-2010-0062

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2010-0062
value:	HIGH
Trust: 1.4
nvd@nist.gov:	CVE-2010-0062
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2010-0062
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201003-456
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-42667
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2010-0062
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2010-0062
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.4
VULHUB:	VHN-42667
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-10-068 // ZDI: ZDI-10-036 // VULHUB: VHN-42667 // JVNDB: JVNDB-2010-001245 // CNNVD: CNNVD-201003-456 // NVD: CVE-2010-0062

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-42667 // JVNDB: JVNDB-2010-001245 // NVD: CVE-2010-0062

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 87993 // PACKETSTORM: 88210 // CNNVD: CNNVD-201003-456

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201003-456

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001245

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-42667

PATCH

title:	HT4104	url:	http://support.apple.com/kb/HT4104	Trust: 2.2
title:	HT4077	url:	http://support.apple.com/kb/HT4077	Trust: 0.8
title:	HT4077	url:	http://support.apple.com/kb/HT4077?viewlocale=ja_JP	Trust: 0.8
title:	HT4104	url:	http://support.apple.com/kb/HT4104?viewlocale=ja_JP	Trust: 0.8

sources: ZDI: ZDI-10-068 // ZDI: ZDI-10-036 // JVNDB: JVNDB-2010-001245

EXTERNAL IDS

db:	NVD	id:	CVE-2010-0062	Trust: 4.4
db:	ZDI	id:	ZDI-10-036	Trust: 2.2
db:	ZDI	id:	ZDI-10-068	Trust: 1.1
db:	JVNDB	id:	JVNDB-2010-001245	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-692	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-521	Trust: 0.7
db:	CNNVD	id:	CNNVD-201003-456	Trust: 0.7
db:	APPLE	id:	APPLE-SA-2010-03-30-1	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2010-03-29-1	Trust: 0.6
db:	NSFOCUS	id:	14715	Trust: 0.6
db:	BID	id:	39167	Trust: 0.4
db:	PACKETSTORM	id:	87993	Trust: 0.2
db:	PACKETSTORM	id:	88210	Trust: 0.2
db:	VULHUB	id:	VHN-42667	Trust: 0.1

sources: ZDI: ZDI-10-068 // ZDI: ZDI-10-036 // VULHUB: VHN-42667 // BID: 39167 // JVNDB: JVNDB-2010-001245 // PACKETSTORM: 87993 // PACKETSTORM: 88210 // CNNVD: CNNVD-201003-456 // NVD: CVE-2010-0062

REFERENCES

url:	http://support.apple.com/kb/ht4077	Trust: 1.8
url:	http://lists.apple.com/archives/security-announce/2010//mar/msg00001.html	Trust: 1.7
url:	http://lists.apple.com/archives/security-announce/2010//mar/msg00002.html	Trust: 1.7
url:	http://support.apple.com/kb/ht4104	Trust: 1.5
url:	http://www.zerodayinitiative.com/advisories/zdi-10-036	Trust: 1.2
url:	http://www.securityfocus.com/archive/1/510510/100/0/threaded	Trust: 1.1
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a6626	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0062	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0062	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/14715	Trust: 0.6
url:	http://www.apple.com/quicktime/	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-10-036/	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-10-068/	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/disclosure_policy/	Trust: 0.2
url:	http://secunia.com/	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2010-0062	Trust: 0.2
url:	http://twitter.com/thezdi	Trust: 0.2
url:	http://www.tippingpoint.com	Trust: 0.2
url:	http://lists.grok.org.uk/full-disclosure-charter.html	Trust: 0.2
url:	http://www.zerodayinitiative.com	Trust: 0.2
url:	http://www.zerodayinitiative.com/advisories/zdi-10-068	Trust: 0.1

CREDITS

Anonymous

Trust: 0.7

sources: ZDI: ZDI-10-068

SOURCES

db:	ZDI	id:	ZDI-10-068
db:	ZDI	id:	ZDI-10-036
db:	VULHUB	id:	VHN-42667
db:	BID	id:	39167
db:	JVNDB	id:	JVNDB-2010-001245
db:	PACKETSTORM	id:	87993
db:	PACKETSTORM	id:	88210
db:	CNNVD	id:	CNNVD-201003-456
db:	NVD	id:	CVE-2010-0062

LAST UPDATE DATE

2025-04-11T21:42:28.805000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-10-068	date:	2010-04-09T00:00:00
db:	ZDI	id:	ZDI-10-036	date:	2010-04-02T00:00:00
db:	VULHUB	id:	VHN-42667	date:	2018-10-10T00:00:00
db:	BID	id:	39167	date:	2010-04-09T19:52:00
db:	JVNDB	id:	JVNDB-2010-001245	date:	2010-04-13T00:00:00
db:	CNNVD	id:	CNNVD-201003-456	date:	2010-03-31T00:00:00
db:	NVD	id:	CVE-2010-0062	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-10-068	date:	2010-04-09T00:00:00
db:	ZDI	id:	ZDI-10-036	date:	2010-04-02T00:00:00
db:	VULHUB	id:	VHN-42667	date:	2010-03-30T00:00:00
db:	BID	id:	39167	date:	2010-04-01T00:00:00
db:	JVNDB	id:	JVNDB-2010-001245	date:	2010-04-13T00:00:00
db:	PACKETSTORM	id:	87993	date:	2010-04-03T01:41:40
db:	PACKETSTORM	id:	88210	date:	2010-04-09T19:23:13
db:	CNNVD	id:	CNNVD-201003-456	date:	2010-03-30T00:00:00
db:	NVD	id:	CVE-2010-0062	date:	2010-03-30T18:30:00.390