ID

VAR-201011-0158


CVE

CVE-2010-3790


TITLE

QuickTime on Apple Mac OS X vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2010-002434

DESCRIPTION

QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file that causes an image sample transformation to scale a sprite outside a buffer boundary.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how the application performs a transformation on an image sample using the sprite handler. When performing the transformation, the application will scale the sprite outside the bounds of the original buffer. This can cause memory corruption which can lead to code execution within the context of the application.

When using this Matrix structure to transform image data, the application will miscalculate an index to represent a row of an object.

Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. This issue affects Apple Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities) but has been given its own record to better document it.

ZDI-11-231: Apple QuickTime Pict File Matrix Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-231
June 29, 2011

-- CVE ID: CVE-2010-3790
-- CVSS: 7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-- Affected Vendors: Apple
-- Affected Products: Apple QuickTime
-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11429.
-- Vendor Response: Apple has issued an update to correct this vulnerability.
More details can be found at: http://support.apple.com/kb/HT4723

-- Disclosure Timeline:
2011-04-11 - Vulnerability reported to vendor
2011-06-29 - Coordinated public release of advisory

-- Credit: This vulnerability was discovered by:
* Subreption LLC

Trust: 3.51

sources: NVD: CVE-2010-3790 // JVNDB: JVNDB-2010-002434 // ZDI: ZDI-11-038 // ZDI: ZDI-11-231 // BID: 44794 // VULHUB: VHN-46395 // VULMON: CVE-2010-3790 // PACKETSTORM: 102678 // PACKETSTORM: 98101

AFFECTED PRODUCTS

vendor: apple | model: quicktime | scope: - | version: -

Trust: 2.0

vendor: apple | model: mac os x server | scope: eq | version: 10.6.2

Trust: 1.0

vendor: apple | model: mac os x server | scope: eq | version: 10.6.0

Trust: 1.0

vendor: apple | model: mac os x server | scope: eq | version: 10.6.3

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.6.3

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.6.2

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.6.0

Trust: 1.0

vendor: apple | model: mac os x server | scope: eq | version: 10.6.1

Trust: 1.0

vendor: apple | model: quicktime | scope: eq | version: *

Trust: 1.0

vendor: apple | model: mac os x server | scope: eq | version: 10.6.4

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.6.1

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.6.4

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: v10.5.8

Trust: 0.8

vendor: apple | model: mac os x | scope: eq | version: v10.6 to v10.6.7

Trust: 0.8

vendor: apple | model: mac os x server | scope: eq | version: v10.5.8

Trust: 0.8

vendor: apple | model: mac os x server | scope: eq | version: v10.6 to v10.6.7

Trust: 0.8

vendor: apple | model: quicktime | scope: lt | version: 7.6.9

Trust: 0.8

vendor: apple | model: quicktime player | scope: eq | version: 7.6.8

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6.7

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6.6(1671)

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6.6

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6.5

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6.4

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6.2

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6.1

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.64.17.73

Trust: 0.3

vendor: apple | model: quicktime player | scope: eq | version: 7.6

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6.6

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6.5

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6.4

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6.3

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6.2

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6.1

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6.7

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.6

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.6.5

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.6.4

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.6.3

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.6.2

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.6.1

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.6

Trust: 0.3

vendor: apple | model: quicktime player | scope: ne | version: 7.6.9

Trust: 0.3

vendor: apple | model: mac os server | scope: ne | version: x10.6.5

Trust: 0.3

vendor: apple | model: mac os server | scope: ne | version: x10.6.8

Trust: 0.3

sources: ZDI: ZDI-11-038 // ZDI: ZDI-11-231 // BID: 44794 // JVNDB: JVNDB-2010-002434 // CNNVD: CNNVD-201011-176 // NVD: CVE-2010-3790

CVSS

SEVERITY

ZDI: CVE-2010-3790
value: HIGH

Trust: 1.4

nvd@nist.gov: CVE-2010-3790
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-3790
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201011-176
value: MEDIUM

Trust: 0.6

VULHUB: VHN-46395
value: MEDIUM

Trust: 0.1

VULMON: CVE-2010-3790
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2010-3790
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

ZDI: CVE-2010-3790
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

ZDI: CVE-2010-3790
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-46395
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: ZDI: ZDI-11-038 // ZDI: ZDI-11-231 // VULHUB: VHN-46395 // VULMON: CVE-2010-3790 // JVNDB: JVNDB-2010-002434 // CNNVD: CNNVD-201011-176 // NVD: CVE-2010-3790

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-46395 // JVNDB: JVNDB-2010-002434 // NVD: CVE-2010-3790

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 102678 // PACKETSTORM: 98101 // CNNVD: CNNVD-201011-176

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201011-176

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-002434

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-46395

PATCH

title: HT4435 | url: http://support.apple.com/kb/HT4435

Trust: 1.5

title: HT4723 | url: http://support.apple.com/kb/HT4723

Trust: 1.5

title: HT4447 | url: http://support.apple.com/kb/HT4447

Trust: 0.8

title: HT4435 | url: http://support.apple.com/kb/HT4435?viewlocale=ja_JP

Trust: 0.8

title: HT4447 | url: http://support.apple.com/kb/HT4447?viewlocale=ja_JP

Trust: 0.8

title: QuickTimeInstaller | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=35225

Trust: 0.6

title: MacOSXUpdCombo10.6.5 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=35034

Trust: 0.6

title: MacOSXUpd10.6.5 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=35033

Trust: 0.6

sources: ZDI: ZDI-11-038 // ZDI: ZDI-11-231 // JVNDB: JVNDB-2010-002434 // CNNVD: CNNVD-201011-176

EXTERNAL IDS

db: NVD | id: CVE-2010-3790

Trust: 4.5

db: ZDI | id: ZDI-11-038

Trust: 2.3

db: BID | id: 44794

Trust: 1.5

db: ZDI | id: ZDI-11-231

Trust: 1.1

db: SECTRACK | id: 1024729

Trust: 1.1

db: JVNDB | id: JVNDB-2010-002434

Trust: 0.8

db: ZDI_CAN | id: ZDI-CAN-910

Trust: 0.7

db: ZDI_CAN | id: ZDI-CAN-1148

Trust: 0.7

db: APPLE | id: APPLE-SA-2010-11-10-1

Trust: 0.6

db: CNNVD | id: CNNVD-201011-176

Trust: 0.6

db: PACKETSTORM | id: 98101

Trust: 0.2

db: PACKETSTORM | id: 102678

Trust: 0.2

db: VULHUB | id: VHN-46395

Trust: 0.1

db: VULMON | id: CVE-2010-3790

Trust: 0.1

sources: ZDI: ZDI-11-038 // ZDI: ZDI-11-231 // VULHUB: VHN-46395 // VULMON: CVE-2010-3790 // BID: 44794 // JVNDB: JVNDB-2010-002434 // PACKETSTORM: 102678 // PACKETSTORM: 98101 // CNNVD: CNNVD-201011-176 // NVD: CVE-2010-3790

REFERENCES

url:http://support.apple.com/kb/ht4435

Trust: 2.6

url:http://support.apple.com/kb/ht4447

Trust: 2.0

url:http://support.apple.com/kb/ht4723

Trust: 2.0

url:http://lists.apple.com/archives/security-announce/2010//nov/msg00000.html

Trust: 1.8

url:http://www.zerodayinitiative.com/advisories/zdi-11-038/

Trust: 1.5

url:http://lists.apple.com/archives/security-announce/2010//dec/msg00000.html

Trust: 1.2

url:http://lists.apple.com/archives/security-announce/2011//jun/msg00000.html

Trust: 1.2

url:http://www.securityfocus.com/bid/44794

Trust: 1.2

url:http://www.securitytracker.com/id?1024729

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3790

Trust: 0.8

url:http://jvn.jp/cert/jvnvu387412

Trust: 0.8

url:http://jvn.jp/cert/jvnvu976710

Trust: 0.8

url:http://jvn.jp/cert/jvnvu331391

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3790

Trust: 0.8

url:http://www.zerodayinitiative.com/advisories/zdi-11-231

Trust: 0.4

url:http://www.apple.com/quicktime/

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/disclosure_policy/

Trust: 0.2

url:http://secunia.com/

Trust: 0.2

url:http://twitter.com/thezdi

Trust: 0.2

url:http://www.zerodayinitiative.com

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2010-3790

Trust: 0.2

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=21818

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://www.tippingpoint.com

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-11-038

Trust: 0.1

sources: ZDI: ZDI-11-038 // ZDI: ZDI-11-231 // VULHUB: VHN-46395 // VULMON: CVE-2010-3790 // BID: 44794 // JVNDB: JVNDB-2010-002434 // PACKETSTORM: 102678 // PACKETSTORM: 98101 // CNNVD: CNNVD-201011-176 // NVD: CVE-2010-3790

CREDITS

Anonymous

Trust: 0.7

sources: ZDI: ZDI-11-038

SOURCES

db: ZDI | id: ZDI-11-038
db: ZDI | id: ZDI-11-231
db: VULHUB | id: VHN-46395
db: VULMON | id: CVE-2010-3790
db: BID | id: 44794
db: JVNDB | id: JVNDB-2010-002434
db: PACKETSTORM | id: 102678
db: PACKETSTORM | id: 98101
db: CNNVD | id: CNNVD-201011-176
db: NVD | id: CVE-2010-3790

LAST UPDATE DATE

2025-04-11T20:13:33.898000+00:00


SOURCES UPDATE DATE

db: ZDI | id: ZDI-11-038 | date: 2011-02-01T00:00:00
db: ZDI | id: ZDI-11-231 | date: 2011-06-29T00:00:00
db: VULHUB | id: VHN-46395 | date: 2011-07-02T00:00:00
db: VULMON | id: CVE-2010-3790 | date: 2011-07-02T00:00:00
db: BID | id: 44794 | date: 2015-03-19T09:29:00
db: JVNDB | id: JVNDB-2010-002434 | date: 2011-06-29T00:00:00
db: CNNVD | id: CNNVD-201011-176 | date: 2010-11-18T00:00:00
db: NVD | id: CVE-2010-3790 | date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: ZDI | id: ZDI-11-038 | date: 2011-02-01T00:00:00
db: ZDI | id: ZDI-11-231 | date: 2011-06-29T00:00:00
db: VULHUB | id: VHN-46395 | date: 2010-11-16T00:00:00
db: VULMON | id: CVE-2010-3790 | date: 2010-11-16T00:00:00
db: BID | id: 44794 | date: 2010-11-10T00:00:00
db: JVNDB | id: JVNDB-2010-002434 | date: 2010-12-02T00:00:00
db: PACKETSTORM | id: 102678 | date: 2011-06-30T06:16:44
db: PACKETSTORM | id: 98101 | date: 2011-02-02T19:22:00
db: CNNVD | id: CNNVD-201011-176 | date: 2010-11-18T00:00:00
db: NVD | id: CVE-2010-3790 | date: 2010-11-16T22:00:16.227