Sign-up

ID

VAR-201011-0159


CVE

CVE-2010-3791


TITLE

Apple Mac OS X of QuickTime Vulnerable to buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2010-002435

DESCRIPTION

Buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The flaw exists within the QuickTimeMPEG.qtx module. When handling an ELST atom's edit list table data large values are not handled properly. Specifically, the media rate field is explicitly trusted and can be abused to control memory copy operations. By specifying a large enough value, an attacker can utilize this to write to an arbitrary address in process memory. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the user. This issue affects Apple Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple QuickTime is a very popular multimedia player. The flaw exists within the QuickTimeMPEG.qtx module. -- Vendor Response: Apple states: Fixed in Mac OS X 10.6.5: http://support.apple.com/kb/HT4435 -- Disclosure Timeline: 2010-07-20 - Vulnerability reported to vendor 2010-11-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Trust: 2.7

sources: NVD: CVE-2010-3791 // JVNDB: JVNDB-2010-002435 // ZDI: ZDI-10-254 // BID: 44792 // VULHUB: VHN-46396 // PACKETSTORM: 95945

AFFECTED PRODUCTS

vendor:applemodel:quicktimescope: - version: -

Trust: 1.3

vendor:applemodel:mac os x serverscope:eqversion:10.6.2

Trust: 1.0

vendor:applemodel:mac os x serverscope:eqversion:10.6.0

Trust: 1.0

vendor:applemodel:mac os x serverscope:eqversion:10.6.3

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.6.3

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.6.2

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.6.0

Trust: 1.0

vendor:applemodel:mac os x serverscope:eqversion:10.6.1

Trust: 1.0

vendor:applemodel:quicktimescope:eqversion:*

Trust: 1.0

vendor:applemodel:mac os x serverscope:eqversion:10.6.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.6.1

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.6.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.6 to v10.6.4

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.6 to v10.6.4

Trust: 0.8

vendor:applemodel:quicktimescope:ltversion:7.6.9

Trust: 0.8

vendor:applemodel:quicktime playerscope:eqversion:7.6.8

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6.7

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6.6(1671)

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6.6

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6.5

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6.4

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6.2

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6.1

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.64.17.73

Trust: 0.3

vendor:applemodel:quicktime playerscope:eqversion:7.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6

Trust: 0.3

vendor:applemodel:quicktime playerscope:neversion:7.6.9

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x10.6.5

Trust: 0.3

sources: ZDI: ZDI-10-254 // BID: 44792 // JVNDB: JVNDB-2010-002435 // CNNVD: CNNVD-201011-177 // NVD: CVE-2010-3791

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-3791
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-3791
value: MEDIUM

Trust: 0.8

ZDI: CVE-2010-3791
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201011-177
value: MEDIUM

Trust: 0.6

VULHUB: VHN-46396
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-3791
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2010-3791
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-46396
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: ZDI: ZDI-10-254 // VULHUB: VHN-46396 // JVNDB: JVNDB-2010-002435 // CNNVD: CNNVD-201011-177 // NVD: CVE-2010-3791

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-46396 // JVNDB: JVNDB-2010-002435 // NVD: CVE-2010-3791

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 95945 // CNNVD: CNNVD-201011-177

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201011-177

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-002435

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-46396

PATCH
title:HT4435url:http://support.apple.com/kb/HT4435
Trust: 0.8
title:HT4447url:http://support.apple.com/kb/HT4447
Trust: 0.8
title:HT4435url:http://support.apple.com/kb/HT4435?viewlocale=ja_JP
Trust: 0.8
title:HT4447url:http://support.apple.com/kb/HT4447?viewlocale=ja_JP
Trust: 0.8
title:Fixed in Mac OS X 10.6.5:  7.6.9: http://support.apple.com/kb/HT4447url:http://support.apple.com/kb/HT4435QuickTime
Trust: 0.7
sources:
            
            
            ZDI: ZDI-10-254 // 
            
            
            
            JVNDB: JVNDB-2010-002435

EXTERNAL IDS
db:NVDid:CVE-2010-3791
Trust: 3.6
db:ZDIid:ZDI-10-254
Trust: 1.1
db:SECTRACKid:1024729
Trust: 1.1
db:JVNDBid:JVNDB-2010-002435
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-838
Trust: 0.7
db:CNNVDid:CNNVD-201011-177
Trust: 0.7
db:APPLEid:APPLE-SA-2010-11-10-1
Trust: 0.6
db:BIDid:44792
Trust: 0.4
db:PACKETSTORMid:95945
Trust: 0.2
db:VULHUBid:VHN-46396
Trust: 0.1
sources:
            
            
            ZDI: ZDI-10-254 // 
            
            
            
            VULHUB: VHN-46396 // 
            
            
            
            BID: 44792 // 
            
            
            
            JVNDB: JVNDB-2010-002435 // 
            
            
            
            PACKETSTORM: 95945 // 
            
            
            
            CNNVD: CNNVD-201011-177 // 
            
            
            
            NVD: CVE-2010-3791

REFERENCES
url:http://support.apple.com/kb/ht4447
Trust: 1.8
url:http://support.apple.com/kb/ht4435
Trust: 1.8
url:http://lists.apple.com/archives/security-announce/2010//nov/msg00000.html
Trust: 1.7
url:http://lists.apple.com/archives/security-announce/2010//dec/msg00000.html
Trust: 1.1
url:http://www.securitytracker.com/id?1024729
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3791
Trust: 0.8
url:http://jvn.jp/cert/jvnvu331391
Trust: 0.8
url:http://jvn.jp/cert/jvnvu387412
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3791
Trust: 0.8
url:http://support.apple.com/kb/ht4435quicktime
Trust: 0.7
url:http://www.apple.com/quicktime/
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-10-254/
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/disclosure_policy/
Trust: 0.1
url:http://twitter.com/thezdi
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-3791
Trust: 0.1
url:http://www.tippingpoint.com
Trust: 0.1
url:http://www.zerodayinitiative.com
Trust: 0.1
url:http://www.zerodayinitiative.com/advisories/zdi-10-254
Trust: 0.1
sources:
            
            
            ZDI: ZDI-10-254 // 
            
            
            
            VULHUB: VHN-46396 // 
            
            
            
            BID: 44792 // 
            
            
            
            JVNDB: JVNDB-2010-002435 // 
            
            
            
            PACKETSTORM: 95945 // 
            
            
            
            CNNVD: CNNVD-201011-177 // 
            
            
            
            NVD: CVE-2010-3791

CREDITS
Anonymous
Trust: 0.7
sources:
            
            
            ZDI: ZDI-10-254

SOURCES
db:ZDIid:ZDI-10-254
db:VULHUBid:VHN-46396
db:BIDid:44792
db:JVNDBid:JVNDB-2010-002435
db:PACKETSTORMid:95945
db:CNNVDid:CNNVD-201011-177
db:NVDid:CVE-2010-3791

LAST UPDATE DATE
2025-04-11T21:46:55.938000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-10-254date:2010-11-10T00:00:00
db:VULHUBid:VHN-46396date:2010-12-11T00:00:00
db:BIDid:44792date:2010-12-07T20:35:00
db:JVNDBid:JVNDB-2010-002435date:2010-12-17T00:00:00
db:CNNVDid:CNNVD-201011-177date:2010-11-18T00:00:00
db:NVDid:CVE-2010-3791date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:ZDIid:ZDI-10-254date:2010-11-10T00:00:00
db:VULHUBid:VHN-46396date:2010-11-16T00:00:00
db:BIDid:44792date:2010-11-10T00:00:00
db:JVNDBid:JVNDB-2010-002435date:2010-12-02T00:00:00
db:PACKETSTORMid:95945date:2010-11-18T01:09:01
db:CNNVDid:CNNVD-201011-177date:2010-11-18T00:00:00
db:NVDid:CVE-2010-3791date:2010-11-16T22:00:16.273