Details of VAR-201011-0168

ID

VAR-201011-0168

CVE

CVE-2010-3795

TITLE

Apple Mac OS X of QuickTime Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2010-002439

DESCRIPTION

QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of GIF image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required in that a target must open a malicious media file or visit a malicious page.The specific flaw exists within the application's implementation of the LZW compression when opening a certain file format. The application will allocate a buffer for the image and then decompress image data into it. Due to explicitly trusting the decompressed data, a buffer overflow will occur. This can lead to memory corruption and code execution under the context of the application. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. This issue affects Apple Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple QuickTime is a very popular multimedia player. -- Vendor Response: Apple states: Fixed in Mac OS X 10.6.5: http://support.apple.com/kb/HT4435 -- Disclosure Timeline: 2010-06-30 - Vulnerability reported to vendor 2010-11-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Trust: 2.7

sources: NVD: CVE-2010-3795 // JVNDB: JVNDB-2010-002439 // ZDI: ZDI-10-253 // BID: 44785 // VULHUB: VHN-46400 // PACKETSTORM: 95933

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.3	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.4	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.1	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.3	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.4	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.1	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.6 to v10.6.4	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.6 to v10.6.4	Trust: 0.8
vendor:	apple	model:	quicktime	scope:	lt	version:	7.6.9\u3000	Trust: 0.8
vendor:	apple	model:	quicktime	scope:	-	version:	-	Trust: 0.7
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.8	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.7	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.6(1671)	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.6	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.5	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.4	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.2	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6.1	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.64.17.73	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	eq	version:	7.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	quicktime player	scope:	ne	version:	7.6.9	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	ne	version:	x10.6.5	Trust: 0.3

sources: ZDI: ZDI-10-253 // BID: 44785 // JVNDB: JVNDB-2010-002439 // CNNVD: CNNVD-201011-181 // NVD: CVE-2010-3795

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-3795
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2010-3795
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2010-3795
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-201011-181
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-46400
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2010-3795
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2010-3795
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7
VULHUB:	VHN-46400
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-10-253 // VULHUB: VHN-46400 // JVNDB: JVNDB-2010-002439 // CNNVD: CNNVD-201011-181 // NVD: CVE-2010-3795

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-46400 // JVNDB: JVNDB-2010-002439 // NVD: CVE-2010-3795

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 95933 // CNNVD: CNNVD-201011-181

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201011-181

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-002439

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-46400

PATCH

title:	HT4435	url:	http://support.apple.com/kb/HT4435	Trust: 0.8
title:	HT4447	url:	http://support.apple.com/kb/HT4447	Trust: 0.8
title:	HT4435	url:	http://support.apple.com/kb/HT4435?viewlocale=ja_JP	Trust: 0.8
title:	HT4447	url:	http://support.apple.com/kb/HT4447?viewlocale=ja_JP	Trust: 0.8
title:	Fixed in Mac OS X 10.6.5: 7.6.9: http://support.apple.com/kb/HT4447	url:	http://support.apple.com/kb/HT4435QuickTime	Trust: 0.7
title:	QuickTimeInstaller	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=35225	Trust: 0.6
title:	MacOSXUpdCombo10.6.5	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=35034	Trust: 0.6
title:	MacOSXUpd10.6.5	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=35033	Trust: 0.6

sources: ZDI: ZDI-10-253 // JVNDB: JVNDB-2010-002439 // CNNVD: CNNVD-201011-181

EXTERNAL IDS

db:	NVD	id:	CVE-2010-3795	Trust: 3.6
db:	ZDI	id:	ZDI-10-253	Trust: 1.1
db:	SECTRACK	id:	1024729	Trust: 1.1
db:	JVNDB	id:	JVNDB-2010-002439	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-828	Trust: 0.7
db:	CNNVD	id:	CNNVD-201011-181	Trust: 0.7
db:	APPLE	id:	APPLE-SA-2010-11-10-1	Trust: 0.6
db:	BID	id:	44785	Trust: 0.4
db:	PACKETSTORM	id:	95933	Trust: 0.2
db:	VULHUB	id:	VHN-46400	Trust: 0.1

sources: ZDI: ZDI-10-253 // VULHUB: VHN-46400 // BID: 44785 // JVNDB: JVNDB-2010-002439 // PACKETSTORM: 95933 // CNNVD: CNNVD-201011-181 // NVD: CVE-2010-3795

REFERENCES

url:	http://support.apple.com/kb/ht4447	Trust: 1.8
url:	http://support.apple.com/kb/ht4435	Trust: 1.8
url:	http://lists.apple.com/archives/security-announce/2010//nov/msg00000.html	Trust: 1.7
url:	http://lists.apple.com/archives/security-announce/2010//dec/msg00000.html	Trust: 1.1
url:	http://www.securitytracker.com/id?1024729	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3795	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu331391	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu387412	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3795	Trust: 0.8
url:	http://support.apple.com/kb/ht4435quicktime	Trust: 0.7
url:	http://www.apple.com/quicktime/	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-10-253/	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/disclosure_policy/	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-253	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2010-3795	Trust: 0.1
url:	http://twitter.com/thezdi	Trust: 0.1
url:	http://www.zerodayinitiative.com	Trust: 0.1

sources: ZDI: ZDI-10-253 // VULHUB: VHN-46400 // BID: 44785 // JVNDB: JVNDB-2010-002439 // PACKETSTORM: 95933 // CNNVD: CNNVD-201011-181 // NVD: CVE-2010-3795

CREDITS

Anonymous researcher working with TippingPoint's Zero Day Initiative

Trust: 0.9

sources: BID: 44785 // CNNVD: CNNVD-201011-181

SOURCES

db:	ZDI	id:	ZDI-10-253
db:	VULHUB	id:	VHN-46400
db:	BID	id:	44785
db:	JVNDB	id:	JVNDB-2010-002439
db:	PACKETSTORM	id:	95933
db:	CNNVD	id:	CNNVD-201011-181
db:	NVD	id:	CVE-2010-3795

LAST UPDATE DATE

2025-04-11T20:28:24.202000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-10-253	date:	2010-11-10T00:00:00
db:	VULHUB	id:	VHN-46400	date:	2010-12-11T00:00:00
db:	BID	id:	44785	date:	2010-12-07T20:35:00
db:	JVNDB	id:	JVNDB-2010-002439	date:	2010-12-17T00:00:00
db:	CNNVD	id:	CNNVD-201011-181	date:	2010-11-18T00:00:00
db:	NVD	id:	CVE-2010-3795	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-10-253	date:	2010-11-10T00:00:00
db:	VULHUB	id:	VHN-46400	date:	2010-11-16T00:00:00
db:	BID	id:	44785	date:	2010-11-10T00:00:00
db:	JVNDB	id:	JVNDB-2010-002439	date:	2010-12-03T00:00:00
db:	PACKETSTORM	id:	95933	date:	2010-11-18T00:29:12
db:	CNNVD	id:	CNNVD-201011-181	date:	2010-11-18T00:00:00
db:	NVD	id:	CVE-2010-3795	date:	2010-11-16T22:00:16.447