VARIoT IoT vulnerabilities database

Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments. It has been reported that a vulnerability exists in the processing of a "STAT" command on WS_FTP Servers versions 4.x and prior. Exploitation of this vulnerability may lead to an authenticated user executing arbitrary code with the elevated privileges of the server process. Ipswitch WS_FTP Server is reported to be prone to buffer overruns when handling data supplied to the APPE and STAT FTP commands. Progress Software Ipswitch WS_FTP Server is a set of FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption

Unknown vulnerability in an ISAPI plugin for ISS Server Sensor 7.0 XPU 20.16, 20.18, and possibly other versions before 20.19, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code in Internet Information Server (IIS) via a certain URL through SSL. This vulnerability could be exploited to crash the underlying Microsoft IIS web server. It should be noted that the service may be automatically restarted. It is not known if this issue affects other platforms or can be exploited to crash other underlying web server implementations. The researchers who discovered this vulnerability are currently investigating the possibility of exploiting this issue to execute arbitrary code, though sufficient details are not available regarding this at the time of writing. This BID will be updated if more details become available. RealSecure Server Sensor is a set of intrusion detection and immediate response system based on host-base and network-base. Remote attackers can exploit this vulnerability to perform denial-of-service attacks on services. It's unclear if other platforms are affected by the vulnerability. [enteredgelogo.jpg] EnterEdge Technology takes a holistic approach to ensuring the Confidentiality, Integrity and Availability of data. By combining best-of-breed technology with security expertise, education and managed security services, EnterEdge helps organizations lower costs and improve efficiencies. By simply sending a properly formatted URL via SSL, the ISAPI filter will crash IIS shutting down the service entirely. We are currently testing this vulnerability in XPU 20.16 and 20.18 for remote code execution or code redirection. We contacted ISS on or about August 14th concerning this issue. ISS has since released XPU 20.19 which addresses this specific issue. Credit: EnterEdge Technology, LLC Copyright (c) 1998-2003 EnterEdge Technology Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of EnterEdge Technology. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail research@enteredge.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Feedback Please send suggestions, updates, and comments to: research@enteredge.com EnterEdge Technology http://www.enteredge.com Copyright \xa9 2001 EnterEdge Technology, LLC 5500 Interstate N. Pkwy Suite 440 Atlanta, GA 30328 Phone: 770.955.9899 Fax 770.955.9896

Cisco CSS 11000 routers on the CS800 chassis allow remote attackers to cause a denial of service (CPU consumption or reboot) via a large number of TCP SYN packets to the circuit IP address, aka "ONDM Ping failure.". The Cisco CSS 11000 router with the CS800 chassis is vulnerable

The Cisco 7900 Series is a family of IP telephony support devices. The Cisco 7900 Series handles fake ARP messages incorrectly. A remote attacker can exploit this vulnerability to perform a denial of service attack on a device, or to intercept packets such as \"intermediaries\". No detailed vulnerability details are currently available. Other attacks including man in the middle style attacks, for example packet injection and data interception have also been reported possible

The Cisco 11000 CSS is a content services switch. Using a large number of TCP SYN packets directly sent to the CSS switch's circuit address can cause CSS internal message communication to be interrupted, resulting in a denial of service due to excessive CPU utilization. In the CS800 chassis, the system control module (SCM) sends an ONDM (online diagnostics monitor) message to each SFP card. In order to check whether the interface is active, if the SCM does not get a response within 30 seconds, the SCM will not re-create any CORE information. Start the CS800. By sending a large number of SYN packets to the circuit IP interface of the CSS switch, the communication is sent to the SCM through the internal MADLAN Ethernet interface. If the internal interface is overloaded, the ONDM ping request and response are discarded, and there is no internal communication. Denial of service. It has been reported that under certain circumstances, it may be possible for remote attackers to force the System Controller Module (SCM) on Cisco Content Service Switches to reboot. A component on the device known as the Online Diagnostics Monitor (ONDM) periodically sends out ping packets to other components to verify functionality. It may be possible to prevent delivery of these ping packets, causing the router to believe the component is not functional and cause the SCM to reboot the device

The D-Link 704p is a 4-port DSL/CABLE router. The D-Link 704p management interface incorrectly handles long requests submitted by users. A remote attacker can exploit this vulnerability to perform a denial of service attack on the router. The D-Link 704p can be configured for remote management. The attacker can connect to the WEB service of the management interface and submit a long URL request, which can cause the router to stop responding and need to be restarted to obtain normal services. The issue presents itself when a request of excessive length is sent to the router. This causes the device to behave in an unstable manner. Malicious requests may result in a complete denial of service condition requiring a device reboot, or the loss of the ability to log in to the administration interface. Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected

The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) in Symantec Norton AntiVirus 2002 allows local users to gain privileges by overwriting memory locations via certain control codes (aka "Device Driver Attack"). According to the report, one of the device control operation handlers attempts to write data to an address offset from a pointer parameter passed to DeviceIoControl(). There is no validation on the parameter supplied or the address written to. This vulnerability can be exploited by unprivileged userland programs to crash the affected host or potentially elevate privileges. Norton Antivirus is a popular anti-virus system

It has been reported that under some circumstances, a Cisco appliance running IOS may answer malicious malformed UDP echo packets with replies that contain partial contents from the affected router's memory.

Buffer overflow in the HTTP server for Cisco IOS 12.2 and earlier allows remote attackers to execute arbitrary code via an extremely long (2GB) HTTP GET request. IOS is prone to a remote security vulnerability. Cisco IOS is a very widely deployed network operating system. Many Cisco devices run IOS. The HTTP service program of the Cisco IOS device does not properly handle large data requests. Remote attackers can use this vulnerability to perform buffer overflow attacks on the service, and may run arbitrary commands on the device with system privileges

The HTTP server on Cisco IOS devices is prone to a buffer overrun that can be triggered by sending 2GB of data. This may be exploited to execute arbitrary code on a vulnerable device.

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. A function originally derived from 4.4BSD, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discoved to affect various BSD implementations as well. WU-FTPD is implemented in fb_realpath() In the function, the size of the buffer for handling the path is MAXPATHLEN However, the length of the path actually delivered is longer than that. (MAXPATHLEN+1) , one shift (off-by-one) A buffer overflow vulnerability exists.root Arbitrary commands may be executed with sufficient privileges. The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has lead to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack- buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable. Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions. NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'. The realpath(3) function is used to determine the absolute path name of the rule in the given path name. The realpath(3) function is part of the FreeBSD standard C language library file. If the parsed pathname is 1024 bytes long and contains two directory separators, the buffer passed to the realpath(3) function can be overwritten with a single NUL byte. Applications that typically use the realpath(3) function can cause denial of service, or execute arbitrary code and privilege escalation attacks. sftp-server(8) is part of OpenSSH, and realpath(3) is used to process the chdir command. 1 cdparanoia-3.9. Synopsis: wu-ftpd fb_realpath() off-by-one bug Product: wu-ftpd Version: 2.5.0 <= 2.6.2 Vendor: http://www.wuftpd.org/ URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466 Author: Wojciech Purczynski <cliph@isec.pl> Janusz Niewiadomski <funkysh@isec.pl> Date: July 31, 2003 Issue: ====== Wu-ftpd FTP server contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system. Details: ======== An off-by-one bug exists in fb_realpath() function. The overflowed buffer lies on the stack. The bug results from misuse of rootd variable in the calculation of length of a concatenated string: ------8<------cut-here------8<------ /* * Join the two strings together, ensuring that the right thing * happens if the last component is empty, or the dirname is root. */ if (resolved[0] == '/' && resolved[1] == '\0') rootd = 1; else rootd = 0; if (*wbuf) { if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) { errno = ENAMETOOLONG; goto err1; } if (rootd == 0) (void) strcat(resolved, "/"); (void) strcat(resolved, wbuf); } ------8<------cut-here------8<------ Since the path is constructed from current working directory and a file name specified as an parameter to various FTP commands attacker needs to create deep directory structure. This may occur for example if wu-ftpd is compiled with some versions of Linux kernel where PATH_MAX (and MAXPATHLEN accordingly) is defined to be exactly 4095 characters. In such cases, the buffer is padded with an extra byte because of variable alignment which is a result of code optimization. Linux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be 4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x kernels are affected. We believe that exploitation of other little-endian systems is also possible. Impact: ======= Authenticated local user or anonymous FTP user with write-access could execute arbitrary code with root privileges. Vendor Status: ============== June 1, 2003 security@wu-ftpd.org has been notified June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org June 11, 2003 Response received from Kent Landfield July 3, 2003 Request for status update sent July 19, 2003 vendor-sec list notified July 31, 2003 Coordinated public disclosure The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0466 to this issue. -- Janusz Niewiadomski iSEC Security Research http://isec.pl/

The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. The Cisco Aironet AP1X00 series is a wireless access point issued by Cisco that provides wireless access solutions based on the 802.11b WIFI standard.  The web interface of the Cisco Aironet AP1X00 does not properly handle HTTP GET requests. A remote attacker could use this vulnerability to conduct a denial of service attack on the device. This attack does not require any authentication. After the attack is successful, the device needs to be restarted or it cannot service normal communications.  All VxWorks software-based Cisco Aironet Access Point 1200s are not affected by this vulnerability. These software versions include 11.56, 12.01T1, 12.02T1, and 12.03T. Such a request will cause the device to reload. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: HTTP GET Vulnerability in AP1x00 Revision 1.0 For Public Release 2003 July 28 16:00 UTC (GMT) ---------------------------------------------------------------------- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures ---------------------------------------------------------------------- Summary A vulnerability has been reported by an external researcher in Cisco IOS(R) release for Cisco Aironet AP1x00 Series Wireless devices. This vulnerability can cause the AP1x00 to reload and is documented as Cisco bug ID CSCeb49869 (registered customers only) (also CAN-2003-0511). There are workarounds available to mitigate the effects of this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml. The external report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm leavingcisco.com. Although it mentions two issues only one is addressed by this advisory. The other issue, Cisco bug ID CSCdz29724 (registered customers only) (also CAN-2003-512), is present in all IOS software and is duplicated by the AP1x00 specific Cisco bug ID CSCeb49842 (registered customers only) . More details about it can be found at http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml. In order to determine your software release you should log on the Access Point using any account available and execute the following command: access-point> show ver Cisco Internetwork Operating System Software IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) ^^^^^^^^^ TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. The Cisco IOS software version is displayed in the second line of the output. In this example it is 12.2(8)JA. Impact Repeated exploitation of this vulnerability can lead to a prolonged Denial-of-Service (DoS) of the AP1x00. Obtaining Fixed Software Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at the Cisco Connection Online Software Center at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Customers with service contracts should contact their regular update channels to obtain the free software upgrade identified via this advisory. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the software download URL, you must be a registered user and you must be logged in. Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge. Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Workarounds There are two workarounds for this vulnerability. The example of using access-class is given here: ap(config)# ip http access-class 10 ap(config)# access-list 10 permit host 10.0.0.1 In this example, host 10.0.0.1 is the only one that is allowed to access the AP. All other hosts are prohibited. To disable HTTP and enable SSH use this example: ap(config)# no ip http server ap(config)# ip domain name <your-domain> ap(config)# crypto key generate rsa The name for the keys will be: ap.your-domain Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys ...[OK] ap(config)# line vty 0 4 ap(config-line)# transport input ssh Now you can connect to the Cisco Aironet AP using SSH client from your computer. In addition to the workarounds it is possible to mitigate the exposure by configuring ACLs on the device so that only legitimate hosts can use the http service. This can be done in the following way: access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www In this example the host 10.0.0.1 is the only one that is allowed to access the device at 10.0.0.50. You will have to change host IP addresses and the ACL number to suit your configuration. This ACL will have to be applied to all interfaces and block all IP addresses assigned to the affected device. Exploitation and Public Announcements This vulnerability is reported by Reda Zitouni from Vigilante. Their report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm leavingcisco.com. Status of This Notice: FINAL This is a final advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco will update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution This notice will be posted on Cisco's worldwide website at . In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * bugtraq@securityfocus.com * full-disclosure@lists.netsys.com * first-teams@first.org (includes CERT/CC) * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * comp.dcom.sys.cisco * Various internal Cisco mailing lists Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History +------------------------------------------+ |Revision|2003-July-28 16:00 UTC |Initial | |1.0 |(GMT) |public | | | |release.| +------------------------------------------+ Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. ---------------------------------------------------------------------- This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information. ---------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT iD4DBQE/JUmbezGozzK2tZARArXRAKCIRsac6s3i7oRAEf4/2khQBKdEcgCXTsum aQeEFDQLBhqS5wu0CarFkg== =ehoq -----END PGP SIGNATURE----- . Firmware version 12.2(4)JA and earlier. The Arionet Bridge is vulnerable to a denial of service.This can be exploited remotely by an attacker. No user login or password is necessary. This can be accomplished by submitting a specially crafted request to the web server. There is no need to authenticate to perform this attack, only access to the web server is required. The Aironet bridge reboots upon receiving the request and failing to handle correctly this one. Afterwards, no further access to the WLAN or its services is possible. Vendor status: ************** Cisco was contacted June 19, 2003 and answered the same day. 5 days later, they told us that they would release a patch soon. The patch was finally released July 3, 2003. Vulnerability Assessment: A test case to detect this vulnerability was added to SecureScan NX in the upgrade package of July 28, 2003. You can see the documentation of this test case 17655 on SecureScan NX web site at http://securescannx.vigilante.com/tc/17655 . Please note that this version fixes some other bugs as TC 15438 (refer to release note). If not needed - disable access to the web feature on the Aironet Bridge. 2. If needed - restrict access to the HTTP service for outside connections. CVE: Common Vulnerabilities and Exposures group ( reachable at http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this vulnerability. Links: ***** Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570 CVE: CAN-2003-0511 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0511 Credit: ****** This vulnerability was discovered by Reda Zitouni, member of our Security Watch Team at VIGILANTe. We wish to thank Cisco PSIRT Team for their fast answer to fix this problem. Copyright VIGILANTe.com, Inc. 2003-07-28 Disclaimer: ********** The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. Feedback: ******** Please send suggestions, updates, and comments to securitywatch@vigilante.com

Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge. A vulnerability in the Cisco Aironet 1100 Series Access Point may allow a remote attacker to discover valid accounts on the access point. Cisco IOS Specific versions of telnet There is a vulnerability that the response of the authentication result varies depending on the user name when password authentication is performed via.Depending on the response, it may be possible to infer whether the user exists. An information leak has been reported in Cisco Aironet Access Points when the telnet service has been enabled. This may allow a remote attacker to gain potentially sensitive information. If it is illegal, it will prompt the \"\\% Login invalid\" message. VIGILANTe Security Watch Advisory Name: Cisco Aironet AP1100 Valid Account Disclosure Vulnerability Systems Affected: Tested on a Cisco Aironet AP1100 Model 1120B Series Wireless device. Firmware version 12.2(4)JA and earlier. NB : A large number of Cisco IOSes are affected by this flaw. Severity: High Risk Vendor URL: http://www.vigilante.com Authors: Reda Zitouni (reda.zitouni@vigilante.com) Date: 28th July 2003 Advisory Code: VIGILANTE-2003002 Description *********** Cisco Aironet 1100 Series Access Point is a device manufactured by Cisco Systems offering a WLAN solution based on the 802.11b Wifi standard. The Aironet Bridge is vulnerable to a Brute Force attack revealing if an account exists or not. If an attacker submits an existing account as login he will be then prompted for the password. If not the case a ""% Login invalid" reply will be displayed by the server, revealing the account is not existing. By default on the Aironet AP1100, the 'cisco' account is set and is prompted for a password when submitted. That default account then allows an attacker to determine if this flaw on the remote device is patched or not. This may lead to further serious attacks. Vendor status: ************** Cisco was contacted June 19, 2003 and answered the same day. 5 days later, they told us that they would release a patch soon. The patch was finally released July 3, 2003. Please note that this flaw is released by Cisco as a Security Notice in CCO. Vulnerability Assessment: ************************ A test case to detect this vulnerability was added to SecureScan NX in the upgrade package of July 28, 2003. You can see the documentation of this test case 15438 on SecureScan NX web site at http://securescannx.vigilante.com/tc/15438. Fix: A firmware upgrading the Aironet IOS version to c1100-k9w7 has been released by Cisco. Please note that this version fixes some other bugs as TC 17655 (refer to release note). A stronger authentication mechanism, such as SSH can also be implemented. CVE: Common Vulnerabilities and Exposures group ( reachable at http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0512 to this vulnerability. Links: ***** Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570 CVE: CAN-2003-0512 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0512 Credit: ****** This vulnerability was discovered by Reda Zitouni, member of our Security Watch Team at VIGILANTe. We wish to thank Cisco PSIRT Team for their fast answer to fix this problem. Copyright VIGILANTe.com, Inc. 2003-07-28 Disclaimer: ********** The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. Feedback: ******** Please send suggestions, updates, and comments to securitywatch@vigilante.com

Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421. A remote attacker can use the MS-DOS device name (such as AUX) followed by the .. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

The installation of Apple QuickTime / Darwin Streaming Server before 4.1.3f starts the administration server with a "Setup Assistant" page that allows remote attackers to set the administrator password and gain privileges before the real administrator. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. Summary Several vulnerabilities have been found in the Apple QuickTime/Darwin Streaming Server, including denial of service, web root traversal, and script source disclosure. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

The 3Com 812 OfficeConnect is a widely used DSL router. 3Com 812 OfficeConnect lacks proper handling of long requests submitted by users to the management interface. Remote attackers can exploit this vulnerability to denial the device. The DSL router does not have any authentication for the user to perform management interface access. Any LAN user submits a request of more than 512 bytes to the WEB management interface, which may cause the router to crash and need to be restarted to obtain normal services. A problem in the 3Com 812 OfficeConnect has been reported that may result in the router becoming unstable. Because of this, an attacker may be able to deny service to legitimate users of the vulnerable router by submitting an excessively long request

Workgroup Manager in Apple Mac OS X Server 10.2 through 10.2.6 does not disable a password for a new account before it is saved for the first time, which allows remote attackers to gain unauthorized access via the new account before it is saved. It has been reported the OS X Server Workgroup Manager may create accounts in an insecure manner. This vulnerability may allow an attacker to gain unauthorized access or elevated privileges to an affected system via the newly created account. Mac OS X is an operating system used on Mac machines, based on the BSD system. However, no detailed vulnerability details have been provided so far

parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to obtain the source code for parseable files via the filename parameter. Apple QuickTime/Darwin Streaming Server is prone to a source disclosure issue. The issue exists in the parse_xml.cgi administrative script. This could permit an attacker to gain access to sensitive information contained within script source code. This issue is reported to affect versions up to and including 4.1.3g. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example: ==> GET /AUX HTTP/1.0 Denial of Service by Request for ../ DOS Device Name CVE ID: CAN-2003-0502 Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only) Fixed: In version 4.1.3g (Win32) This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in: ==> GET /../AUX HTTP/1.0 Denial of Service by HTTP Request for /view_broadcast.cgi Script CVE ID: CAN-2003-0422 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via a request to view_broadcast.cgi that does not contain the required parameters. When an HTTP request is made to the view_broadcast.cgi script without specifying any parameters, the server will not accept new connections. This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. Vulnerabilities exist in Apple QuickTime / Darwin Streaming versions prior to 4.1.3f. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0015 Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Published: July 22, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0015.html CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502 1. Affected system(s): KNOWN VULNERABLE: o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X o QuickTime/Darwin Streaming Server v4.1.3 for Win32 o QuickTime/Darwin Streaming Server v4.1.3 for Linux UNKNOWN/NOT TESTED: o other platforms (Solaris) 2. 3. Vendor status and information Apple http://www.apple.com/ The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation. 4. Solution Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from: http://developer.apple.com/darwin/projects/streaming/ Please see the next section for detailed fix information. 5. Detailed analysis There are several vulnerabilities. Denial of Service by HTTP Request for DOS Device Name CVE ID: CAN-2003-0421 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Requesting a DOS device name (e.g. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. Example: ==> GET /view_broadcast.cgi HTTP/1.0 <== HTTP/1.0 200 OK <== Content-Type: video/quicktime <== <== rtsp:// ^^ server drops connection Source Disclosure via HTTP Request for /parse_xml.cgi Script CVE ID: CAN-2003-0423 Affects: Darwin Streaming Server v4.1.3g and earlier Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further. The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view. This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected. Script Source Disclosure by Appending Special Characters CVE ID: CAN-2003-0424 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script. Web Root Traversal and Arbitrary File Disclosure (Win32) CVE ID: CAN-2003-0425 Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only) Fixed: In version 4.1.3f (Win32) Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file. Default Install Allows Remote User to Set Admin Password CVE ID: CAN-2003-0426 Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only) Fixed: In version 4.1.3f (Mac OS X) When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8 793Plejp5hw/r1OkojX2CQaB =OD0m -----END PGP SIGNATURE-----