Back to Advisories

Advisories

Rapid7 Advisory R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server

CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424, CAN-2003-0425, CAN-2003-0426, CAN-2003-0502

Summary

July 22, 2003 - Several vulnerabilities have been found in the Apple QuickTime/Darwin Streaming Server, including denial of service, web root traversal, and script source disclosure.

Affected system(s):

KNOWN VULNERABLE:

  • QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
  • QuickTime/Darwin Streaming Server v4.1.3 for Win32
  • QuickTime/Darwin Streaming Server v4.1.3 for Linux

UNKNOWN/NOT TESTED:

  • other platforms (Solaris)

Vendor Info

Apple
http://www.apple.com/

The vendor has been notified and has released fixes for all but one of the issues, which is currently under investigation.

Detailed Analysis

There are several vulnerabilities.

Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

Requesting a DOS device name (e.g. AUX) over HTTP (port 1220) will cause a denial of service on the server. An initial HTTP 404 response will be returned for the device request, but future requests will not be serviced. For example:

==> GET /AUX HTTP/1.0

Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)

This is a variant of CAN-2003-0421. A fix for CAN-2003-0421 was included in Streaming Server version, 4.1.3f, but further testing revealed that it was vulnerable to a variant where the device name was prefixed by dotdot slash (../), as in:

==> GET /../AUX HTTP/1.0

Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

Requesting the /view_broadcast.cgi script over HTTP (port 1220) will cause a denial of service on the server if the required request parameters are not sent. The connection will be closed midway through servicing the request and no new connections will be allowed to the server.

Example:

==> GET /view_broadcast.cgi HTTP/1.0

<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection

Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of this issue and they are investigating it further.

The source code of any file within the web root can be obtained by issuing a request for /parse_xml.cgi?filename=[file], where [file] is the file whose source code you wish to view.

This is only a serious risk if the administrator has installed custom scripts on Darwin Streaming Server that need to be protected.

Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

The source code of any script can be obtained by appending the special characters %2e (period) or %20 (space) to an HTTP request for that script. For example, requesting /view_broadcast.cgi%2e will reveal the source code for that script.

Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)

Any file on the system can be retrieved by using three dots to break out of the web root. For example, requesting /.../qtusers will return the QuickTime user/password file.

Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)

When Darwin Streaming Server is first installed, the HTTP-based administration server (typically port 1220) presents a "Setup Assistant" page where the user is prompted to set a new administrator password. This would allow any remote user to connect and set up an administrator password before the server administrator has had a chance to do so.

Solution

Upgrade to version 4.1.3g or later of Darwin Streaming Server, which may be obtained as a free download from:

http://developer.apple.com/darwin/projects/streaming/

Please see the next section for detailed fix information.

Disclaimer & Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2003 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.