===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2003.0122
     @stake Security Advisory QuickTime/Darwin Streaming Administration
                        Server Multiple vulnerabilities
                              26 February 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Darwin Streaming Server 4.1.2
                        QuickTime Streaming Server 4.1.1
Vendor:                 @stake, Inc.
Operating System:       Mac OS X
                        Linux
                        Solaris
                        Windows
Impact:                 Increased Privileges
                        Execute Arbitrary Code/Commands
                        Read-only Data Access
                        Provide Misleading Information
Access Required:        Existing Account
                        Remote
Comment:                CVE Id: CAN-2003-0050, CAN-2003-0051, CAN-2003-0052,
                        CAN-2003-0053, CAN-2003-0054, CAN-2003-0055

- --------------------------BEGIN INCLUDED TEXT--------------------

                              @stake, Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: QuickTime/Darwin Streaming Administration Server
               Multiple vulnerabilities
 Release Date: 03-24-2003
  Application: Darwin Streaming Server 4.1.2
               QuickTime Streaming Server 4.1.1
     Platform: MacOS X, Linux, Solaris, Windows
     Severity: Remote Command Execution / Privilege Escalation
               Arbitrary Directory Listings / Cross Site Scripting x2
               Physical Path Revelation / Buffer Overflow
      Authors: Dave G. <daveg@atstake.com>
               Ollie Whitehouse <ollie@atstake.com>
Vendor Status: Vendor has software update
CVE Candidate: CAN-2003-0050,51,52,53,54,55
    Reference: www.atstake.com/research/advisories/2003/a032403-1.txt

Overview:

Apple Darwin and QuickTime Streaming Administration Servers are web
based services that allow administrators to manage the Darwin and
QuickTime Streaming Servers. By default, these servers run as root on
port 1220/tcp. There is a pre-authentication remote command execution
condition within this service.

Any attacker with a web browser and access to the service can execute
commands on the underlying operating system. Certain versions of the
Darwin Streaming Administration Server restrict this attack, allowing
an attacker to execute a command, but without additional command line
arguments.

Additionally, a number of other vulnerabilities can be used to:

a) Reveal the physical path
b) Retrieve arbitrary directory listings outside of the web root
c) Initiate cross-site scripting attacks
d) Escalate local privileges through a buffer overflow

Details:

1) Arbitrary Command Execution

The Darwin Streaming Administration Server relies on the parse_xml.cgi
application to authenticate and interface with the user. This CGI is
written in Perl and passes unvalidated input to the open() function.
The open() function will execute commands when pipe ('|') characters
are inserted into the input. The call in question takes input from a
parameter passed in through a GET request to the CGI. The QuickTime
Streaming Server is vulnerable to this attack.

Newer versions of the Darwin Administration Server added a check to
determine the existence of the template file (the -e function). While
this check does provide protection, there is a well known technique to
partially bypass(*) it. By inserting a NULL (0x00) between the last
character of the command and the pipe, an attacker can pass the file
existence check and execute a command. This request will pass the file
existence check. However, attackers cannot add additional command line
parameters. While this does limit the ability of the attacker to take
full control of the operating system, there are several situations
where this vulnerability still presents a risk:

a) If an attacker can create arbitrary files and knows their location.
b) If an attacker has a non-root account on the system, this
   vulnerability can be used to obtain root privileges.
c) If an attacker can find an application on the system that can
   reduce the security or availability of the system without requiring
   additional command line arguments.

(*) "PERL CGI problems", Phrack 55, Article 7, rain.forest.puppy

2) Physical Path Revelation

In addition, it is possible to cause the same CGI application to reveal
the physical path within which the Darwin/QuickTime admin servers are
installed by passing a NULL as the filename parameter.

3) Arbitrary Directory Listings

parse_xml.cgi is also susceptible to arbitrary directory listings due
to the lack of user input validation within the application. It is
possible for an attacker to use the open() function to open the inode
of a directory as a file under UNIX operating systems to retrieve a
directory listing. It should be noted that, to view the output
correctly in a web browser, it may be necessary to view the source of
the page in order to see the output returned.

4) Cross Site Scripting

There is a minor security vulnerability in the way that parse_xml.cgi
generates error messages when a filename which does not exist is passed
as the 'filename' parameter. This potentially opens administrators to
the possibility of a cross site scripting attack. Combined with the
fact that the 'qtpassword' cookie is the administrative username and
password Base64 encoded, this provides an easy method of gaining valid
credentials to the site in question.

5) Cross Site Scripting - Round 2

There exists another cross site scripting issue which is more likely to
be exploited due to the manner by which it occurs. If an unauthenticated
user makes a request to port 7070, they can supply scripting code as
part of the argument to the RTSP DESCRIBE method. This request is then
written to the log file. When the logs are viewed within the
administrative interface, the code will execute in the administrator's
browser session.
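A defensive counterpart to issues 1 to 4, added here as an example in Python (it is not code from @stake, Apple or parse_xml.cgi; the template root, the naming rule and the sample tree are assumptions): reject NUL bytes and shell metacharacters before any file test, confine the resolved path to the template directory, refuse directories, and keep both the user's input and the install path out of error text.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Allowed template names: one path component, safe ASCII, ".html" suffix.
# The naming rule and the template root are assumptions for this example.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}\.html$")

def check_template_name(name: str) -> Optional[str]:
    """Return a rejection reason, or None if the name may be used."""
    if "\x00" in name:
        # A NUL truncates the string at the C level, so an existence test
        # and the later open() would operate on different names.
        return "NUL byte"
    if not _NAME_RE.match(name):
        # Rejects '|' (Perl pipe-open), '/', '..' and non-printable bytes.
        return "disallowed characters"
    return None

def load_template(root: str, name: str) -> bytes:
    """Read a template strictly below root; errors never echo name or path."""
    reason = check_template_name(name)
    if reason:
        raise ValueError(f"rejected template name: {reason}")
    root_real = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, path]) != root_real:
        raise ValueError("template path escapes template root")
    if not os.path.isfile(path):
        # Directories (issue 3) and missing files get the same terse error,
        # so the response leaks neither the install path nor the input.
        raise FileNotFoundError("no such template")
    with open(path, "rb") as fh:
        return fh.read()

def demo() -> Dict[str, str]:
    """Constructed sample tree: one real template plus a directory probe."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "login.html"), "wb") as fh:
        fh.write(b"<html>ok</html>")
    os.mkdir(os.path.join(root, "dir.html"))
    results = {}
    for probe in ("login.html", "login.html\x00|", "../login.html", "dir.html"):
        try:
            results[probe] = load_template(root, probe).decode()
        except (ValueError, FileNotFoundError) as exc:
            results[probe] = f"refused: {exc}"
    return results
```

Note that the NUL check runs before any filesystem call: a test such as Perl's -e that is applied after the string has already been truncated is exactly the partial protection the advisory describes.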
6) Buffer Overflow in MP3 Broadcasting Module

There is a buffer overflow in the MP3 broadcasting module contained
within the streaming server. If an MP3 file has a filename of over 256
bytes, a buffer overflow will occur. Because the streaming server runs
as root by default (on Unix), this can potentially be used by local/FTP
users to escalate privileges.

Vendor Response:

Apple has an update for Mac OS X Server which addresses these issues.
The software update is available from the following locations:

Updating from Mac OS X Server 10.2.3:
http://www.info.apple.com/kbnum/n70171

Updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2:
http://www.info.apple.com/kbnum/n70172

Recommendation:

You should apply the software update available from Apple. If this is
not possible, it is recommended that this service not be Internet
accessible.

Credit:

Dave G. <daveg@atstake.com> is responsible for finding issue #1:
Arbitrary Command Execution.

Ollie Whitehouse <ollie@atstake.com> is responsible for finding issues
#2: Physical Path Revelation, #3: Arbitrary Directory Listings, #4:
Cross Site Scripting, #5: Cross Site Scripting - Round 2, and #6:
Buffer Overflow in MP3 Broadcasting Module.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

CAN-2003-0050  Arbitrary command execution in QuickTime Streaming Server
CAN-2003-0051  Physical path revelation in QuickTime Streaming Server
CAN-2003-0052  Directory listings in QuickTime Streaming Server
CAN-2003-0053  Login credentials in QuickTime Streaming Server
CAN-2003-0054  Arbitrary command execution when viewing QTSS logs
CAN-2003-0055  Buffer overflow in MP3 Broadcasting application

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your
organisation's registration with AusCERT. The mailing list you are
subscribed to is maintained within your organisation, so if you do not
wish to continue receiving these bulletins you should contact your
local IT manager. If you do not know who that is, please send an email
to auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It
may not be updated when updates to the original are made. If
downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT
or your representative in FIRST (Forum of Incident Response and
Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.