Information Security News mailing list archives

Flaws Found in Apple Streaming Servers


From: InfoSec News <isn () c4i org>
Date: Wed, 26 Feb 2003 02:17:43 -0600 (CST)

http://www.eweek.com/article2/0,3959,903462,00.asp

By Dennis Fisher
February 25, 2003

There are several security vulnerabilities in recent versions of Apple
Computer Inc.'s popular QuickTime Streaming Server and Darwin
Streaming Server that give attackers the ability to execute code on
remote machines.

The flaws affect version 4.1.2 of the Darwin server and 4.1.1 of the
QuickTime server. Apple, based in Cupertino, Calif., has released
updated versions of both servers that fix the problems.

QuickTime Streaming Server and Darwin Streaming Server are
enterprise-class servers designed to deliver thousands of simultaneous
streams.

Of the six vulnerabilities found by researchers at @Stake Inc., in
Cambridge, Mass., the most serious is a condition in the CGI
application used to authenticate and interface with users that allows
an attacker to pass unvalidated input to the open() function on the
streaming server. By inserting a specific character in the command,
the attacker can bypass a file existence check designed to protect
against such operations.

The vulnerability would not allow the attacker to add any further
command-line parameters to his input. But, if the attacker has a
non-root account on the machine, he could use this vulnerability to
gain root privileges, the @Stake advisory says.

A second vulnerability within the same CGI application enables an
attacker to cause the application to disclose the physical path to the
Darwin/QuickTime administration server.

Another flaw in the CGI application gives attackers the ability to use
the open() function to open the inode of a directory as a file on Unix
to obtain a directory listing.

There are also two minor cross-site scripting vulnerabilities. One of
the flaws is related to the way that the parse_xml.cgi application
generates error messages when a file that does not exist is requested.
The second involves an attacker making an unauthenticated request to
port 7070 and supplying scripting code as part of the request. The
request is then written to the log file and the code will execute when
the administrator views the logs.

The final vulnerability is a buffer overrun in the MP3 broadcast
module within the streaming servers. Any MP3 file with a name longer
than 256 bytes will cause the buffer overrun and can allow local or
FTP users to escalate their privileges on vulnerable machines.
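As an added illustration, not code from Apple, @Stake or the article, the following Python routine shows the defensive file-open pattern that addresses the three file-handling weaknesses described above: it rejects names containing characters outside an allowlist rather than trusting a pre-open existence check, refuses names longer than 255 bytes (the MP3 module overran at 256), and verifies on the opened descriptor that the target is a regular file so a directory inode cannot be served as a file. The directory layout, file names and sample bytes are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Allowlist for media names: no path separators, shell or open()
# metacharacters, whitespace or NUL bytes (assumed policy for this example).
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")
MAX_NAME_BYTES = 255  # the MP3 broadcast module overran at 256 bytes


def safe_open_media(root, name):
    """Open `name` under `root` read-only; raise ValueError on any rejection.

    Checks run on the opened descriptor (fstat) instead of a separate
    exists() test, so the decision applies to the object actually opened
    and not to a string that open() might interpret differently.
    """
    if not _SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError("rejected name: disallowed characters")
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError("rejected name: too long")
    target = os.path.join(os.path.realpath(root), name)
    # Do not follow a symlink planted in the media directory.
    fd = os.open(target, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            # Directories, devices and pipes are never served as files.
            raise ValueError("rejected target: not a regular file")
        return fd
    except Exception:
        os.close(fd)
        raise


def demo():
    """Constructed sample tree (one regular file, one subdirectory)."""
    cases = [("regular", "movie.mp3"), ("directory", "clips"),
             ("metachar", "movie.mp3|"), ("traversal", "../outside.mp3"),
             ("overlong", "a" * 300 + ".mp3")]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "movie.mp3"), "wb") as f:
            f.write(b"ID3 constructed sample bytes")
        os.mkdir(os.path.join(root, "clips"))
        for label, name in cases:
            try:
                os.close(safe_open_media(root, name))
                results[label] = "opened"
            except ValueError as exc:
                results[label] = str(exc)
    return results
```

Running `demo()` opens only the regular file; the directory, the metacharacter name, the traversal attempt and the overlong name are each rejected with a distinct reason.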

The update for machines running Mac OS X Server 10.2.3 is here [1].

[1] http://docs.info.apple.com/article.html?artnum=70171



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.