Flaws Found in Apple Streaming Servers

Flaws in Apple's popular QuickTime, Darwin servers enable attackers to execute code on remote machines.

There are several security vulnerabilities in recent versions of Apple Computer Inc.s popular QuickTime Streaming Server and Darwin Streaming Server that give attackers the ability to execute code on remote machines.

The flaws affect version 4.1.2 of the Darwin server and 4.1.1 of the QuickTime server. Apple, based in Cupertino, Calif., has released updated versions of both servers that fix the problems.

QuickTime Streaming Server and Darwin Streaming Server are enterprise-class servers designed to deliver thousands of simultaneous streams.

Of the six vulnerabilities found by researchers at @Stake Inc., in Cambridge, Mass., the most serious is a condition in the CGI application used to authenticate and interface with users that allows an attacker to pass unvalidated input to the open() function on the streaming server. By inserting a specific character in the command, the attacker can bypass a file existence check designed to protect against such operations.

The vulnerability would not allow the attacker to add any further command-line parameters to his input. But, if the attacker has a non-root account on the machine, he could use this vulnerability to gain root privileges, the @stake advisory says.

A second vulnerability within the same CGI application enables an attacker to cause the application to disclose the physical path to the Darwin/QuickTime administration server.

Another flaw in the CGI application gives attackers the ability to use the open() function to open the inode of a directory as a file on Unix to obtain a directory listing.

There are also two minor cross-site scripting vulnerabilities. One of the flaws is related to the way that the parse_xml.cgi application generates error messages when a file that does not exist is requested. The second involves an attacker making an unauthenticated request to port 7070 and supplying scripting code as part of the request. The request is then written to the log file and the code will execute when the administrator views the logs.

The final vulnerability is a buffer overrun in the MP3 broadcast module within the streaming servers. Any MP3 file with a name longer than 256 bytes will cause the buffer overrun and can allow local or FTP users to escalate their privileges on vulnerable machines.

The update for machines running Mac OS X Server 10.2.3 is here.