25th Feb 2003 [SBWID-6025]
COMMAND
	QuickTime/Darwin Streaming Administration Server Multiple
	vulnerabilities
SYSTEMS AFFECTED
	Application: Darwin Streaming Server 4.1.2
	             QuickTime Streaming Server 4.1.1
PROBLEM
	
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA1
	                               @stake, Inc.
	                             www.atstake.com
	                            Security Advisory
	Advisory Name: QuickTime/Darwin Streaming Administration
	               Server Multiple vulnerabilities
	 Release Date: 03-24-2003
	  Application: Darwin Streaming Server 4.1.2
	               QuickTime Streaming Server 4.1.1
	     Platform: MacOS X, Linux, Solaris, Windows
	     Severity: Remote Command Execution / Privilege Escalation
	               Arbitrary Directory Listings / Cross Site
	               Scripting x2
	               Physical Path Revelation / Buffer Overflow
	      Authors: Dave G. <[email protected]>
	               Ollie Whitehouse <[email protected]>
	Vendor Status: Vendor has software update
	CVE Candidate: CAN-2003-0050,51,52,53,54,55
	    Reference: www.atstake.com/research/advisories/2003/a032403-1.txt
	Overview:
	
	Apple Darwin and QuickTime  Streaming  Administration  Servers  are  web
	based services that  allow  administrators  to  manage  the  Darwin  and
	QuickTime Streaming Servers. By default, these servers run  as  root  on
	port 1220/tcp.
	There is a pre-authentication remote command execution condition within
	this service. Any attacker with a web browser and access to the service
	can execute commands on the underlying operating system. Certain
	versions of the Darwin Streaming Administration Server restrict this
	attack, allowing an attacker to execute a command, but without
	additional command line arguments.
	Additionally, a number of other vulnerabilities can be used to:
	 
	a) Reveal the physical path
	b) Retrieve arbitrary directory listings outside of the web root
	c) Initiate cross-site scripting attacks
	d) Local privilege escalation through a buffer overflow
	
	Details:
	 
	1) Arbitrary Command Execution
	
	The Darwin Streaming Administration Server relies on  the  parse_xml.cgi
	application to authenticate and interface with the  user.  This  CGI  is
	written in PERL and passes unvalidated input  to  the  open()  function.
	The open() function will execute commands when the pipe  '|'  characters
	are inserted into the input.
	The call in question takes input from a parameter passed  in  through  a
	GET request to the CGI. The QuickTime Streaming Server is vulnerable  to
	this attack. Newer versions of the Darwin Administration Server added  a
	check  to  determine  the  existence  of  the  template  file  (the   -e
	function). While this check does provide protection,  there  is  a  well
	known technique to partially bypass(*) it. By inserting  a  NULL  (0x00)
	between the last character of the command and the pipe, an attacker  can
	pass the file existence check, and execute a command. This request  will
	pass the file existence check. However, attackers cannot add  additional
	command line parameters. While  this  does  limit  the  ability  of  the
	attacker to take  full  control  of  the  operating  system,  there  are
	several situations where this vulnerability still presents a risk:
	 
	a) If an attacker can create an arbitrary file and knows its location.
	b) If an attacker has a non-root account on the system, this
	  vulnerability can be used to obtain root privileges.
	c) If an attacker can find an application on the system that can
	  reduce the security or availability of the system without
	  requiring additional command line arguments.
	
	(*) "PERL CGI problems", Phrack 55, Article 7, rain.forest.puppy
	 
	2) Physical Path Revelation
	
	In addition it is possible to cause the same CGI application to reveal
	the physical path within which the Darwin/QuickTime admin servers are
	installed by passing a NULL as the filename parameter.
	 
	3) Arbitrary Directory Listings
	
	parse_xml.cgi is also susceptible to arbitrary directory listings due
	to the lack of user input validation within the application. It is
	possible for an attacker to use the open() function to open the inode
	of a directory as a file under UNIX operating systems and retrieve a
	directory listing. Note that to see the returned output correctly in a
	web browser it may be necessary to view the source of the page.
	 
	4) Cross Site Scripting
	
	There is a minor security vulnerability in the way that parse_xml.cgi
	generates error messages when a filename which does not exist is passed
	as the 'filename' parameter: the supplied name is echoed back
	unescaped, which potentially exposes administrators to a cross site
	scripting attack.
	Combined with the fact that the 'qtpassword' cookie is simply the
	administrative username and password Base64 encoded, this provides an
	easy method of gaining valid credentials to the site in question.
	 
	5) Cross Site Scripting - Round 2
	
	There exists another cross site scripting issue which is more likely  to
	be  exploited  due  to  the  manner  by   which   it   occurs.   If   an
	unauthenticated user makes a request  to  port  7070,  they  can  supply
	scripting code as part of the argument to the rtsp DESCRIBE method.
	This request is then written to the log file. When the logs  are  viewed
	within the administrative  interface,  the  code  will  execute  in  the
	administrator's browser session.
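	Both cross site scripting issues (#4 and #5) come down to untrusted text
	reaching the administrator's browser unescaped: the 'filename' parameter
	echoed in an error message, and RTSP request lines that were logged
	verbatim and later rendered by the admin interface. The following Perl
	is an added example, not code from the @stake advisory or from Apple's
	parse_xml.cgi; the tab-separated log layout and the function names are
	assumptions made for illustration. It shows the defensive pattern:
	escape at the point of output, so scripting code supplied in a DESCRIBE
	request is displayed as inert text.

```perl
#!/usr/bin/perl
# Added example (not the real QTSS admin code): escape untrusted data
# before it is written into HTML shown to the administrator.
use strict;
use warnings;

# Minimal HTML escaper covering the characters that break out of element
# content and attribute values. HTML::Entities::encode_entities does the
# same job if the module is available; this keeps the example dependency-free.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Issue 4: the error message echoes the 'filename' parameter. Escaping it
# turns any markup in the parameter into visible text.
sub missing_file_message {
    my ($filename) = @_;
    return "Can't access HTML file '" . html_escape($filename) . "'!";
}

# Issue 5: the access log stores request lines exactly as received, which
# is correct for a log. The fix belongs at render time: every field is
# escaped when the log is turned into a table for the admin UI.
sub render_log_rows {
    my (@lines) = @_;
    my $html = "<table>\n";
    for my $line (@lines) {
        # Assumed tab-separated layout: client, method, url, status.
        my ($client, $method, $url, $status) = split /\t/, $line, 4;
        $html .= '<tr>'
               . join('', map { '<td>' . html_escape($_) . '</td>' }
                          $client, $method, $url, $status)
               . "</tr>\n";
    }
    return $html . "</table>\n";
}

# Constructed sample log lines (not captured server output). The second
# line carries script in the DESCRIBE URL, as the advisory describes.
my @log = (
    "10.0.0.5\tDESCRIBE\trtsp://media.example/sample.mov\t200",
    "10.0.0.9\tDESCRIBE\trtsp://media.example/<script>alert(1)</script>\t404",
);
print render_log_rows(@log);
print missing_file_message("x<img src=x onerror=alert(1)>"), "\n";
```

	Run as-is, the script prints a table in which the second row's URL cell
	contains `&lt;script&gt;alert(1)&lt;/script&gt;` rather than a script
	element, and an error message in which the injected tag is likewise
	escaped. Escaping on output, rather than filtering what gets logged, is
	the design choice here: the log keeps an exact record of the request,
	and the rendering layer is the only place that needs to be correct.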
	 
	6) Buffer Overflow in MP3 Broadcasting Module
	
	There is a buffer overflow in  the  MP3  broadcasting  module  contained
	within the streaming server. If you have an MP3 file which has  filename
	of over 256 bytes then a buffer overflow will occur.
	Because the streaming server runs as root by default (on Unix), this
	can potentially be used by local/ftp users to escalate privileges.
	Update (01 March 2003)
	======================
	Joe Testa, Rapid 7, Inc, says :
	I've found two other issues in QuickTime Streaming  Server  v4.1.1  that
	seem to be fixed in the newest v4.1.3:
	1.)  File probing:
	
	  Request:   http://localhost:1220/parse_xml.cgi?filename=../nonexistent
	  Response:  'Can't access HTML file '../nonexistent'!' [...]
	  Request:   http://localhost:1220/parse_xml.cgi?filename=../../../autoexec.bat
	  Response:  'Can't open HTML file '../../../autoexec.bat'!' [...]
	
	As you can see, this discrepancy in the error message allows an
	unauthenticated user to "feel-out" the file system  and  determine  what
	structures and files exist.
	2.)  File retrieval:
	
	  Request:   http://localhost:1220/parse_xml.cgi?filename=.../qtusers
	  Response:  "realm Streaming Server admin:$dufr$D9/.....$C4g2VaRK" [...]
	
	This works against  the  Win32  platform,  and  not  against  the  Linux
	platform; this was not tested against Solaris or MacOS X.
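	Issues #1 to #3 and the file-probing behaviour reported in the update
	above all stem from one place: a user-supplied 'filename' parameter
	handed to Perl's two-argument open() after, at most, an -e existence
	check. The following Perl is an added example written to illustrate the
	hardened form of that handler; it is not Apple's parse_xml.cgi and not
	code from the @stake advisory, and the web root path, template naming
	rule and function names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not the real parse_xml.cgi): hardened template loading.
use strict;
use warnings;
use File::Spec;

# Web root of the admin templates. Constructed for this example; not the
# install path of the real Darwin/QuickTime admin server.
my $html_root = '/var/streaming/AdminHtml';

# The shape the advisory describes, kept only as a comment for contrast:
#   if (-e "$html_root/$filename") { open(FH, "$html_root/$filename") }
# Two-argument open() treats a name ending in '|' as a command whose output
# is to be read, and -e hands the string to the C library, which stops at
# the first NUL byte; that is why a NUL placed before the pipe passed -e.

# Pure name check: accept only a bare template name. This single rule
# rejects '|', NUL, '/', '..' and every other shell metacharacter.
sub valid_template_name {
    my ($filename) = @_;
    return 0 unless defined $filename;
    return $filename =~ /\A[A-Za-z0-9_-]+\.html\z/ ? 1 : 0;
}

# Filesystem check: the name must resolve to a regular file under the root.
# Testing -f rather than -e is what stops a directory being opened as a
# file, which is how the directory listings in issue 3 were obtained.
sub safe_template_path {
    my ($filename) = @_;
    return undef unless valid_template_name($filename);
    my $path = File::Spec->catfile($html_root, $filename);
    return -f $path ? $path : undef;
}

# Read a template. Every failure yields the same message, so the response
# reveals neither the install path (issue 2) nor whether a probed file
# exists (the "Can't access" / "Can't open" discrepancy in the update).
sub read_template {
    my ($filename) = @_;
    my $generic = "Can't access requested page";
    my $path = safe_template_path($filename);
    return (undef, $generic) unless defined $path;
    # Three-argument open with an explicit read mode: the name is data,
    # never a pipe specification, whatever characters it contains.
    open(my $fh, '<', $path) or return (undef, $generic);
    local $/ = undef;
    my $body = <$fh>;
    close $fh;
    return ($body, undef);
}

# Constructed inputs modelled on the advisory's findings, pushed through
# the name check so the rejections are visible when the script is run.
my @samples = (
    'login.html',             # legitimate template name
    'ls|',                    # command followed by a pipe: issue 1
    "ls\0|",                  # NUL before the pipe: the -e bypass in issue 1
    "\0",                     # NUL alone: issue 2, path revelation
    '../../../',              # a directory: issue 3, directory listing
    '../../../autoexec.bat',  # traversal: file probing from the update
);
for my $s (@samples) {
    (my $shown = $s) =~ s/\0/\\0/g;
    printf "%-28s %s\n", "'$shown'",
        valid_template_name($s) ? 'accepted' : 'rejected';
}
```

	Only the first sample passes the name check; the rest are rejected
	before any filesystem call is made. Two points in the design are worth
	keeping even if the allow-list is relaxed: the three-argument open() is
	what removes the pipe interpretation entirely, and the single generic
	error string is what removes the file-probing oracle. Current Perl
	releases refuse NUL bytes in pathnames passed to system calls, but the
	regular expression rejects them explicitly rather than relying on that.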
SOLUTION
	Vendor Response:
	Apple has an update for Mac OS X Server which addresses these issues.
	The software update is available from the following locations:
	
	  Updating from Mac OS X Server 10.2.3:
	     http://www.info.apple.com/kbnum/n70171
	  Updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2:
	     http://www.info.apple.com/kbnum/n70172
	
	Recommendation:
	You should apply the software update available from Apple.  If  this  is
	not possible it  is  recommended  that  this  service  not  be  Internet
	accessible.
	Credit:
	
	Dave G. <[email protected]> is responsible for finding issue #1:
	Arbitrary Command Execution.
	Ollie Whitehouse <[email protected]> is responsible for finding
	issues #2: Physical Path Revelation, #3: Arbitrary Directory
	Listings, #4: Cross Site Scripting, #5: Cross Site Scripting -
	Round 2, and #6: Buffer Overflow in MP3 broadcasting module.
	Common Vulnerabilities and Exposures (CVE) Information:
	The Common Vulnerabilities and Exposures (CVE) project has assigned
	the following names to these issues.  These are candidates for
	inclusion in the CVE list (http://cve.mitre.org), which standardizes
	names for security problems.
	 CAN-2003-0050 Arbitrary command execution in QuickTime Streaming
	               Server
	 CAN-2003-0051 Physical path revelation in QuickTime Streaming
	               Server
	 CAN-2003-0052 Directory listings in QuickTime Streaming Server
	 CAN-2003-0053 Login credentials in QuickTime Streaming Server
	 CAN-2003-0054 Arbitrary command execution when viewing QTSS logs
	 CAN-2003-0055 Buffer overflow in MP3 Broadcasting application
	@stake Vulnerability Reporting Policy:
	http://www.atstake.com/research/policy/
	@stake Advisory Archive: http://www.atstake.com/research/advisories/
	PGP Key:
	http://www.atstake.com/research/pgp_key.asc
	Copyright 2003 @stake, Inc. All rights reserved
	-----BEGIN PGP SIGNATURE-----
	Version: PGP 8.0 - not licensed for commercial use: www.pgp.com
	iQA/AwUBPlq77Ee9kNIfAm4yEQIPkACgtDX/wGwNMDGoSS3UTwTY2HDMDEoAoNm4
	aVOYvQqDjdVRVanxgw9vVVED
	=Kqfm
	-----END PGP SIGNATURE-----