CVE-2007-2175

Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability

Severity Score

7.6

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007.

Las extensiones de Apple QuickTime Java (en la biblioteca QTJava .dll), como es usado en Safari y otros navegadores, y cuando Java está habilitado, permiten que los atacantes remotos ejecuten código arbitrario por medio de parámetros hacia el método toQTPointer en quicktime.util.QTHandleRef, que puede ser usado para modificar memoria arbitraria al crear objetos QTPointerRef, como se demostró durante el concurso "PWN 2 0WN" en CanSecWest 2007

This vulnerability allows attackers to execute arbitrary code on systems with vulnerable installations of Apple's QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The flaw exists within the QuickTime Java extensions (QTJava.dll), specifically the routine toQTPointer() exposed through quicktime.util.QTHandleRef. A lack of sanity checking on the parameters passed to this routine, through the Java Virtual Machine (JVM), allows an attacker to write arbitrary values to memory. This can be leveraged to execute arbitrary code under the context of the current user. Example code execution vectors include Microsoft Internet Explorer, Mozilla Firefox and Apple Safari. This vulnerability affects the latest versions of both the MacOS and Windows operating systems, including MacOS 10.4.9 and Windows Vista.

*Credits: Dino A. Dai Zovi

CVSS Scores

NISTv2 7.6

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2007-04-23 First Exploit
2007-04-24 CVE Reserved
2007-04-24 CVE Published
2024-02-26 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (16)

URL	Tag	Source
http://cansecwest.com/post/2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow	X_refsource_misc
http://docs.info.apple.com/article.html?artnum=305446	X_refsource_confirm
http://www.kb.cert.org/vuls/id/420668	Third Party Advisory
http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won	X_refsource_misc
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code	X_refsource_misc
http://www.osvdb.org/34178	Vdb Entry
http://www.securityfocus.com/archive/1/467319/100/0/threaded	Mailing List
http://www.securitytracker.com/id?1017950	Vdb Entry
http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner	X_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-07-023.html	X_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/33827	Vdb Entry
-

URL	Date	SRC
https://www.exploit-db.com/exploits/29884	2007-04-23
https://www.exploit-db.com/exploits/9943	2007-04-23
https://www.exploit-db.com/exploits/16295	2010-09-20

URL	Date	SRC

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2007/May/msg00001.html	2018-10-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apple Search vendor "Apple"		Safari Search vendor "Apple" for product "Safari"				*		-		Affected