Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability

Bugtraq ID:	9735
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2004-0169 CVE-2004-0169
Remote:	Yes
Local:	No
Published:	Feb 24 2004 12:00AM
Updated:	Mar 19 2015 08:17AM
Credit:	The disclosure of this issue has been credited to iDEFENSE.
Vulnerable:	Apple Quicktime Streaming Server 4.1.3 + Apple Mac OS X 10.3.2 + Apple Mac OS X 10.2.8 + Apple Mac OS X Server 10.3.2 + Apple Mac OS X Server 10.3.1 + Apple Mac OS X Server 10.3.1 + Apple Mac OS X Server 10.3 + Apple Mac OS X Server 10.3 + Apple Mac OS X Server 10.2.8 + Apple Mac OS X Server 10.2.8 Apple Darwin Streaming Server 4.1.3 + Apple Mac OS X 10.3.2 + Apple Mac OS X 10.2.8 + Apple Mac OS X Server 10.3.2 + Apple Mac OS X Server 10.3.1 + Apple Mac OS X Server 10.3.1 + Apple Mac OS X Server 10.3 + Apple Mac OS X Server 10.3 + Apple Mac OS X Server 10.2.8 + Apple Mac OS X Server 10.2.8
Not Vulnerable:

Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability

It has been reported that QuickTime/Darwin Streaming Server may be prone to a remote denial of service vulnerability that could allow an attacker to cause the server to crash or hang. The issue presents itself when the software attempts to parse DESCRIBE requests with specially crafted User-Agent fields.

QuickTime/Darwin Streaming Server version 4.1.3 is reported to be prone to this issue.

This issue was originally described in Apple Security Update 2004-02-23 Released To Fix Multiple Vulnerabilities (BID 9731).

Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability

The researches credited with discovering this issue have developed code to exploit this issue. The exploit code has not been released to the public at the moment.

Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability

Solution:
This issue has been addressed by the vendor in Apple Security update APPLE-SA-2004-02-23. QuickTime Streaming Server updates for platforms other than Mac OS X Server can be obtained from the following location:

http://developer.apple.com/darwin/projects/streaming/


Apple Quicktime Streaming Server 4.1.3

• Apple QuickTime/Darwin SecUpdSrvr2004-02-23Jag.dmg
  For Mac OS X 10.2.8 Server.
  http://www.info.apple.com/kbnum/n120322


• Apple QuickTime/Darwin SecUpdSrvr2004-02-23Pan.dmg
  For Mac OS X 10.3.2 Server.
  http://www.info.apple.com/kbnum/n120324

Apple Darwin Streaming Server 4.1.3

• Apple QuickTime/Darwin SecUpdSrvr2004-02-23Jag.dmg
  For Mac OS X 10.2.8 Server.
  http://www.info.apple.com/kbnum/n120322


• Apple QuickTime/Darwin SecUpdSrvr2004-02-23Pan.dmg
  For Mac OS X 10.3.2 Server.
  http://www.info.apple.com/kbnum/n120324

Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability

References:

• iDEFENSE Security Advisory 02.23.04: Darwin Streaming Server Remote Denial ("iDefense Labs" )