Apple QuickTime/Darwin Streaming Server DESCRIBE请求远程拒绝服务漏洞
发布日期:2004-02-24
更新日期:2004-03-01
受影响系统:Apple Darwin Streaming Server 4.1.3
- Apple MacOS X Server 10.3.2
- Apple MacOS X Server 10.3.1
- Apple MacOS X Server 10.3
- Apple MacOS X Server 10.2.8
Apple Quicktime Streaming Server 4.1.3
- Apple MacOS X Server 10.3.2
- Apple MacOS X Server 10.3.1
- Apple MacOS X Server 10.3
- Apple MacOS X Server 10.2.8
描述:
BUGTRAQ ID:
9735
CVE(CAN) ID:
CVE-2004-0169
Apple QuickTime/Darwin是流行的流服务器。
Apple QuickTime/Darwin在解析DESCRIBE请求时存在问题,远程攻击者可以利用这个漏洞对服务程序进行拒绝服务攻击。
问题发生在解析包含特殊构建的User-Agent字段数据的DESCRIBE请求。当攻击者提交的DESCRIBE请求包含的User-Agent字段超过255字符,可导致在CommonUtilitiesLib/StringFormatter.h 97行发生Assert错误:
virtual void BufferIsFull(char* /*inBuffer*/, UInt32/*inBufferLen*/)
{
Assert(0);
}
使服务程序停止响应。
<*来源:iDEFENSE
链接:
http://www.idefense.com/application/poi/display?id=75
*>
建议:
厂商补丁:
Apple
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Apple Darwin Streaming Server 4.1.3:
Apple Upgrade QuickTime/Darwin SecUpdSrvr2004-02-23Jag.dmg
http://www.info.apple.com/kbnum/n120322
For Mac OS X 10.2.8 Server.
Apple Upgrade QuickTime/Darwin SecUpdSrvr2004-02-23Pan.dmg
http://www.info.apple.com/kbnum/n120324
For Mac OS X 10.3.2 Server.
Apple Quicktime Streaming Server 4.1.3:
Apple Upgrade QuickTime/Darwin SecUpdSrvr2004-02-23Jag.dmg
http://www.info.apple.com/kbnum/n120322
For Mac OS X 10.2.8 Server.
Apple Upgrade QuickTime/Darwin SecUpdSrvr2004-02-23Pan.dmg
http://www.info.apple.com/kbnum/n120324
For Mac OS X 10.3.2 Server.
浏览次数:2922
严重程度:0(网友投票)
