CVE-2007-2175
Published: 2007-04-24
Priority: P2 · 62 · high · CVSS 2.0: 7.6
CVSS vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 83.80% (99.7th percentile)
Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007.
Detection & IOCs (extracted from sources)
Byte sequences:
- \x03\x10\xcc\x54
- \x03\x10\xf0\x54
Detection guidance:
- Detect HTTP responses serving a Java .class file with Content-Type 'application/octet-stream' where the URI matches *.class; this is the exploit applet delivery pattern used by the Metasploit module.
- Look for Java applet requests where the URI ends in '.class' preceded by a redirect to a base directory path, characteristic of the exploit's two-stage HTTP delivery (HTML then .class).
- Monitor for invocation of the toQTPointer() method with a large negative offset argument (e.g., -2000000000) from within a Java applet context, which is the core exploitation primitive for arbitrary memory access.
- Detect loading of QTJava.dll (Apple QuickTime Java extensions) in browser processes (Safari, Firefox, IE) combined with Java applet execution; this is the vulnerable component.
- Inspect Java applet bytecode for the marker byte sequences \x03\x10\xcc\x54 (target platform selector) and \x03\x10\xf0\x54 (shellcode placeholder); these are the patch points in QTJavaExploit.class used by the exploit.
Notes:
- The exploit requires both Java and QuickTime to be installed and enabled in the browser. Disabling Java in the browser mitigates the attack vector entirely.
- On Windows, Internet Explorer 6/7 may be an exploit vector, but a sandboxing feature may interfere with successful exploitation; this was unconfirmed at time of disclosure.
- The Metasploit module targets three distinct platform/architecture combinations (Windows x86, Mac OS X PPC, Mac OS X x86); detection logic should account for all three payload variants embedded in the same .class file.
CVSS provenance
- nvd (v2.0): 7.6 HIGH, AV:N/AC:H/Au:N/C:C/I:C/A:C
- vendor_redhat: 7.6 HIGH
GHSA
GHSA-4fv5-g6r3-cjxh (CVE-2007-2176) [HIGH] · ghsa_unreviewed · 2022-05-01 · CVSS 7.6
Unspecified vulnerability in Mozilla Firefox allows remote attackers to execute arbitrary code via unspecified vectors involving Javascript errors. NOTE: this might be the same issue as CVE-2007-2175.
GHSA
GHSA-v58r-vg3c-hjmm (CVE-2007-2175) [HIGH] · ghsa_unreviewed · 2022-05-01
Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007.
Red Hat
CVE-2007-2176 [HIGH] · vendor_redhat · CVSS 7.6
Unspecified vulnerability in Mozilla Firefox allows remote attackers to execute arbitrary code via unspecified vectors involving Javascript errors. NOTE: this might be the same issue as CVE-2007-2175.
Statement: Not vulnerable. This issue is a flaw in the way Java and Quicktime interact.
No detection rules found.
Exploit-DB
Apple QTJava - 'toQTPointer()' Arbitrary Memory Access (Metasploit) · exploitdb · 2010-09-20 · CVE-2007-2175
---
```ruby
##
# $Id: qtjava_pointer.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# (mixin include lines between the class header and 'Name' were lost in extraction)
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple QTJava toQTPointer() Arbitrary Memory Access',
			'Description'    => %q{
					This module exploits an arbitrary memory access vulnerability in the
				Quicktime for Java API provided with Quicktime 7.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm', # Original exploit for Mac OS X PPC / Win32
					'kf',  # Added support for Mac OS X X86
					'ddz'  # Discovered bug, provided t
```
Exploit-DB
Apple QuickTime 7.1.5 - QTJava toQTPointer() Java Handling Arbitrary Code Execution · exploitdb · 2007-04-23 · CVE-2007-2175
---
source: https://www.securityfocus.com/bid/23608/info
QuickTime is prone to a vulnerability that may aid in the remote compromise of a vulnerable computer.
The issue occurs when a Java-enabled browser is used to view a malicious website. QuickTime must also be installed.
Attackers may exploit this issue to execute arbitrary code in the context of a user running the vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.
This issue is exploitable through both Safari and Mozilla Firefox running on Mac OS X. Reports indicate that Firefox on Windows platforms may also be an exploit vector.
Reports also indicate that Internet Explorer 6 and 7 running on Windo
Exploit-DB
Apple QuickTime for Java 7 - Memory Access (Metasploit) · exploitdb · 2007-04-23 · CVE-2007-2175
---
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# (mixin include lines between the class header and 'Name' were lost in extraction)
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple QTJava toQTPointer() Arbitrary Memory Access',
			'Description'    => %q{
					This module exploits an arbitrary memory access vulnerability in the
				Quicktime for Java API provided with Quicktime 7.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm', # Original exploit for Mac OS X PPC / Win32
					'kf',  # Added support for Mac OS X X86
					'ddz'  # Discovered bug, provided tips
				],
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2007
```
Metasploit
Apple QTJava toQTPointer() Arbitrary Memory Access · metasploit
This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7.
No writeups or analysis indexed.
References:
- http://cansecwest.com/post/2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
- http://docs.info.apple.com/article.html?artnum=305446
- http://lists.apple.com/archives/security-announce/2007/May/msg00001.html
- http://www.kb.cert.org/vuls/id/420668
- http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/
- http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/
- http://www.osvdb.org/34178
- http://www.securityfocus.com/archive/1/467319/100/0/threaded
- http://www.securitytracker.com/id?1017950
- http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/
- http://www.zerodayinitiative.com/advisories/ZDI-07-023.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33827