CVE-2007-2175
published 2007-04-24

Priority: P2 (62), high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 83.80% (99.7th percentile)
Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007.

Detection & IOCs (extracted from sources)

filename: QTJavaExploit.class
path: data/exploits/QTJavaExploit.class
bytes: \x03\x10\xcc\x54
bytes: \x03\x10\xf0\x54
  • Detect HTTP responses that serve a Java .class file with Content-Type 'application/octet-stream' where the URI matches *.class; this is the applet delivery pattern used by the Metasploit module.
  • Look for Java applet requests where the URI ends in '.class' and was preceded by a redirect to a base directory path, characteristic of the exploit's two-stage HTTP delivery (HTML first, then the .class).
  • Monitor for invocation of the toQTPointer() method with a large negative offset argument (e.g., -2000000000) from within a Java applet context; this call is the core exploitation primitive for arbitrary memory access.
  • Detect loading of QTJava.dll (Apple QuickTime Java extensions) in browser processes (Safari, Firefox, IE) combined with Java applet execution; this is the vulnerable component.
  • Inspect Java applet bytecode for the marker byte sequences \x03\x10\xcc\x54 (target platform selector) and \x03\x10\xf0\x54 (shellcode placeholder); these are the patch points in QTJavaExploit.class used by the exploit. Read as JVM bytecode each sequence is iconst_0, bipush, bastore (a one-byte store into index 0 of a byte array), so the match is specific to the unmodified Metasploit class and a recompiled or obfuscated variant will not contain it.
  • The exploit requires both Java and QuickTime to be installed and enabled in the browser; disabling Java in the browser removes the attack vector entirely.
  • On Windows, Internet Explorer 6/7 may be an exploit vector, but a sandboxing feature may interfere with successful exploitation; this was unconfirmed at the time of disclosure.
  • The Metasploit module targets three distinct platform/architecture combinations (Windows x86, Mac OS X PPC, Mac OS X x86); detection logic should account for all three payload variants embedded in the same .class file.
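The delivery-pattern checks (first two bullets) and the bytecode-marker check (fifth bullet) above, as an added Python example. This is illustration code written for this page, not code from the Metasploit module or from any vendor; the function names (inspect_response, two_stage_clients, find_markers) are hypothetical, and the class-file bytes and request log it runs over are constructed for the demonstration, not captured traffic. The only facts taken from the page are the two marker sequences and the file name.

```python
"""Detections for the HTTP delivery bullets and the bytecode-marker bullet above.
Hypothetical helper code written for this page; not from the Metasploit module."""
from dataclasses import dataclass, field

# Marker sequences from the IOC list on this page. Read as JVM bytecode each one is
# iconst_0 ; bipush <byte> ; bastore, a store of one constant into byte[0], so the
# check only catches the unmodified QTJavaExploit.class artefact, not a rebuilt one.
MARKER_TARGET_SELECTOR = b"\x03\x10\xcc\x54"
MARKER_SHELLCODE_PLACEHOLDER = b"\x03\x10\xf0\x54"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


@dataclass
class Verdict:
    delivery_match: bool          # bullet 1: .class URI served as application/octet-stream
    is_class_file: bool           # body starts with the Java class-file magic
    markers: list = field(default_factory=list)  # (name, offset) for each marker found

    @property
    def suspicious(self) -> bool:
        # A real class file carrying either patch-point marker is the strong signal;
        # the delivery pattern alone is far too common to alert on by itself.
        return self.is_class_file and bool(self.markers)


def matches_delivery_pattern(uri: str, content_type: str) -> bool:
    """Bullet 1: a *.class URI whose response is typed application/octet-stream."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return uri.lower().endswith(".class") and media_type == "application/octet-stream"


def find_markers(body: bytes) -> list:
    """Bullet 5: locate the target-selector and shellcode-placeholder patch points."""
    found = []
    for name, pattern in (("target_selector", MARKER_TARGET_SELECTOR),
                          ("shellcode_placeholder", MARKER_SHELLCODE_PLACEHOLDER)):
        offset = body.find(pattern)
        if offset != -1:
            found.append((name, offset))
    return found


def inspect_response(uri: str, headers: dict, body: bytes) -> Verdict:
    """Combine the delivery and content checks for one reassembled HTTP response."""
    return Verdict(
        delivery_match=matches_delivery_pattern(uri, headers.get("Content-Type", "")),
        is_class_file=body[:4] == JAVA_CLASS_MAGIC,
        markers=find_markers(body),
    )


def two_stage_clients(log: list) -> set:
    """Bullet 2: per client, a 3xx redirect to a directory path followed by a GET for
    a .class URI under that directory. Log rows are (client, uri, status, location)."""
    flagged = set()
    last_redirect_dir = {}
    for client, uri, status, location in log:
        if 300 <= status < 400 and location and location.endswith("/"):
            last_redirect_dir[client] = location
        elif (uri.lower().endswith(".class")
              and client in last_redirect_dir
              and uri.startswith(last_redirect_dir[client])):
            flagged.add(client)
    return flagged


# --- constructed sample data (not captured traffic) ---------------------------
# A minimal class-file-shaped blob: magic, version, filler, then both markers.
SAMPLE_CLASS = (JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31" + b"\x00" * 16
                + b"\x2a\xb7" + MARKER_TARGET_SELECTOR
                + b"\x00" * 8 + MARKER_SHELLCODE_PLACEHOLDER + b"\xb1")
BENIGN_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31" + b"\x00" * 32
SAMPLE_LOG = [
    ("10.0.0.5", "/abc", 302, "/abc/"),
    ("10.0.0.5", "/abc/", 200, None),
    ("10.0.0.5", "/abc/QTJavaExploit.class", 200, None),
    ("10.0.0.9", "/index.html", 200, None),
    ("10.0.0.9", "/static/App.class", 200, None),
]

if __name__ == "__main__":
    v = inspect_response("/abc/QTJavaExploit.class",
                         {"Content-Type": "application/octet-stream"}, SAMPLE_CLASS)
    print("suspicious:", v.suspicious, "markers:", v.markers)
    print("two-stage clients:", two_stage_clients(SAMPLE_LOG))
```

In practice the content check runs over bodies reassembled by a proxy or IDS (the equivalent deployable form is a content-match rule on the two sequences), and the two-stage check runs over the access log of the same sensor. Both are only as strong as the markers: a class rebuilt from source or run through an obfuscator keeps the toQTPointer() primitive but drops these byte patterns, which is why the third bullet (the runtime call itself) is the more durable signal.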

CVSS provenance

nvd: v2.0 7.6 HIGH (AV:N/AC:H/Au:N/C:C/I:C/A:C)
vendor_redhat: 7.6 HIGH