search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Quicktime/Darwin Streaming Server fails to properly parse DESCRIBE requests

Vulnerability Note VU#460350

Original Release Date: 2004-02-25 | Last Revised: 2004-03-15


Apple Quicktime/Darwin Streaming Server fails to properly parse DESCRIBE requests containing overly large User-Agent fields. This could allow an unauthenticated, remote attacker to cause a denial-of-service condition.


Apple's QuickTime and Darwin Streaming Server is software which provides integrated distribution of various forms of digital content. Such content can be delivered over a network using Real-Time Transport Protocol (RTP) and Real-Time Streaming Protocol (RTSP).

The RTSP provides a DESCRIBE method which according to RFC 2326 "retrieves the description of a presentation or media object identified by the request URL from a server. It may use the Accept header to specify the description formats that the client understands. The server responds with a description of the requested resource. The DESCRIBE reply-response pair constitutes the media initialization phase of RTSP."

There is a vulnerability in the way the Quicktime/Darwin Streaming Server parses DESCRIBE requests containing specially crafted User-Agent fields. An attacker could exploit this vulnerability by sending a DESCRIBE request containing an overly large User-Agent field.


An unauthenticated, remote attacker could prevent legitimate users from accessing the streamed content.


Apply Patch
Apple has released a patch to address this vulnerability. For further details, please see the Apple Security Advisory (Security Update 2004-02-23).

Vendor Information


Apple Computer Inc. Affected

Updated:  February 25, 2004



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please refer to the Apple Security Advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was reported by iDefense.

This document was written by Damon Morda.

Other Information

CVE IDs: CVE-2004-0169
Severity Metric: 1.68
Date Public: 2004-02-24
Date First Published: 2004-02-25
Date Last Updated: 2004-03-15 13:49 UTC
Document Revision: 12

Sponsored by CISA.