November 26th, 2007
Latest QuickTime bug leaves XP, Vista vulnerable
Security researchers say that a new QuickTime flaw has gone public and leaves XP and Vista vulnerable to attack.
According to Secunia, the latest QuickTime bug “can be exploited by malicious people to compromise a user’s system.” A working exploit is public and the vulnerability has been confirmed for version 7.3. Secunia calls the bug “extremely critical.”
Based on the original report from “h07,” Apple apparently didn’t enable a security feature. Here’s h07’s tale:
[*] On Vista the QuickTimePlayer and the .gtx modules dont have ASLR enabled, NO RANDOMIZATION :)
[*]All the 7.3 and 7.2 DLL modules are SafeSEH enabled, except for the .gtx modules, that is how u bypass the SEH
Restrictions in XP and in Vista!! so we use Addys from there.
[*]There are ALOT of filtered characters so choose your shellcode wisely or you will run into Access Violations
Since I didnt feel like wasting my time going through all the filtered Characters, go through it yourself.
- Here are some \x4b, \x59, \x79
[*]I did hit my shellcode but b/c i havent gone through all the filtered characters i got an Access Violation
in the shellcode
[*]Can be easily modified to keep accepting clients with a lil modding, do it yourself u noobs[***]Here is an example of how to embed a streaming the quicktime redirection to the RTSP exploit.
http://quicktime.tc.columbia.edu/users/iml/movies/mtest.html
cough use w/ an iframe cough
The U.S. computer emergency readiness team has more in plain old English. Key excerpts:
Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header. This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream. Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.
By convincing a user to connect to a specially crafted RTSP stream, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. An attacker can use various types of web page content, including a QuickTime Media Link file, to cause a user to load an RTSP stream.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds. Note that these workarounds will not address the vulnerability, but they may help block certain attack vectors for the vulnerability.
Ryan is on vacation.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
