SecurityTracker.com
Category:   Application (Multimedia)  >   QuickTime
Vendors:   Apple Computer
QuickTime Buffer Overflow in Processing HTTP 404 Response Messages Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019178
SecurityTracker URL:  http://securitytracker.com/id/1019178
CVE Reference:   CVE-2008-0234
Updated:  Feb 6 2008
Original Entry Date:  Jan 10 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 7.3.1.70 and prior versions
Description:   Luigi Auriemma reported a vulnerability in QuickTime. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create an 'rtsp://' URL that, when loaded by the target user, will cause the player to connect to a remote server. If TCP port 554 on the specified remote server is not available, the player will connect via TCP port 80. A specially crafted HTTP 404 response from the remote server can trigger a buffer overflow in the target user's player and execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

The buffer overflow occurs during the display of connection status.
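
The fallback sequence described above can be looked for in connection logs. The following Python code is an added example, not part of the SecurityTracker entry or of Luigi Auriemma's report: it flags an HTTP error reply on port 80 that follows a refused port-554 attempt to the same server and carries an unusually long message. The log format, the sample records, the function name, the 128-character and 10-second thresholds, and the placement of the oversized text in the status line are all assumptions.

```python
import re

# Constructed sample events, one per line (not taken from the advisory):
# <epoch> <client> <server> <port> <outcome or HTTP status line>
LONG_REASON = "A" * 400  # stand-in for an oversized error message
SAMPLE_LOG = f"""\
1199990000.10 10.0.0.5 203.0.113.7 554 REFUSED
1199990000.35 10.0.0.5 203.0.113.7 80 HTTP/1.0 404 Not Found
1199990100.00 10.0.0.6 198.51.100.9 554 REFUSED
1199990100.40 10.0.0.6 198.51.100.9 80 HTTP/1.0 404 {LONG_REASON}
1199990200.00 10.0.0.7 198.51.100.9 80 HTTP/1.0 404 {LONG_REASON}
"""

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) ?(.*)$")


def find_suspicious_fallbacks(log_text, max_reason=128, window=10.0):
    """Return (client, server, status, reason_length) for each HTTP error reply
    that follows a failed port-554 attempt and carries an oversized message."""
    failed_rtsp = {}  # (client, server) -> time of the failed port-554 attempt
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # skip malformed records
        ts, client, server, port, outcome = parts
        ts = float(ts)
        key = (client, server)
        if port == "554" and outcome == "REFUSED":
            failed_rtsp[key] = ts
            continue
        m = STATUS_LINE.match(outcome)
        if port != "80" or m is None or key not in failed_rtsp:
            continue  # not an HTTP reply that follows an RTSP failure
        status, reason = int(m.group(1)), m.group(2)
        recent = 0 <= ts - failed_rtsp.pop(key) <= window
        # The original report notes that error codes other than 404 work too.
        if recent and status >= 400 and len(reason) > max_reason:
            alerts.append((client, server, status, len(reason)))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_fallbacks(SAMPLE_LOG):
        print("ALERT client=%s server=%s status=%d reason_len=%d" % alert)
```

A normal 404 after a failed RTSP attempt and a long reply with no preceding port-554 failure are both left unflagged, so the rule fires only on the combination the advisory describes.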

A demonstration exploit response is available at:

http://aluigi.org/poc/quicktimebof.txt

Impact:   A remote user can execute arbitrary code on the target user's system.
Solution:   Apple has issued a fix (7.4.1), available from the Software Update application, or from the Apple Downloads site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.5 or later
The download file is named: "QuickTime741_Leopard.dmg"
Its SHA-1 digest is: cf4af6969ff21ad03fdcb4289db62a61a00700a3

For Mac OS X v10.4.9 through Mac OS X v10.4.11
The download file is named: "QuickTime741_Tiger.dmg"
Its SHA-1 digest is: 006ec419ad88a1d6c4a4695bad3eb9250abdc21d

For Mac OS X v10.3.9
The download file is named: "QuickTime741_Panther.dmg"
Its SHA-1 digest is: 4dfb9775dc84feaa49c096ccdc45109f8d6996c5

For Windows Vista / XP SP2
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 4bfe254cd7569ccad99ca6419e04ea8530e68a7f

QuickTime with iTunes for Windows Vista / XP SP2
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 9c1c0cdc2a1375af71f6423277a41cc2ce6273d1

QuickTime with iTunes (64 bit) for Windows Vista
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: 65f4c439b72de7ef7c53750866a04c247724be0f

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=307407

Vendor URL:  docs.info.apple.com/article.html?artnum=307407
Cause:   Boundary error
Underlying OS:   UNIX (OS X), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 10 2008 (Apple Issues Fix for Apple TV) QuickTime Buffer Overflow in Processing HTTP 404 Response Messages Lets Remote Users Execute Arbitrary Code   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has released a fix for Apple TV.



 Source Message Contents

Date:  Thu, 10 Jan 2008 19:45:17 +0100
Subject:  Buffer-overflow in Quicktime Player 7.3.1.70


#######################################################################

                             Luigi Auriemma

Application:  Quicktime Player
              http://www.apple.com/quicktime
Versions:     <= 7.3.1.70
Platforms:    Windows and Mac
Bug:          buffer-overflow
Exploitation: remote
Date:         10 Jan 2008
Thanx to:     swirl for the help during the re-testing of the bug
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Quicktime is a well known media player developed by Apple.


#######################################################################

======
2) Bug
======


The problem is a buffer-overflow which happens during the filling of
the LCD-like screen containing info about the status of the connection.

To exploit this vulnerability it is only necessary that a user follows
an rtsp:// link; if port 554 of the server is closed, Quicktime will
automatically change the transport and try the HTTP protocol on
port 80, and the 404 error message of the server (other error numbers
are valid too) will be displayed in the LCD-like screen.

During my tests I have been able to fully overwrite the return address;
anyway, note that the visible effects of the vulnerability could change
during the usage of the debugger (in attaching mode everything is
OK).


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/quicktimebof.txt

  nc -l -p 80 -v -v -n < quicktimebof.txt

and then

  QuickTimePlayer.exe rtsp://127.0.0.1/file.mp3


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

 
 



Copyright 2014, SecurityGlobal.net LLC