==================================================
Apple QuickTime Player version 7.64.17.73 <= Insecure DLL Hijacking
Vulnerability (cfnetwork.dll, corefoundation.dll)
==================================================
1. OVERVIEW
The Apple QuickTime Player application is vulnerable to Insecure DLL
Hijacking Vulnerability. Similar terms that describe this
vulnerability have been come up with Remote Binary Planting, and
Insecure DLL Loading/Injection/Hijacking/Preloading.
2. PRODUCT DESCRIPTION
A powerful multimedia technology with a built-in media player,
QuickTime lets you view Internet video, HD movie trailers, and
personal media in a wide range of file formats. And it lets you enjoy
them in remarkably high
quality.(http://www.apple.com/quicktime/what-is/)
3. VULNERABILITY DESCRIPTION
The Picture Viewer of the Apple QuickTime Player application passes an
insufficiently qualified path in loading its external library -
"cfnetwork.dll, corefoundation.dll"
when a user opens its associated file with extensions - mac, pic, pntg, qtif.
4. VERSIONS AFFECTED
7.64.17.73 and probably lower version of 7.x
5. PROOF-OF-CONCEPT/EXPLOIT
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/quicktime/poc/quicktime_7.64.17.73-dll-hijacking.zip
Tested Platform: Windows XP Service Pack 3 (Fresh Windows)
6. IMPACT
Attackers can trigger a successful exploit against a victim user in a
number of ways such as placing a malicious external
library file made as hidden attribute and a seemingly interesting file
in network shares, usb drives, file sharing networks,
social networks, ..etc
7. SOLUTION
Upgrade to the latest version.
Software Vendors who bundle this version of QuickTime in their
software packages should update it.
8. VENDOR
Apple Inc
http://www.apple.com/quicktime/
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
N/A: vulnerability discovered
N/A: notified vendor
09-12-2010: vulnerability disclosed
11. REFERENCES
Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[quicktime]_7.64.17.73_insecure_dll_hijacking
Workaround Solution: http://support.microsoft.com/kb/2264107
Workaround Solution:
https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF
Developer Solution:
http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx
Unofficial DLL Hijacking List:
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
Testing for DLL Hijacking:
http://core.yehg.net/lab/pr0js/view.php/when_testing_for_dll_hijacking.txt
#yehg [09-12-2010]