From: Dan Harkless (dan-bugtraqDILVISH.SPEED.NET)
Date: Wed Jan 31 2001 - 14:53:33 CST

    UNYUN <shadowpenguinBACKSECTION.NET> writes:
    > SPS Advisory #41
    >
    > Apple Quick Time Plug-in Buffer Overflow
    >
    > UNYUN <shadowpenguinbacksection.net>
    > Shadow Penguin Security (http://shadowpenguin.backsection.net)
    >
    > --------------------------------------------------------------
    >
    > [Date]
    > July 31, 2001
    >
    > [Vulnerable]
    > QuickTime Player 4.1.2 for Windows (Japanese)
    >
    > [Not vulnerable]
    > unknown
    >
    > [Overview]
    > There is an exploitable buffer overflow bug in the QuickTime plug-in
    > for Windows. This problem occurs when the visitor clicks the shown
    > movie in the browser. The QuickTime plug-in doesn't check the length of
    > the HREF parameter in the EMBED tag appropriately, so QuickTime overflows
    > when a long string is specified in HREF. This buffer overflow overwrites
    > the local buffer, and the code which is written in the EMBED tag can be
    > executed on the client host.
    >
    > [Risk]
    > If the HTML file which contains the cracking code in the EMBED tag is
    > opened and the visitor clicks the shown movie, the cracking code will be
    > executed on the client host. This overflow carries the possibility of
    > virus and trojan infection, system destruction, intrusion, and
    > so on.
    >
    > [Details]
    > We explain the details of this problem under the environment of
    > Windows98 (SE/Japanese) + QuickTime Player 4.1.2 for Windows + Internet
    > Explorer 5.0. You can check this problem easily with the following
    > simple HTML file.
    >
    > <html>
    > <embed src="c:\program files\quicktime\sample.mov"
    > href="aaaa... long string (730 characters)"
    > width=60 height=60 autoplay="true"
    > target="QUICKTIMEPLAYER">
    > </html>

    You don't mention whether you've tried this on other versions of the OS,
    browser, or player. FWIW, I tried it with QuickTime Player 4.1.2 on Windows
    2000 (U.S.) with Internet Explorer 5.00.3103.1000 and didn't get a crash.
    Tried with 730 characters and with 7300.

    Also tried with Netscape Communicator 4.76 on the same platform. There I
    had to change the src from the "c:\Non-Microsoft\QuickTime-4.1.2\Sample.mov"
    that IE accepts to the standards-compliant
    "file:///C|/Non-Microsoft/QuickTime-4.1.2/Sample.mov", but again, no crash.

    ----------------------------------------------------------------------
    Dan Harkless | To prevent SPAM contamination, please
    dan-bugtraqdilvish.speed.net | do not mention this private email
    SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
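As an added illustration, not code from the advisory, from Apple, or from either poster, the C below models the bug class the advisory describes: a plug-in attribute handler that copies the EMBED tag's HREF value into a fixed-size stack buffer without checking its length, beside a hardened version that refuses values that would not fit. It also builds test pages with an HREF of a chosen length, so the 730- and 7300-character cases mentioned in the thread can be fed to the safe handler. The buffer size (HREF_BUF), the attribute parser and all function names are assumptions; the advisory does not state the real buffer size or how QuickTime parses the tag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the plug-in's local buffer. The advisory only says that
 * 730 characters is enough to overflow it; the true size is unknown. */
#define HREF_BUF 256

/* Locate the value of href="..." inside an <embed ...> tag. Returns a pointer
 * to the first character of the value and stores its length in *len, or
 * returns NULL if there is no href attribute or no closing quote. */
static const char *find_href(const char *tag, size_t *len) {
    const char *p = tag;
    while ((p = strstr(p, "href=\"")) != NULL) {
        /* Only accept a match preceded by whitespace (or at tag start), so
         * an attribute such as xhref="..." is not mistaken for href. */
        if (p == tag || p[-1] == ' ' || p[-1] == '\n' || p[-1] == '\t') {
            p += 6;
            const char *end = strchr(p, '"');
            if (!end) return NULL;
            *len = (size_t)(end - p);
            return p;
        }
        p += 6;
    }
    return NULL;
}

/* Vulnerable pattern (hypothetical): the attacker-controlled length drives a
 * copy into a fixed stack buffer. Any value longer than HREF_BUF - 1 bytes
 * overwrites whatever sits above the buffer on the stack. Shown for contrast
 * only; never call this with untrusted input. */
void handle_href_unsafe(const char *tag) {
    char href[HREF_BUF];
    size_t len;
    const char *v = find_href(tag, &len);
    if (!v) return;
    memcpy(href, v, len);   /* no comparison of len against sizeof href */
    href[len] = '\0';
    printf("opening %s\n", href);
}

/* Hardened form: the caller supplies the destination and its size, and a
 * value that does not fit (including the terminator) is rejected outright
 * rather than silently truncated. Returns the copied length, -1 if there is
 * no href attribute, -2 if the value is too long. */
int handle_href_safe(const char *tag, char *out, size_t outsz) {
    size_t len;
    const char *v = find_href(tag, &len);
    if (!v) return -1;
    if (len >= outsz) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a test page shaped like the advisory's, with an href of n 'a'
 * characters (a constructed sample, not a real movie reference). The caller
 * frees the returned string. */
char *make_embed_tag(size_t n) {
    const char *pre  = "<html>\n<embed src=\"sample.mov\"\nhref=\"";
    const char *post = "\"\nwidth=60 height=60 autoplay=\"true\"\n"
                       "target=\"QUICKTIMEPLAYER\">\n</html>\n";
    size_t total = strlen(pre) + n + strlen(post) + 1;
    char *s = malloc(total);
    if (!s) return NULL;
    strcpy(s, pre);
    memset(s + strlen(pre), 'a', n);
    strcpy(s + strlen(pre) + n, post);
    return s;
}

int main(void) {
    char out[HREF_BUF];
    size_t lengths[] = { 40, 730, 7300 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        char *page = make_embed_tag(lengths[i]);
        int r = handle_href_safe(page, out, sizeof out);
        printf("%zu-char href: %s\n", lengths[i],
               r == -2 ? "rejected (would overflow)" : "accepted");
        free(page);
    }
    return 0;
}
```

The point of the pair is that the fix is not a bigger buffer: the safe handler is correct for any HREF_BUF because the length check is tied to the real destination size, whereas the unsafe one is only ever "not yet exploited" for inputs shorter than whatever size happens to be compiled in.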