Quick Time Player 7.6.9 – ActiveX Control Buffer Overflow Vulnerability
Author(s): Ivan Sanchez & Hernan Hegykozi
Contact Us: firstname.lastname@example.org
Vendor Notified: 2 months ago (Apple Inc / bugreport.apple.com)
Problem ID: 9753778
We have discovered that the product "QuickTimePlayer_7.6.9" has a serious ActiveX control buffer overflow that crashes the application when the code below is run.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of QuickTimePlayer.dll. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the QuickTimePlayer.dll component, which explicitly trusts a length embedded within a particular file when calculating the length of a buffer. The application then copies an arbitrarily sized string into a statically sized buffer located on the stack. This can lead to code execution under the context of the application.
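The length-trust flaw described above, seen from the fixing side, as an added example (not code from QuickTime or from the advisory's authors): a bounded copy that checks an embedded length against both the remaining input and the fixed destination buffer. The record layout, NAME_MAX_LEN and copy_record_string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed size of the fixed destination buffer */

/* Constructed record layout (an assumption for illustration):
 *   [4-byte little-endian length][length bytes of string data]
 * The unsafe pattern the advisory describes is:
 *   char name[NAME_MAX_LEN]; memcpy(name, rec + 4, len_from_file);
 * where len_from_file is never compared with sizeof(name). */

/* Returns 0 on success, -1 if the record is truncated, -2 if the embedded
 * length does not fit dst. On success dst is always NUL-terminated. */
int copy_record_string(const uint8_t *rec, size_t rec_len,
                       char *dst, size_t dst_size)
{
    uint32_t claimed;

    if (rec == NULL || dst == NULL || dst_size == 0)
        return -2;
    if (rec_len < 4)
        return -1;                  /* no room for the length field */

    claimed = (uint32_t)rec[0] | ((uint32_t)rec[1] << 8) |
              ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24);

    if (claimed > rec_len - 4)
        return -1;                  /* length points past the input */
    if (claimed >= dst_size)
        return -2;                  /* no room for data plus the NUL */

    memcpy(dst, rec + 4, claimed);
    dst[claimed] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: claims 200 bytes, destination holds 64. */
    uint8_t rec[4 + 200] = { 200, 0, 0, 0 };
    char name[NAME_MAX_LEN];

    printf("oversized record -> %d\n",
           copy_record_string(rec, sizeof rec, name, sizeof name));
    return 0;
}
```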
1- Open QuickTime.
2- Run the following code:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:0F5B08E7-94EE-470B-A184-5CD4A7DF35A3' id='target' />
targetFile = "C:\Program Files\QuickTime\QuickTimePlayer.dll"
prototype = "Sub OpenURL ( ByVal url As String )"
memberName = "OpenURL"
progid = "QuickTimePlayerLib.QuickTimePlayer"
argCount = 1
3- The application will crash.