####################################################################### Luigi Auriemma Application: Quicktime Player http://www.apple.com/quicktime Versions: <= 7.3.1.70 Platforms: Windows and Mac Bug: buffer-overflow Exploitation: remote Date: 10 Jan 2008 Thanx to: swirl for the help during the re-testing of the bug Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Quicktime is a well known media player developed by Apple. ####################################################################### ====== 2) Bug ====== The problem is a buffer-overflow which happens during the handling of the HTTP error message and its visualization in the LCD-like screen which contains info about the status of the connection. The copying instruction is visible starting at offset 0x6761d559, the return address can be overwritten completely by the 4 bytes at offset 1926 of the error message, only NULL and carriage-return/line-feed chars are not allowed to use and after the exploitation EAX will point to the same offset where is located the data which overwrote the return address (so EAX + 4 points to the shellcode). For exploiting this vulnerability is only needed that an user follows a rtsp:// link, if the port 554 of the server is closed Quicktime will automatically change the transport and will try the HTTP protocol on port 80, the 404 error message of the server (other error numbers are valid too) will be visualized in the LCD-like screen. Note: this "protocol switching" thing is only the first way I have found for testing the bug so I can't exclude (for the moment) the possibility of reaching the vulnerable code using better and easier ways. In short this feature (enabled by default, watch "Transport setup") acts in the following way: When the rtsp url is called (and no custom port has been specified) Quicktime performs 3 types of consecutive connections, something like a scanning: - port 554 (rtsp) using the rtsp protocol (DESCRIBE) - port 7070 (pnm) using the rtsp protocol (DESCRIBE) - port 80 (http) using the http protocol (GET) Everything can be seen at offset 0x675A32C9 of QuickTimeStreaming.qtx where ECX has the value of 1, 2 and 3 relatively to the previous "stages" (4 means "give up"). If the connection times out Quicktime automatically considers the remote host as unreacheable and will no longer continue the "protocol switching". For example if port 554 is closed it passes to port 7070, and if port 7070 is filtered (timeout) Quicktime gives up and doesn't check port 80. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/quicktimebof.zip ####################################################################### ====== 4) Fix ====== No fix UPDATE 16 Jan 2008 The new version 7.4.0.91 doesn't fix the bug but code execution is not confimed. #######################################################################