[18910] in bugtraq
Re: [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow
daemon@ATHENA.MIT.EDU (Dan Harkless)
Wed Jan 31 18:06:56 2001
Message-Id: <200101312053.MAA19274@dilvish.speed.net>
Date: Wed, 31 Jan 2001 12:53:33 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from UNYUN <shadowpenguin@BACKSECTION.NET> of "Wed, 31
Jan 2001 22:25:25 +0900."
<3A781245280.E0EESHADOWPENGUIN@rr.iij4u.or.jp>
UNYUN <shadowpenguin@BACKSECTION.NET> writes:
> SPS Advisory #41
>
> Apple Quick Time Plug-in Buffer Overflow
>
> UNYUN <shadowpenguin@backsection.net>
> Shadow Penguin Security (http://shadowpenguin.backsection.net)
>
> --------------------------------------------------------------
>
> [Date]
> July 31, 2001
>
> [Vulnerable]
> QuickTime Player 4.1.2 for Windows (Japanese)
>
> [Not vulnerable]
> unknown
>
> [Overview]
> There is an exploitable buffer overflow bug in the QuickTime plug-in
> for Windows. This problem occurs when the visitor clicks the shown
> movie in the browser. The QuickTime plug-in doesn't check the length of
> the HREF parameter in the EMBED tag appropriately, and QuickTime overflows
> when a long string is specified in HREF. This buffer overflow overwrites
> the local buffer, and the code written in the EMBED tag can be
> executed on the client host.
>
> [Risk]
> If an HTML file which contains the cracking code in an EMBED tag is
> opened and the visitor clicks the shown movie, the cracking code will be
> executed on the client host. This overflow carries the possibility of
> virus and trojan infection, system destruction, intrusion, and
> so on.
>
> [Details]
> We explain the details of this problem under the environment of
> Windows98 (SE/Japanese) + QuickTime Player 4.1.2 for Windows + Internet
> Explorer 5.0. You can check this problem easily with the following
> simple HTML file.
>
> <html>
> <embed src="c:\program files\quicktime\sample.mov"
> href="aaaa... long string (730 characters)"
> width=60 height=60 autoplay="true"
> target="QUICKTIMEPLAYER">
> </html>
You don't mention whether you've tried this on other versions of the OS,
browser, or player. FWIW, I tried it with QuickTime Player 4.1.2 on Windows
2000 (U.S.) with Internet Explorer 5.00.3103.1000 and didn't get a crash.
Tried with 730 characters and with 7300.
Also tried with Netscape Communicator 4.76 on the same platform. There I
had to change the src from the "c:\Non-Microsoft\QuickTime-4.1.2\Sample.mov"
that IE accepts to the standards-compliant
"file:///C|/Non-Microsoft/QuickTime-4.1.2/Sample.mov", but again, no crash.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
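Added example, not part of either message in this thread: a defender-side content check that flags <embed> tags whose href attribute exceeds a policy limit, the condition the advisory describes (a 730-character HREF overflowing the plug-in's local buffer). The 512-character limit and the two sample pages are constructed for illustration; a proxy or mail gateway would run this over fetched HTML before it reaches a vulnerable client.

```python
from html.parser import HTMLParser

# Hypothetical policy limit: the advisory reports an overflow at 730
# characters, so a conservative inspection threshold sits well below that.
MAX_HREF_LEN = 512


class EmbedHrefAuditor(HTMLParser):
    """Record every <embed> whose href attribute is longer than the limit."""

    def __init__(self, limit=MAX_HREF_LEN):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <EMBED HREF=...>
        # and <embed href=...> are handled identically.
        if tag != "embed":
            return
        attr_map = {name: (value or "") for name, value in attrs}
        href = attr_map.get("href")
        if href is not None and len(href) > self.limit:
            self.findings.append({
                "line": self.getpos()[0],          # line where the tag starts
                "href_len": len(href),
                "src": attr_map.get("src", ""),
                "target": attr_map.get("target", ""),
            })


def audit_html(document, limit=MAX_HREF_LEN):
    """Return a list of findings (empty when no overlong <embed href> exists)."""
    parser = EmbedHrefAuditor(limit)
    parser.feed(document)
    parser.close()
    return parser.findings


# Constructed sample pages: one ordinary embed, one shaped like the advisory's PoC.
BENIGN_PAGE = ('<html><embed src="intro.mov" href="http://example.invalid/next.mov" '
               'width=60 height=60></html>')
SUSPECT_PAGE = ('<html>\n'
                '<EMBED src="c:\\program files\\quicktime\\sample.mov"\n'
                'HREF="' + 'a' * 730 + '"\n'
                'width=60 height=60 autoplay="true"\n'
                'target="QUICKTIMEPLAYER">\n'
                '</html>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, audit_html(page))
```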