Monday, January 14, 2008

[NT] Quicktime Player HTTP Error Message Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Quicktime Player HTTP Error Message Buffer Overflow
------------------------------------------------------------------------


SUMMARY

A vulnerability in the way Quicktime displays error messages allows remote
attackers to crash it and execute arbitrary code. The vulnerability is
triggered by a malformed HTTP response whenever Quicktime is asked to
connect to an RTSP server whose TCP ports 554 and 7070 are closed but not
filtered.
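
An added illustration of the bug class described in this summary (not Quicktime's code and not part of the advisory): a client that shows server-supplied HTTP error text in a fixed-size status display has to bound and sanitize the copy. The buffer size DISPLAY_MAX, the function names, and the assumption that the error text is the status-line reason phrase are choices made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DISPLAY_MAX 64 /* assumed size of the status display buffer */

/* Find the reason phrase of "HTTP/1.x CODE REASON"; NULL if malformed. */
static const char *reason_phrase(const char *line, size_t *len)
{
    int code = 0, off = 0;
    if (sscanf(line, "HTTP/1.%*1[01] %3d%n", &code, &off) != 1)
        return NULL;
    if (code < 100 || code > 599)
        return NULL;
    const char *p = line + off;
    if (*p == ' ')
        p++;
    *len = strcspn(p, "\r\n"); /* phrase ends at CR/LF or end of string */
    return p;
}

/* Bounded copy of server-supplied error text into the display buffer.
   Returns 0 if it fit, 1 if it was truncated (worth logging), -1 if the
   status line was rejected. Non-printable bytes are replaced with '?'. */
int format_error_display(const char *status_line, char out[DISPLAY_MAX])
{
    size_t len = 0;
    const char *msg = reason_phrase(status_line, &len);
    out[0] = '\0';
    if (msg == NULL)
        return -1;
    int truncated = len >= DISPLAY_MAX;
    size_t n = truncated ? DISPLAY_MAX - 1 : len;
    for (size_t i = 0; i < n; i++)
        out[i] = isprint((unsigned char)msg[i]) ? msg[i] : '?';
    out[n] = '\0';
    return truncated;
}

int main(void)
{
    char out[DISPLAY_MAX], big[400] = "HTTP/1.0 404 "; /* constructed input */
    memset(big + 13, 'A', 300); /* oversized reason phrase */
    big[313] = '\0';
    printf("%d\n", format_error_display("HTTP/1.1 404 Not Found\r\n", out));
    printf("%d %zu\n", format_error_display(big, out), strlen(out));
    return 0;
}
```

A return value of 1 is a useful signal to log, since a legitimate server rarely sends error text longer than a status display can hold.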

DETAILS

Vulnerable Systems:
* Quicktime Player version 7.3.1.70 and prior

Exploit:
/*
Copyright 2008 Luigi Auriemma -

http://aluigi.altervista.org/poc/quicktimebof.zip

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA

http://www.gnu.org/licenses/gpl.txt
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdarg.h>
#include <time.h>
#include <ctype.h>
#include <sys/stat.h>

#ifdef WIN32
#include <direct.h>
#include <ws2tcpip.h>
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define sleep Sleep
#define in_addr_t uint32_t
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <pthread.h>

#define ONESEC 1
#define strnicmp strncasecmp
#define stricmp strcasecmp
#define stristr strcasestr
