Backdooring MP3 Files
XSS is the new hotness!. I cannot agree more on that.
MP3 Files can be Backdoored with Malicious Content too
Over the past few days I have been exploring different features of Apple’s QuickTime player – key software component of iTunes and standard part of many home and business workstations. A lot of research was conducted and some problems, which IMHO are quite serious, were found. Please take this post as a security notice.
The problems is caused by a quite useful feature called QuickTime Media Link (.qtl). The whole point of these QuickTime Media Link files is to provide means of playing media files in a more accessible way. In this respect the developer can create a .qtl file which hold information about the media content that needs to be played plus recommended dimensions, accessibility features, control features etc. QuickTime Media Link files are written in XML and end typically end with .qtl. A .qtl file in its very basic form looks like the following:
<?xml version="1.0"> <?quicktime type="application/x-quicktime-media-link"?> <embed src="Sample.mov" autoplay="true"/>
The most important element in this XML is called
embed. This element describes the content that needs to be played. There are quite few attributes that can be assigned to the
embed element like
autoplay but they are not as interesting as
qtnext attribute specifies what needs to be played next. Because
Upon execution the media link presented above will display a harmless message to the user. Keep in mind that a lot more dangerous things can be done. For more information about the impact of such an attack check the AttackAPI – a toolkit designed to test browser related issues.
This is a quite big problem especially in default configurations of iTunes. The iTunes installation wizard installs the QuickTime player and QuickTime browser plugins and associates various media files with its components. If you open a mp3 file from the desktop it will be played in iTunes player by default, however if you open it from some website it will be played in the QuickTime player browser plugin. In this respect, users who are previewing mp3s and other media files from the Internet are vulnerable.
For the sole purpose of demonstrating how this vulnerability works I composed a quite simple and harmless proof of concept. There are two links to mp3 files at the bottom of this page. Two of these files are backdoored. One of them is a tune I composed many years ago.
- jamesbond-overdrive.mp3 – the real tune
about:blank. I am not quite familiar with
about:blank but my understandings are that everything from
Proof of concept for this issue can be found at the following URL.