<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Details of the QuickTime Vulnerability</title>
	<atom:link href="http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/</link>
	<description>Information Security Think Tank</description>
	<lastBuildDate>Sat, 02 Feb 2013 17:50:40 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.1</generator>
	<item>
		<title>By: Edu</title>
		<link>http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/comment-page-1/#comment-126208</link>
		<dc:creator>Edu</dc:creator>
		<pubDate>Sun, 01 Mar 2009 19:00:18 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1209#comment-126208</guid>
		<description>First of all, sorry for bumping this up. Please read this, as it may clear some stuff up.

From what I read of your QuickTime POC, you use the qtnext instruction to open an arbitrary URL. The vulnerability itself is not in QuickTime but in the function of the url.dll file that is called. Internet shortcut files function in a similar way, although the function executed is from ieframe.dll, not url.dll (at least when IE 7 is installed).

From what I read, what happens is that the qtnext instruction is executed pretty much like a URL file, so the file that will be opened is subject to the famous Internet Explorer security zones scheme. Dotted URL addresses are automatically put in the Internet security zone by default, in which the default setting for opening programs and unsafe files (unsafe means the extension is in the Microsoft blacklist, which includes a hell of a lot of file types, like .url, .chm, .hta, .wsf, etc.) is set to prompt, so this is why it was not working (you were probably getting a file execution prompt, which informs you of the file name and extension plus the type and editor, if it has a valid digital signature). If you had used an address such as file&#058;//computername/share/file.exe it would probably work just fine, in case you have IE 6, or if IE 7 has determined your computer is part of a domain and/or you have manually enabled the intranet settings, because the file is automatically put in the Local Intranet security zone.

The XP SP2/SP3 operating system has a bug in which, for some reason, when you open an internet shortcut that points to a shortcut file located in a network share (in the Internet security zone), it will be automatically loaded and executed, as long as the command line for the shortcut (.LNK file) points to a local program, to which in turn you can pass parameters. And that's why it worked for QuickTime.

PS: Windows 2000 SP4 seems to automatically load and run arbitrary files located in network shares (that includes addresses placed in both the Local Intranet and Internet zones), so I guess if you pointed the qtnext instruction to an address such as file&#058;//x.x.x.x/share/file.exe, the file.exe would be automatically executed on this system. I say *seems* because this copy of Windows 2000 I have I downloaded from the internet and installed in a virtual machine, and it could be messed up.

I remember joking with friends that had QuickTime by passing the URL shell:personal to the qtnext parameter, and it would load the contents of the My Documents folder. The fact that you can pass arbitrary URL protocols to qtnext opens a door for a known type of attack: parameter injection on URL protocols.</description>
		<content:encoded><![CDATA[<p>First of all, sorry for bumping this up. Please read this, as it may clear some stuff up.</p>
<p>From what I read of your QuickTime POC, you use the qtnext instruction to open an arbitrary URL. The vulnerability itself is not in QuickTime but in the function of the url.dll file that is called. Internet shortcut files function in a similar way, although the function executed is from ieframe.dll, not url.dll (at least when IE 7 is installed).</p>
<p>From what I read, what happens is that the qtnext instruction is executed pretty much like a URL file, so the file that will be opened is subject to the famous Internet Explorer security zones scheme. Dotted URL addresses are automatically put in the Internet security zone by default, in which the default setting for opening programs and unsafe files (unsafe means the extension is in the Microsoft blacklist, which includes a hell of a lot of file types, like .url, .chm, .hta, .wsf, etc.) is set to prompt, so this is why it was not working (you were probably getting a file execution prompt, which informs you of the file name and extension plus the type and editor, if it has a valid digital signature). If you had used an address such as file&#58;//computername/share/file.exe it would probably work just fine, in case you have IE 6, or if IE 7 has determined your computer is part of a domain and/or you have manually enabled the intranet settings, because the file is automatically put in the Local Intranet security zone.</p>
<p>The XP SP2/SP3 operating system has a bug in which, for some reason, when you open an internet shortcut that points to a shortcut file located in a network share (in the Internet security zone), it will be automatically loaded and executed, as long as the command line for the shortcut (.LNK file) points to a local program, to which in turn you can pass parameters. And that's why it worked for QuickTime.</p>
<p>PS: Windows 2000 SP4 seems to automatically load and run arbitrary files located in network shares (that includes addresses placed in both the Local Intranet and Internet zones), so I guess if you pointed the qtnext instruction to an address such as file&#58;//x.x.x.x/share/file.exe, the file.exe would be automatically executed on this system. I say *seems* because this copy of Windows 2000 I have I downloaded from the internet and installed in a virtual machine, and it could be messed up.</p>
<p>I remember joking with friends that had QuickTime by passing the URL shell:personal to the qtnext parameter, and it would load the contents of the My Documents folder. The fact that you can pass arbitrary URL protocols to qtnext opens a door for a known type of attack: parameter injection on URL protocols.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pdp</title>
		<link>http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/comment-page-1/#comment-123741</link>
		<dc:creator>pdp</dc:creator>
		<pubDate>Wed, 17 Sep 2008 09:53:52 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1209#comment-123741</guid>
		<description>In my POC, it launches the system calculator, and this is enough to make me worried.</description>
		<content:encoded><![CDATA[<p>In my POC, it launches the system calculator, and this is enough to make me worried.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: denka</title>
		<link>http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/comment-page-1/#comment-123726</link>
		<dc:creator>denka</dc:creator>
		<pubDate>Mon, 15 Sep 2008 18:23:49 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1209#comment-123726</guid>
		<description>Can you be specific to the extent of damage the Java application loaded in this way (from a share) can do? Will it not fail with any attempt to read/write files, or launch other applications?</description>
		<content:encoded><![CDATA[<p>Can you be specific to the extent of damage the Java application loaded in this way (from a share) can do? Will it not fail with any attempt to read/write files, or launch other applications?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: The QuickTime Vulnerability Overview &#124; GNUCITIZEN</title>
		<link>http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/comment-page-1/#comment-123651</link>
		<dc:creator>The QuickTime Vulnerability Overview &#124; GNUCITIZEN</dc:creator>
		<pubDate>Wed, 10 Sep 2008 10:57:39 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1209#comment-123651</guid>
		<description>[...] Overview published: September 10th, 2008 The details of the vulnerability were covered in my previous post. In this one I would like to briefly talk about the [...]</description>
		<content:encoded><![CDATA[<p>[...] Overview published: September 10th, 2008 The details of the vulnerability were covered in my previous post. In this one I would like to briefly talk about the [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: djTeller</title>
		<link>http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/comment-page-1/#comment-123648</link>
		<dc:creator>djTeller</dc:creator>
		<pubDate>Wed, 10 Sep 2008 08:16:25 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1209#comment-123648</guid>
		<description>So simple, yet so destructive. I guess QT rushed into fixing this bug, so there are probably some more attack vectors in the SMIL format, or even the same one with a twist.

Great work PDP, thanks for the info.</description>
		<content:encoded><![CDATA[<p>So simple, yet so destructive. I guess QT rushed into fixing this bug, so there are probably some more attack vectors in the SMIL format, or even the same one with a twist.</p>
<p>Great work PDP, thanks for the info.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Adrian 'pagvac' Pastor</title>
		<link>http://www.gnucitizen.org/blog/details-of-the-quicktime-vulnerability/comment-page-1/#comment-123640</link>
		<dc:creator>Adrian 'pagvac' Pastor</dc:creator>
		<pubDate>Tue, 09 Sep 2008 22:45:24 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1209#comment-123640</guid>
		<description>This is a neat example of a simple bug that can lead to command execution. Simple yet effective.</description>
		<content:encoded><![CDATA[<p>This is a neat example of a simple bug that can lead to command execution. Simple yet effective.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
