QuickTime 0day for Vista and XP
A remote code execution vulnerability exists in the QuickTime player for Windows XP and Windows Vista with the latest service packs installed. Other versions are believed to be affected as well. For now, no details of the exploitation method will be released.
Because we are an information security think tank, and because we encounter some very interesting vulnerabilities in our work, we often share our findings with the masses in order to give something back to the community. It is good to take, but it is even better to give. Unfortunately, the situation in the UK is changing and we, as whitehat hackers, have to adjust to these changes. Therefore, we have been experimenting with a number of disclosure methods over the past couple of months. We have tried everything, from full disclosure to partial disclosure, private disclosure and no disclosure at all. Now it is time to move to something totally different, and if we find that it works for us, we will share the secret with you for the good of the community. Please bear with us. This is just one of our social experiments.
A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). An attacker could exploit the vulnerability by constructing a specially crafted media file in a format QuickTime supports. Opening that file leads to remote code execution, whether the user visits a malicious web site, opens a specially crafted e-mail attachment, or opens the file from the desktop.
Code executed through this vulnerability runs with the rights of the logged-on user. If that user has administrative privileges, the attacker could take complete control of the affected system: install malicious programs; view, change or delete sensitive data; or create new accounts with full user rights. Users who are logged on with a less privileged account are therefore less exposed than users who operate with administrative rights.
The vulnerability was successfully tested on Windows XP SP2 and Windows Vista SP1. Other versions are believed to be exploitable as well. The vulnerability details are currently being held private. The GNUCITIZEN team is following responsible disclosure practices, so the details will be disclosed privately to the vendor shortly. This advisory is meant to inform the public and raise consumer awareness.
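The advisory gives no technical details, so the only thing a Windows administrator can act on today is the exposure it describes: whether users run with administrative rights, whether QuickTime is installed, and whether the browser can still instantiate the QuickTime ActiveX control. The following read-only audit script is an added example written for this page; it is not part of the GNUCITIZEN advisory and does not touch the vulnerability itself. It assumes standard Windows PowerShell, the standard Uninstall registry keys, and the CLSID commonly documented for the QuickTime control (an assumption; verify it under HKCR:\CLSID on your own machine before relying on it).

```powershell
# Added audit check, not part of the GNUCITIZEN advisory. Read-only: it reports
# (1) whether this session has administrative rights, (2) whether QuickTime for
# Windows is installed and which version, and (3) whether the Internet Explorer
# kill bit is set for the QuickTime ActiveX control.

# 1. Administrative rights. The advisory's impact scales with this: code run
#    through the flaw inherits the logged-on user's privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running with administrative rights: $isAdmin"

# 2. QuickTime installation, via the standard Uninstall keys (native and
#    32-bit-on-64-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$qt = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like 'QuickTime*' }
if ($qt) {
    foreach ($entry in $qt) {
        "Installed: $($entry.DisplayName) $($entry.DisplayVersion)"
    }
} else {
    "QuickTime does not appear in the Uninstall registry keys."
}

# 3. Kill bit for the QuickTime ActiveX control. ASSUMPTION: the CLSID below is
#    the one usually documented for the QuickTime control; check it against
#    HKCR:\CLSID before trusting this result. A Compatibility Flags value with
#    bit 0x400 set means Internet Explorer refuses to instantiate the control.
$clsid   = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}'
$killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$flags   = (Get-ItemProperty -Path $killKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($flags -band 0x400) {
    "Kill bit is set for $clsid (Internet Explorer will not load the QuickTime control)."
} else {
    "Kill bit is NOT set for $clsid."
}
```

Two caveats when reading the output. Setting the kill bit only covers the Internet Explorer vector; the advisory also lists e-mail attachments and files opened from the desktop, which go straight to the standalone player, and other browsers load QuickTime through their own plugin mechanism. And a non-administrative session limits what exploit code can do to the system, not whether it runs, so the user's own data and saved credentials remain reachable.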
The video above demonstrates the issue on Windows Vista and Windows XP. The Vista demo is rather slow because it runs in a VMware virtual machine with 512 MB of RAM.
trackbacks
- QuickTime + Windows XP/Vista vulnerability
- Department of Homeland Security website hacked - CPS Forums
- Researcher finds new flaw in QuickTime for Windows | InfoWorld | News | 2008-04-28 | By Jeremy Kirk, IDG News Service
- New flaw found in QuickTime for Windows
- Vulnerability in QuickTime for Windows | Macbase
- Researcher finds new flaw in QuickTime running on XP and Vista | Manoel Franklin
- New zero-day hole discovered in Apple's QuickTime - News | ZDNet.de Security
- QuickTime security flaw on Windows XP and Vista | Incubaweb
- Security News - Tools - Tutorials and more … » Blog Archive » Department of Homeland Security website hacked!
- Security hole in QuickTime compromises Vista and XP users | Win-Vista.es
- Researcher finds new flaw in QuickTime for Windows
- A new QuickTime hole on Windows | MacOSXPC.Com
- Hardware e Software » Blog Archive » QuickTime, dangerous flaw identified
- GNUCitizen: QuickTime for Windows Vista and XP Leakage Leads to Inevitable Badness | Infosecurity.US
- Quicktime Flaw Makes Windows Vulnerable to Attack | Networking for Networkers
- Antonio Trigiani iBlog - Informatica Virale » Blog Archive » Video: QuickTime 0day vulnerability on Windows Vista and XP

comments
Wow, impressive. You stumbled upon this doing what? How can we help prevent this sort of vulnerability?
Nice work PDP, very interesting find. I look forward to reading the information behind this technique in the future.
Also more about the music artist and title names, please :)
good stuff pdp! I must say you’re really inspiring me to find a client-side RCE vuln!
This is simply amazing. I was just thinking, what if someone found this vulnerability and decided to embed the file on a malicious website, then infected a few larger websites with a hidden iframe including the site? Would hit pretty hard, I think.
YouTube must not like your exploit:
“We’re sorry, this video is no longer available.”
I don’t know the name of the song because I took it from a site providing CCed audio. So, I have no idea. rob, the video is still up.
Jonas, that’s why we don’t disclose the details of the issue. We want to inform and at the same time prevent mass 0wnage.
Music is from the swordfish soundtrack….
Dope Smugglaz - The Word (PMT Remix)
pdp, would you name the site or give a link to the track used? Thanks!
Cool… :)
Good - not to post the “exploit” now, but to mention the standard fact: don’t work as Admin.
I like the whitehead way: no destruction, but construction. That’s the right way. You’re sweet as!
Is only the stand-alone player affected or is it exploitable through a browser as well?
Thank you Keve! Sorry for the OT.
Don’t you have to give credit to the person who made the music, even if it is creative commons licensed? I don’t remember seeing a CC license where you don’t have to give credit to the author, though I might not be up to date :)
well, I should have, but if I only knew the author. however, this is irrelevant to the current subject. stay focused. :)
“Because we are an information security think tank”
kekkkekeke!!! You're a Polish douche bag who gets off on attention.
troll community rulez… polish? :) your ignorance precedes you. next time when you come up with such brilliant comments, verify the validity of your statements before pressing the submit button. it will save you the embarrassment. :) keep on dude! you have a great future. :) all the best, pdp
What about Vista w/ UAC turned on? Cool video, nicely produced.
Jim, exploits are means to an end. :) I would be more worried about my online accounts getting compromised, as I don’t have control over them, than about my Vista box being included in a harmless botnet.
And how is this a remote vulnerability? You click on a bloody local file and run it in your local application. Tricks don’t make this vulnerability remote.
remote in a sense that the user can be compromised when opening such a file.
Nice one Petko, if you say it is so I trust you; after the PDF thing my faith is almost religious. Is there a workaround to prevent this, or just disable QuickTime? Any advice? ;>}
This wouldn’t happen to be exploited in a similar fashion to the Windows Media Player one would it?
no details regarding the vulnerability will be shared at this stage. 10x
come oooon! there is a bug found in quicktime every day. there’s no reason to hype it that way. and btw “remote in a sense that the user can be compromised when opening such a file.” then every bug is remote, isn’t it?
someq, as far as I can see no one is hyping this bug. people find it interesting, they comment on it. but please, find another bug in quicktime so you get even. :)
ohhh, not to mention the fact that it works on Vista, but why should I hype that? hmmm…
Nice find, yet again :)
Why do I keep forgetting that you are based in the UK? You’re just a small Viking raid away.
So, probably some URL protocol vulnerability. Or, embedded HTML with an object tag that points the codeBase attribute on mspaint or notepad in known locations. Am I getting close? ;)
/Thor
yeh, if you are around London we should catch up.
Indeed this is hyping; you say in the article that it can trigger with the user visiting a “malicious Web site”, yet you say in a comment it is remote in the sense “that the user can be compromised when opening such a file”. I’m not arguing about remote, but about exaggerating the importance of the exploit, especially since most (careful) users will not turn off UAC.
it is all semantics, all of the above are possible. visiting a file is opening it. not to mention the fact that the QuickTime browser plugin can load into the QuickTime Player, a feature known to be called , but this is beside the point. So, if this is hype, then fair enough. I find this vulnerability less significant than any other vulnerabilities affecting your online profiles, data, whatever. You may have UAC on Vista but you are barefoot on the Web. thanks for the comment.
P.S.
the only reason I am putting this issue up is to warn the public. keep in mind that I could have turned it into a fat bonus.
UAC is a joke and can be circumvented by savvy programmers.
http://developers.slashdot.org.....27/2013215
there you go, thanks Jim
@jim: You’re kidding right? Did you read the article? They didn’t even come close to breaking UAC security. They changed the app from displaying UAC popups to display an installer popup. Try again fanboy.
@pdp: yet another sensationalised article on your “unique” exploits/techniques. considering that apple released a patch for quicktime after the mac was owned using an exploit through QT, and then announced that there were two more exploits which affected vista and mac users which were being worked on, I would say that your exploit is non-existent, non-remote, and absurdly advertised as a 0-day with a “we aren’t letting you know what we know, but we know something!” attitude. fail.
fragge, thanks for the interesting comment but you are wrong. here is a question for you, how can I know what these two other imaginary vulnerabilities are?
@jim: rtfa next time. Or at least the comments on /.
For the “imaginary vulnerabilities” Apple’s policy stinks, that’s all I can say…
I think we sometimes forget our roots as security researchers. The only reason we have an industry today was because of full-disclosure and hype. If you can’t create a noise to motivate change, then you don’t affect the commercial market, which in turn means we are all out of jobs ;)
@PDP: Which Class of Vulnerability ( stack/heap based buffer overflow or other.. ) was used for this vulnerability? btw: good work pdp :)
Very good findings and research pdp, keep up the good work, and props for the responsible disclosure. Don’t let any of these trolls take away from your excellent findings. And good luck working with Apple; I just keep thinking about the wireless driver vulnerability and how they treated HDMoore :\
@alino: I doubt he is going to say, read the other comments and his responses.
so you are doing some HREF track ninja?
http://www.apple.com/quicktime.....racks.html
You test this stuff on a mac PDP?
when can we expect to see how this is done?
Inquiring minds want to know. Can you at least let us know how Apple is reacting to this exploit?
Seconding Jim’s question. Knowing it exists is important, knowing what’s being done about it is even more important.