The QuickTime Vulnerability Overview

The details of the vulnerability were covered in my previous post. In this one I would like to briefly talk about the impact. Obviously, the vulnerability is very simple. Simple yet effective. However, this is not the type of vulnerability someone can exploit on a massive scale. Here is why.

Attack Vectors

The key element of the attack vector presented in my previous post is the attackers’ ability to point the victim to a file hosted on a NETBIOS share. [...]

more | comments | comments rss | posted by

Details of the QuickTime Vulnerability

In this post I intend to give a brief overview of the QuickTime vulnerability which I partially-disclosed over here. I should have made these details public long time ago but better late than never. The vulnerability has been fixed for several months now and I believe it is safe to talk about it in the public.

Let’s start with an example. The following is the source code of a malicious QuickTime SMIL file:

First of all, we start with the SMIL header (SMILtext). [...]

more | comments | comments rss | posted by

Dumping the admin password of the BT Home Hub (pt 2)

This is just a quick update regarding our previous post which details how to extract the default admin password for the latest firmware of the BT Home Hub (6.2.6.E at time of writing). I recommend you to read the previous post if you have not done so yet.

The BT Home Hub’s serial number – which is the default admin password – can also be found on UPnP description XML files. [...]

more | comments | comments rss | posted by

QuickTime 0day for Vista and XP

A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). Other versions are believed to be affected as well. For now, no details will be released regarding the method of exploitation.

The video above demonstrates the issue on Windows Vista and Windows XP. The Windows Vista demo is rather slow because it runs from a 512MB VMWare machine.

more | comments | comments rss | posted by

Holes in Embedded Devices: Authentication bypass (pt 4)

This kind of authentication bypass bug can go easily undetected during a security assessment if not enough attention is paid. In order to understand this type of vulnerability, we need to be familiar with settings pages available on devices’ web interface that allow the admin user to modify settings.

Administrative web interfaces have different sections/menus available to logged-in administrators. Each section is just a HTML page with a form designed to make configuration changes. [...]

more | comments | comments rss | posted by

The Pownce Worm (Yet Another Potential AJAX Worm)

First of all I need to let you know that it is not within our practice to disclose vulnerabilities on specific online applications. However, given the fact that Pownce, the vendor, was responsibly informed and the fact that we believe that the issue is interesting enough to be discussed, we’ve decided to let you know about our findings. [...]

more | comments | comments rss | posted by

0DAY: QuickTime pwns Firefox

It seams that QuickTime media formats can cause Firefox to misbehave. The result of this vulnerability can lead to full compromise of the browser.

Before we move on, I have to say a few things. Last year I disclosed two QuickTime vulnerabilities here and here. The first vulnerability was fixed but the second one was completely ignored. I tried to bring the spot light on the second vulnerability one more time over here without much of success. [...]

more | comments | comments rss | posted by

Full Disclosure?

As the GNUCITIZEN group grows, the team continue to find vulnerabilities in software products and applications, and there has been no real set policy around our members disclosure of these vulnerabilities. I think most of us have leaned towards the full-disclosure route. Occasionally, the vulnerability has been fairly critical and we have felt that releasing it early would be irresponsible, especially if the vendor had provided us with an acceptable timescale of when a fix would be available. [...]

more | comments | comments rss | posted by