0DAY QuickTime pwns Firefox
It seams that QuickTime media formats can cause Firefox to misbehave. The result of this vulnerability can lead to full compromise of the browser.
Before we move on, I have to say a few things. Last year I disclosed two QuickTime vulnerabilities here and here. The first vulnerability was fixed but the second one was completely ignored. I tried to bring the spot light on the second vulnerability one more time over here without much of success. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack when technology change.
The exploit is rather simple. But first, here is a simple QTL file which instructs the browser to display a friendly
alert('whats up...') message on the screen:
The most interesting thing about this simple XML file is that we can save it with QuickTime supported extension in order to mislead the user. If you check about:plugins under Firefox, you will see that QuickTime supports several media formats. We can use the audio and video formats only. This means that you can paste the above code into files with extensions:
3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au, avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qtif, rgb, rts, rtsp, sdp, sdv, sgi, snd, ulw, vfw, wav and others.
Enough theory, let's see some action. For more information, just read this blog post. The exploit that gains chrome privileges looks like this:
In practice I can do anything with the browser. However, just for the sake of this demonstration, I simply open calc.exe.
If you dare to try this in your browser, here is a list of a few files you have to click on. They are not malicious. You have my word: qt-poc-01.mp3, qt-poc-02-shutdown-dont-click.mp3, qt-poc-03.mpeg, qt-poc-04.mov, qt-poc-05.avi.
BTW, QuickTime comes by default with iTunes. Therefore, iTunes users are most affected, I believe.
file.initWithPath('c:\\windows\\system32\\cmd.exe /c echo x & run notepad.exe & etc')? I'm not sure if it can be done but would be much easier to execute code without writing 'firefox backdoors' in 'chrome zone'...
like all other browsers do [K-Meleon,Opera..]
and use some utf8 encoder if you have long parameters. I still havent managed to get this to write a .bat.
process.run(true,['/parmaeter1'],['/parameter2'],2) (2=arg lenght)
process.run(true,['/c > script.txt echo hello'],1)