QuickTime 0day for Vista and XP

Fri, 25 Apr 2008 17:57:42 GMT

A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). Other versions are believed to be affected as well. For now, no details will be released regarding the method of exploitation.

An attacker could exploit the vulnerability by constructing a specially crafted QuickTime supported media file that allows remote code execution if a user visits a malicious Web site, opened a specially crafted attachment in e-mail or opened a maliciously crafted media file from the desktop. The vulnerability was successfully tested on Windows XP SP2 and Windows Vista SP1 environments. Other versions are believed to be exploitable as well. The vulnerability is currently held private. The GNUCITIZEN team is following responsible disclosure practices. Therefore, the vulnerability details will be privately disclosed to the vendor in a short period of time. This advisory is meant to inform the public and raise general awareness.

The video above demonstrates the issue on Windows Vista and Windows XP. The Windows Vista demo is rather slow because it runs from a 512MB VMWare machine.

Yousif YaldaYousif Yalda
Wow, impressive. You stumbled upon this doing what? How we can help prevent against this sort of vulnerability?
RyanTheGreatRyanTheGreat
Nice work PDP, very interesting find. I look forward to reading the information behind this technique in the future.
LuckyLucky
Also more about the music artist and title names, please :)
Adrian 'pagvac' PastorAdrian 'pagvac' Pastor
good stuff pdp! I must say you're really inspiring me to find a client-side RCE vuln!
JonasJonas
This is simply amazing. I was just thinking, what if someone found this vulnerability and decided to embed the file on a malicious website. Then infect a few larger websites with a hidden iframe including the site. Would hit pretty hard i think.
robrob
YouTube must not like your exploit: We're sorry, this video is no longer available.
pdppdp
I don't know the name of the song because I took it from a site providing CCed audio. So, I have no idea. rob, the video is still up.
pdppdp
Jonas, that's why we don't disclose the details of the issue. We want to inform and at the same time prevent mass 0wnage.
KeveKeve
Music is from the swordfish soundtrack.... Dope Smugglaz - The Word (PMT Remix)
LuckyLucky
pdp, would you name the site or give a link to the track used? Thanks!
wishiwishi
Cool... :) Good - not to post the "exploit" now, but to mention the standard fact: don't work as Admin. I like the whitehead way: no destruction, but construction. That's the right way. You're sweet as!
OwariDaOwariDa
Is only the stand-alone player affected or is it exploitable through a browser as well?
LuckyLucky
Thank you Keve! Sorry for the OT.
whocareswhocares
Don't you have to give credit to the person who made the music, even if it is creative commons licensed? I don't remember seeing a CC license where you don't have to give credit to the author, though I might not be up to date :)
pdppdp
well, I should have, but if I only knew the author. however, this is irrelevant to the current subject. stay focused. :)
Jim ManicoJim Manico
What about Vista w/ UAC turned on? Cool video, nicely produced.
pdppdp
Jim, exploits are means to an end. :) I would be more worried for my online accounts getting compromised, as I don't have control over them, then my Vista box being included in a harmless botnet.
skfskf
And how is this remote vulnerability? You click on bloody local file and run it in your local application. Tricks doesn't make this vulnerability remote.
pdppdp
remote in a sense that the user can be compromised when opening such a file.
adriangadriang
Nice one Petko, if you say it is so I trust you,after the PDF thing my faith is almost religious, is there a workaround to prevent this, or just disable Quicktime, any advice? ;>}
Awesome AnDrEwAwesome AnDrEw
This wouldn't happen to be exploited in a similar fashion to the Windows Media Player one would it?
pdppdp
no details regarding the vulnerability will be shared at this stage. 10x
Thor LarholmThor Larholm
Nice find, yet again :) Why do I keep forgetting that you are based in the UK? You're just a small Viking raid away. So, probably some URL protocol vulnerability. Or, embedded HTML with an object tag that points the codeBase attribute on mspaint or notepad in known locations. Am I getting close? ;) /Thor
pdppdp
yeh, if you are around London we should catch up.
Jim ManicoJim Manico
UAC is a joke and can be circumvented by savvy programmers. http://developers.slashdot.org/article.pl?sid=08/04/27/2013215
pdppdp
there you go, thanks Jim
cryoohkicryoohki
@jim: rtfa next time. Or at least the comments on /. For the "imaginary vulnerabilities" Apple's policy stinks, that's all I can say...
David KierznowskiDavid Kierznowski
Regarding hype:
I think we sometimes forget our roots as security researchers. The only reason we have an industry today was because of full-disclosure and hype. If you can't create a noise to motivate change, then you don't affect the commercial market, which in turn means we are all out of jobs ;)
alinoalino
@PDP: Which Class of Vulnerability ( stack/heap based buffer overflow or other.. ) was used for this vulnerability? btw: good work pdp :)
hilikushilikus
Very good findings and research pdp, keep up the good work, and props for the responsible disclosure. Don't let any of these trolls take away from your execlent findings. And good luck working with Apple, I just keep thinking about the wireless dirver vulnerability and how they treated HDMoore :\ @alino: I doubt he is going to say, read the other comments and his responses.
works on mac?works on mac?
so you are doing some HREF track ninja? http://www.apple.com/quicktime/tutorials/hreftracks.html You test this stuff on a mac PDP?
flashdriveflashdrive
when can we expect to see how this is done?
Jim ManicoJim Manico
Inquiring minds want to know. Can you at least let us know how Apple is reacting to this exploit?
IxIx
Seconding Jim's question. Knowing it exists is important, knowing what's being done about it is even more important.