Proof of concept exploit code for a newly discovered vulnerability in Apple's QuickTime player has been made available to the public today. The vulnerability (Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability) was first reported on November 23rd by Polish security researcher Krystian Kloskowski.
The publicly released exploit works successfully when tested with the latest stand-alone QuickTime player application, version 7.3. It does not seem to execute any shellcode when tested with the QuickTime browser plugin, even though the browser crashes due to the buffer overflow.
At the moment we believe the most likely attack scenarios to appear using this vulnerability could be:
1. Email based attacks.
2. Web browser based attacks.
In the email attack scenario the user receives a malicious email with an attachment whose file extension is associated by default with QuickTime Player (e.g. .mov, .qt, .qtl, .gsm, .3gp, etc.). The attachment is not actually a media file; instead it is an XML file which forces the player to open an RTSP connection on port 554 to the malicious server hosting the exploit. When QuickTime Player contacts the remote server, it receives back the malformed RTSP response, which triggers the buffer overflow and the immediate execution of the attacker's shellcode. This attack requires the user to double-click the QuickTime multimedia attachment. It is worth bearing in mind that this attack may also work with other common media formats such as .mpeg, .avi, and other MIME types that are associated with the QuickTime player.
In the Web browser attack scenario, the attack will most likely start with a hyperlinked URL sent to the user. When the user clicks on the URL, the browser loads a page that has a QuickTime streaming object embedded in it. The object initiates the RTSP connection to the malicious server on port 554 and exploit code is sent in the response.
We have tested the behavior of the current exploit against some of the common Web browsers. We have seen that with Internet Explorer 6/7 and Safari 3 Beta the attack is prevented.
The browser in this case loads QuickTime Player as an internal plugin, and when the overflow occurs it triggers standard buffer overflow protection that shuts down the affected processes before any damage can be done. Attackers may attempt to refine the exploit in the coming days in order to overcome this initial hiccup and work to create a reliable exploit that works on Internet Explorer.
Firefox users are more susceptible to this attack because Firefox farms off the request directly to QuickTime Player as a separate process outside of its control. As a result, the current version of the exploit works perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats.
At this time there is no patch available to resolve this issue, so to reduce the risk from this threat users are advised to restrict outbound connections on TCP 554 using their firewalls and to avoid following links to untrusted Web sites.
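Beyond blocking outbound TCP 554, a proxy or IDS in front of the player can flag the kind of malformed RTSP response described above. The following is an added example written for this post, not code from Apple, the researcher, or the exploit; the sample responses are constructed, and the size thresholds are assumed policy values, since the advisory gives no numbers.

```python
# Heuristic check for RTSP responses with an abnormal Content-Length header.
# Constructed samples (not captured traffic): a benign reply and one whose
# Content-Length value is far longer than any legitimate decimal number.
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 312\r\n\r\nv=0\r\n")
SUSPICIOUS = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
              b"Content-Length: " + b"9" * 1200 + b"\r\n\r\n")

# Assumed thresholds for illustration; tune them to what your clients need.
MAX_HEADER_VALUE_LEN = 256        # no sane Content-Length needs more characters
MAX_CONTENT_LENGTH = 10 * 1024 * 1024  # largest SDP/body we expect on port 554


def parse_rtsp_headers(raw):
    """Split an RTSP response into its status line and a lower-cased header dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_rtsp_response(raw):
    """Return a list of findings; an empty list means nothing looked abnormal."""
    findings = []
    status, headers = parse_rtsp_headers(raw)
    if not status.startswith("RTSP/"):
        findings.append("status line does not begin with RTSP/")
    value = headers.get("content-length")
    if value is None:
        return findings
    if len(value) > MAX_HEADER_VALUE_LEN:
        findings.append("Content-Length value is %d characters long" % len(value))
    if not value.isdigit():
        findings.append("Content-Length is not a plain decimal integer")
    elif int(value) > MAX_CONTENT_LENGTH:
        findings.append("Content-Length exceeds policy maximum")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, check_rtsp_response(sample) or "ok")
```

A response that trips either length check should be dropped before it reaches the player, and the connection logged for incident review.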