Multiple Media Players ((iTunes / QuickTime) - HTTP DataHandler Overflow

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1059012 漏洞类型
发布时间 2010-01-15 更新时间 2010-01-15
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Multiple CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/11142
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
ScaryMovie Exploit Study
By: Dr_IDE
October, 2009

There is a widespread failure in the way that (.MOV) files are handled by the Quicktime Library. I have attempted to compound my findings on this issue. 

Nearly every (.MOV) enabled application that I tested fell victim to this exploit. This is a local memory corruption vulnerability in the way these programs process a malformed file. I have provided crash logs, register dumps where applicable, sample script and trigger file.

Memory Corruption is repeatable and code execution seems possible. Because this issue affects web browsers it seems that the attack vector will be both Local and Remote.

It should be noted these applications are all registered by default as registered applications for this file type. There is no trickery involved in order to enable these programs to open the malicious file.

List of affected programs that I have verified:
-Tested on Snow Leopard 10.6.1 (All updates as of 10/07/09)
Apple Products (OSX):
	Finder.app              		(Built-in OSX)
 	Garageband 09			        (Latest)
	Grapher.app             		(Built-in OSX)	
	iMovie 8.0				(Latest)
 	iPhoto 8.0                		(Latest)
	iTunes 9.0.1				(Latest)
	iWeb					(Latest)
	Keynote 5.0.3 (791)			(Latest)
	Numbers 2.0.3 (332)		        (Latest)
	Pages 4.0.3 (766)			(Latest)
	Safari 4.0.3				(Latest)
 	Quicktime Player 10       		(Latest)

Third Party Applications (OSX):
 	Cellulo 2.0.2             		(Latest)
	Excel 2008				(Latest)
	HexEdit 2.2				(Latest)
	Mozilla Firefox 3.5.3(OSX)		(Latest)
	Powerpoint 2008			        (Latest)
	VLC 1.0.2 (OSX)			        (Latest)
 	WidescreenPlayer          		(Latest)
	Word 2008				(Latest)
Windows XP Service Pack 3:
	iTunes 9.0.1.8             		(Latest)
	Quicktime 7.3.4            		(Latest)
	MediaPlayerClassic 6.4.9.1	        (Latest)

Not Vulnerable:
	VLC 1.0.2 on Windows seems to not be vulnerable to this.
	Firefox 3.5.3 on Windows crashed once but not reliably.

PoC Packagetx:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/11142.zip (Dr_IDE_ScaryMovie_Study.zip)