
QuickTime ActiveX Remote Buffer Overflow
11th Sep 2002 [SBWID-5683]
COMMAND

	
		Apple QuickTime ActiveX remote buffer overflow
	
	

SYSTEMS AFFECTED

	
		Apple QuickTime ActiveX v5.0.2
	
	

PROBLEM

	
		Ollie Whitehouse [ollie@atstake.com] with Andreas Junestam
		[andreas@atstake.com] and Dave Aitel of @stake Inc.
		[http://www.atstake.com] posted
		[www.atstake.com/research/advisories/2002/a091002-1.txt] :
		

		Apple QuickTime (http://www.quicktime.com) is the media player used by
		a large number of distributors for high quality video and audio based
		media. Version 5.0 has been downloaded over 100,000,000 times. There is
		a buffer overrun caused by the way that the QuickTime ActiveX component
		handles the "pluginspage" field when parsed from a malicious remote
		or local HTML page. This can allow the execution of arbitrary computer
		code on the computer viewing the malicious web page. The QuickTime
		ActiveX component is commonly used for movie trailers (i.e. those
		located at http://www.apple.com/trailers/) and other streaming or
		static media technologies when they are embedded in a web page.
		

		

		Details:
		

		To exploit this vulnerability an attacker would need to get his or her
		target to open a malicious HTML file as an attachment to an email
		message, as a file on the local or network file system, or as a file
		via HTTP. Most likely this would be accomplished by embedding a link to
		a vulnerable web site in an email message or another web page. If the
		malicious HTML file is opened it will cause QuickTime to execute the
		arbitrary computer code contained within the HTML page.
		

		Take the following example HTML page:

		---- Begin Sample HTML
		<OBJ7ECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
		  WIDTH="480" HEIGHT="376">
		  <PA7RAM NAME="src" VALUE="test.mov">
		  <PA7RAM NAME="controller" VALUE="false">
		  <PA7RAM NAME="target" VALUE="myself">
		  <PA7RAM NAME="href" VALUE="test.mov">
		  <PA7RAM NAME="pluginspage" VALUE="insert overly long string here">
		  <EM7BED WIDTH="480" HEIGHT="376" CONTROLLER="false"
		    TARGET="myself" HREF="test2.mov"
		    SRC="test.mov"
		    BGCOLOR="FFFFFF"
		    BORDER="0"
		    PLUGINSPAGE="insert overly long string here">
		  </EM7BED>
		</OB7JECT>
		---- End Sample HTML

		[note: remove the '7's in the tags above to create valid HTML]

		

		This sample HTML, when edited to insert an overly long string, will
		cause an exception that is exploitable.
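As an added example (not from the advisory or from @stake), a small Python scanner of the kind the perimeter-gateway recommendation below calls for: it pulls every pluginspage value out of an HTML document, whether it arrives as an OBJECT PARAM or as an EMBED attribute, and flags values far longer than any real plug-in download URL. The 256-byte limit and the two sample documents are assumptions made for the example.

```python
from html.parser import HTMLParser
from typing import Dict, List

# CLSID from the advisory's sample HTML (lower-cased for comparison).
QUICKTIME_CLSID = "02bf25d5-8c17-4b23-bc80-d3488abddc6b"
# pluginspage legitimately holds a short download URL; this limit is an
# assumed gateway policy value, not a figure from the advisory.
MAX_PLUGINSPAGE = 256


class PluginsPageScanner(HTMLParser):
    """Records each pluginspage value and whether it sits in a QuickTime <object>."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict] = []
        self._in_quicktime_object = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # HTMLParser lower-cases tag names
        if tag == "object":
            self._in_quicktime_object = QUICKTIME_CLSID in a.get("classid", "").lower()
        elif tag == "param" and a.get("name", "").lower() == "pluginspage":
            self._record("param", a.get("value", ""))
        elif tag == "embed" and "pluginspage" in a:
            self._record("embed", a["pluginspage"])

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_quicktime_object = False

    def _record(self, where: str, value: str) -> None:
        self.findings.append({"where": where, "length": len(value),
                              "quicktime": self._in_quicktime_object})


def oversized_pluginspage(html: str, limit: int = MAX_PLUGINSPAGE) -> List[Dict]:
    """Return the pluginspage values in html longer than limit (empty = nothing to block)."""
    scanner = PluginsPageScanner()
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.findings if f["length"] > limit]


# Constructed inputs: a benign embed and a page shaped like the advisory's sample.
BENIGN = '<EMBED SRC="a.mov" PLUGINSPAGE="http://www.apple.com/quicktime/download/">'
SUSPECT = ('<OBJECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B">'
           '<PARAM NAME="pluginspage" VALUE="' + "A" * 2000 + '">'
           '<EMBED SRC="test.mov" PLUGINSPAGE="' + "A" * 2000 + '"></EMBED></OBJECT>')
```

Run over SUSPECT the scanner reports two oversized values, one from the PARAM and one from the EMBED, both inside the QuickTime OBJECT; BENIGN yields nothing.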
		

		It is possible for an attacker to specify a codebase that will  download
		a vulnerable version of the ActiveX component.
		

		This is a good example of why not  to  trust  *ANY*  ActiveX  components
		from any unknown source even if the site  is  considered  safe  and  the
		ActiveX component is signed on behalf of a trusted organization.
		

		
	
	

SOLUTION

	
		Apple  has  resolved  this  issue  within  QuickTime  6  which  can   be
		downloaded from :
		

		 http://www.apple.com/quicktime/

		

		

		Recommendation:
		

		If you use Quicktime, upgrade to Quicktime 6. If  you  are  a  web  site
		that hosts the qtplugin.cab file you should upgrade to version 6.
		

		You should  never  open  attachments/webpages  that  come  from  unknown
		sources no matter how benign they may appear.  Be  wary  of  those  that
		come from known sources.
		

		You can set the "kill bit" for a known vulnerable ActiveX component by
		editing the registry. This will keep Internet Explorer from executing
		the vulnerable component. Directions for setting the kill bit are
		at:
		

		http://support.microsoft.com/default.aspx?scid=KB;EN-US;q240797&
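As an added example (not part of the advisory), the kill bit applied to the control named in the sample HTML above. Internet Explorer refuses to instantiate any CLSID whose "Compatibility Flags" DWORD under the ActiveX Compatibility key has bit 0x400 set; the code below either applies that directly through winreg on Windows (run elevated) or emits a .reg file for "reg import". The helper names are the example's own.

```python
from typing import Optional

# CLSID of the QuickTime ActiveX control, taken from the advisory's sample HTML.
QUICKTIME_CLSID = "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}"
# Internet Explorer consults this key before instantiating any control.
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that tells IE never to load the control


def merge_flags(existing: Optional[int]) -> int:
    """OR the kill bit into whatever flags are already set, so none are lost."""
    return (existing or 0) | KILL_BIT


def is_killed(flags: Optional[int]) -> bool:
    """True when the kill bit is present in a Compatibility Flags value."""
    return bool((flags or 0) & KILL_BIT)


def killbit_reg_text(clsid: str) -> str:
    """Build a .reg file body (for 'reg import') that sets the kill bit for clsid."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\{ACTIVEX_COMPAT}\\{clsid}]\r\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\r\n'
    )


def set_killbit(clsid: str) -> int:
    """Apply the kill bit via winreg (Windows only, run elevated); returns the new flags."""
    import winreg  # only importable on Windows
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, f"{ACTIVEX_COMPAT}\\{clsid}") as key:
        try:
            current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
        except FileNotFoundError:
            current = None  # value not present yet: no existing flags to preserve
        new = merge_flags(current)
        winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, new)
        return new


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        print(hex(set_killbit(QUICKTIME_CLSID)))
    else:
        print(killbit_reg_text(QUICKTIME_CLSID), end="")
```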

		

		You should consider the benefits and risks of each attachment file type
		or ActiveX component that you let into your organization. Attachment
		file types or ActiveX components that you do not need should be dropped
		at your perimeter mail gateway or proxy server. Attachments that you
		choose to forward on into your organization should be scanned for known
		malicious code using an antivirus product.
		

		

		Common Vulnerabilities and Exposures (CVE) Information:
		

		The Common Vulnerabilities and Exposures (CVE) project has assigned  the
		following names to these issues. These are candidates for  inclusion  in
		the  CVE  list  (http://cve.mitre.org),  which  standardizes  names  for
		security problems.
		

		     CAN-2002-0376 Apple QuickTime ActiveX v5.0.2 Buffer Overrun

		

		

		@stake Vulnerability Reporting Policy:

		http://www.atstake.com/research/policy/

		

		@stake Advisory Archive:

		http://www.atstake.com/research/advisories/

		

		PGP Key:

		http://www.atstake.com/research/pgp_key.asc

		

		Copyright 2002 @stake, Inc. All rights reserved.

	
