Zero-Day Exploit for Apple QuickTime Vulnerability

Proof of concept exploit code for a newly discovered vulnerability in Apple's QuickTime player has been made available to the public today. The vulnerability (Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability) was first reported on November 23rd by Polish security researcher Krystian Kloskowski.

The publicly released exploit works successfully when tested with the latest stand-alone QuickTime player application version 7.3. It does not seem to execute any shellcode when tested with the QuickTime browser plugin even though the browser crashes due to the buffer overflow.

At the moment we believe the most likely attack scenarios using this vulnerability are:
1. Email based attacks.
2. Web browser based attacks.

In the email attack scenario the user receives a malicious email with an attachment whose file extension is associated by default with QuickTime Player (e.g. .mov, .qt, .qtl, .gsm, .3gp, etc.). The attachment is not actually a media file; it is an XML file which forces the player to open an RTSP connection on port 554 to the malicious server hosting the exploit. When QuickTime Player contacts the remote server, it receives back the malformed RTSP response, which triggers the buffer overflow and the immediate execution of the attacker's shellcode. This attack requires the user to double-click the QuickTime multimedia attachment. It is worth bearing in mind that this attack may also work with other common media formats such as .mpeg, .avi, and other MIME types that are associated with QuickTime Player.

In the Web browser attack scenario, the attack will most likely start with a hyperlinked URL sent to the user. When the user clicks on the URL, the browser loads a page that has a QuickTime streaming object embedded in it. The object initiates the RTSP connection to the malicious server on port 554 and exploit code is sent in response.
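Both scenarios above end the same way: the client receives an RTSP response whose Content-Length header is malformed. The following detection helper, added here as an illustration and not code from the original post or from Apple, parses an RTSP response and flags the header shapes a defender would want to alert on: an oversized or non-numeric Content-Length value, or duplicate Content-Length headers. The function names, the constructed sample responses and the `MAX_CONTENT_LENGTH_FIELD` threshold are assumptions chosen for this example; a legitimate Content-Length is a short decimal number, so any value wider than a handful of digits is a strong signal on TCP 554 traffic.

```python
# Added example (not from the original post): heuristic inspection of RTSP
# response headers to spot malformed Content-Length values in captured traffic.

# Assumption: a benign Content-Length is a short decimal number; anything wider
# than this many characters is treated as suspicious.
MAX_CONTENT_LENGTH_FIELD = 20


def parse_rtsp_response(raw: bytes):
    """Split an RTSP response into (status_line, headers).

    headers maps a lowercased header name to the list of values seen for it,
    so duplicate headers are preserved rather than silently overwritten.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; ignore
        key = name.strip().lower().decode("latin-1", "replace")
        headers.setdefault(key, []).append(value.strip().decode("latin-1", "replace"))
    return status_line, headers


def inspect_rtsp_response(raw: bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    status_line, headers = parse_rtsp_response(raw)
    if not status_line.startswith("RTSP/"):
        findings.append("status line is not an RTSP response")
    values = headers.get("content-length", [])
    if len(values) > 1:
        findings.append("multiple Content-Length headers")
    for value in values:
        if not value.isdigit():
            findings.append(f"non-numeric Content-Length value ({len(value)} bytes)")
        elif len(value) > MAX_CONTENT_LENGTH_FIELD:
            findings.append(f"oversized Content-Length field ({len(value)} bytes)")
    return findings


# Constructed sample responses (not real captures).
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 312\r\n"
    b"\r\n"
)

# A Content-Length field padded to 400 digits: far wider than any real value.
SUSPICIOUS_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Length: " + b"9" * 400 + b"\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RESPONSE), ("suspicious", SUSPICIOUS_RESPONSE)):
        print(label, inspect_rtsp_response(sample) or ["no findings"])
```

Run over responses captured from TCP 554 (e.g. reassembled from a pcap), this check is cheap enough to sit in an IDS preprocessor or a proxy; it complements, rather than replaces, the outbound port 554 restriction recommended below, since it only helps on traffic you can see.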

We have tested the behavior of the current exploit against some of the common Web browsers, and we have seen that with Internet Explorer 6/7 and Safari 3 Beta the attack is prevented.


The browser in this case loads QuickTime Player as an internal plugin, and when the overflow occurs it triggers standard buffer overflow protection that shuts down the affected process before any damage can be done. Attackers may attempt to refine the exploit in the coming days in order to overcome this initial hiccup and create a reliable exploit that works on Internet Explorer.

Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control. As a result, the current version of the exploit works perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats.


At this time there is no patch available to resolve this issue. To reduce the risk from this threat, users are advised to restrict outbound connections on TCP port 554 using their firewalls and to avoid following links to untrusted Web sites.