QuickTime Under Seige: Another Zero Day Exploit Released
The year-long hacker assault on Apple's QuickTime media player has unearthed another serious security vulnerability affecting
both Mac OS X and Windows users.
The latest flaw, released as zero-day (with with proof-of-concept exploit,) is a remote buffer overflow that occurs because QuickTime fails to properly bounds-check user-supplied input before copying it to an insufficiently sized buffer.
Researchers at Symantec DeepSight have confirmed the discovery, warning that:
Attackers can leverage this issue to execute arbitrary machine code in the context of the user running the affected application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.
This issue occurs when QuickTime attempts to open an RTSP connection with a server that has TCP port 554 closed. Quicktime will then attempt the connection via HTTP protocol on port 80. If the server returns an HTTP error status code message, the contents of the message will be displayed in the application's connection status bar.
"This can cause a buffer-overflow error that results in code execution," Symantec warned.
Here are some possible attack scenarios:
1. An attacker crafts a malicious HTTP error status code response file designed to leverage the issue. This would contain arbitrary data, memory addresses, and executable machine code designed to perform some action on the attacker's behalf.
2. The attacker hosts an RTSP server that blocks access to TCP port 554 and uses the malicious file for HTTP responses.
3. The attacker entices an unsuspecting user to connect to the server using the affected application.
4. When the user's application connects and processes the returned HTTP response, the attacker's code runs.
A successful exploit will compromise the affected application. Failed attacks will likely cause denial-of-service conditions.
Not counting silent (undocumented) fixes, Apple has patched at least 35 security flaws affecting QuickTime in 2007. In 2006, the QuickTime patch count was 28.
Separately, hacker Luigi Auriemma has discovered a "highly critical" code execution hole in the VLC Media Player.
The skinny from this Secunia advisory:
The vulnerability is caused due to a boundary error in within modules/access/rtsp/real_sdpplin.c when processing SDP data (Session Description Protocol) for RTSP sessions. This can be exploited to cause a heap-based buffer overflow e.g. when a user is enticed to connect to a malicious server.
Successful exploitation may allow execution of arbitrary code.
The VLC Media Player flaw is reported in version 0.8.6d. Other versions may also be affected.
UPDATE: New information suggests the QuickTime bug does NOT affect Mac OS X users. Also, the US-CERT has issued an advisory.