Re: [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow

[Dan Harkless <dan-bugtraq () DILVISH SPEED NET>]

UNYUN <shadowpenguin () BACKSECTION NET> writes:
> SPS Advisory #41
>
> Apple Quick Time Plug-in Buffer Overflow
>
> UNYUN <shadowpenguin () backsection net>
> Shadow Penguin Security (http://shadowpenguin.backsection.net)
>
> --------------------------------------------------------------
>
> [Date]
> July 31, 2001
>
> [Vulnerable]
> QuickTime Player 4.1.2 for Windows (Japanese)
>
> [Not vulnerable]
> unknown
>
> [Overview]
>    There is a exploitable buffer overflow bug in quick time plug-in
> for windows. This problem occurs when the visitor clicks the shown
> movie in the browser. Quick time plug-in doesn't check the length of
> HREF parameter in EMBED tag appropriately, Quick time overflows when
> the long string is specified in HREF. This buffer overflow overwrites
> the local buffer, the codes which are written in the EMBED tag can be
> executed in the client host.
>
> [Risk]
>    If the HTML file which contains the cracking code in EMBED tag is
> opened and visitor clicks the shown movie, the cracking code will be
> executed on the client host. This overflow contains the possibility of
>  the virus and trojans infection, sytsem destruction, intrusion, and
> so on.
>
> [Details]
>    We explain the details of this problem under the environment of
> Windows98(SE/Japanes)+QuickTime Player 4.1.2 for Windows+Internet
> Explorer 5.0. You can check this problem easily by the following
> simple HTML file.
>
> <html>
> <embed src="c:\program files\quicktime\sample.mov"
>        href="aaaa... long string (730 characters)"
>        width=60 height=60 autoplay="true"
>        target="QUICKTIMEPLAYER">
> </html>

You don't mention whether you've tried this on other versions of the OS,
browser, or player.  FWIW, I tried it with QuickTime Player 4.1.2 on Windows
2000 (U.S.) with Internet Explorer 5.00.3103.1000 and didn't get a crash.
Tried with 730 characters and with 7300.

Also tried with Netscape Communicator 4.76 on the same platform.  There I
had to change the src from the "c:\Non-Microsoft\QuickTime-4.1.2\Sample.mov"
that IE accepts to the standards-compliant
"file:///C|/Non-Microsoft/QuickTime-4.1.2/Sample.mov", but again, no crash.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.