Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Fix for NTFS permissions issue in QuickTime 7.x for Windows
From: Geoff Strickler <geoff.strickler () gmail com>
Date: Tue, 20 Sep 2011 16:42:51 -0600

In Dec 2010, Apple released QT 7.6.9. One of the included fixes was for
CVE-2010-0530 <http://support.apple.com/kb/HT4447>, which I had reported to
Apple. While 7.6.9 corrects the problem with new installations, it does not
revoke the inappropriate NTFS permissions that may have been granted by
previous installations of QT 7.6.8 or earlier. The problem goes back to at
least 7.5.5, possibly earlier versions.

Despite repeatedly pointing out to Apple that any fix needed to correct any
permissions on existing installations, they did not do so, and it appears
that they aren't going to. Therefore, I'm releasing the details of the
vulnerability, and a batch file to correct (on most machines) the
inappropriate NTFS permissions granted by earlier versions of QTWin.

Below is a batch file that, when run as an administrator, will remove the
inappropriate permissions from all accessible user profiles on a W2k, XP,
Vista, or Win7 machine. If you're running NT4, running Windows Server, or
have restricted access to any user profile directories, the following script
may need modification.

Network administrators who need support in correcting permissions on a large
network of machines may contact the author for PAID support and/or scripts
better suited to cleaning up permissions on a large number of computers.

This software is offered as is, without warranty, and with no free support.

Geoff Strickler
On-line Transaction Consultants.

Below is the text of the
batch file.

@echo off
  rem Version 1.00 - Sept 20, 2011 by Geoff Strickler.
  rem About the author: Geoff Strickler [geoff.strickler at
  rem  gmail.com] is the person who originally found and reported
  rem  the vulnerability now known as CVE-2010-0530.

rem ---- Purpose:
  rem This program fixes removes the inappropriate permissions that were
  rem  set by QuickTime for Windows versions prior to 7.6.9.
  rem Attempt to correct permissions in all user profiles on this machine.

rem ---- Background:
  rem Apple provided a fix for CVE-2010-0530 in QuickTime 7.6.9, however,
  rem  Apple's fix [http://support.apple.com/kb/HT4447] fails to correct
  rem  the permissions in systems where inappropriate permissions have
  rem  already been granted by previous versions of QuickTime.

  rem This fix is not needed on systems where where the volume containing
  rem  the user profile directories is a FAT-32 volume since those
  rem  don't support user ACLs.

rem ---- Legal disclaimers:
  rem This software provided free of charge, as-is, with no warranties
  rem  expressed or implied. You assume all liability for any damages,
  rem  including incidental or consequential damages. no free support is
  rem  available from the author as I've already spent far too much time
  rem  finding and reporting the problem, and in developing this fix for
  rem  what Apple didn't remedy.


rem ---- Compatibility notes:
  rem This script is believed to be safe for use on W2k, XP, Vista, and Win7
  rem  systems. 

  rem The author has has only tested it on XP and Win7.

  rem It is NOT RECOMMENDED for Windows Servers

  rem It is NOT RECOMMENDED for NT4 systems, and might not be appropriate
  rem  for W2k or XP systems that are an in-place upgrade from NT4 or
  rem  earlier systems.

  rem For unsupported systems, either adapt it yourself, or contact the
  rem author for PAID support.

rem ---- Operation and usage notes:
  rem This script uses a "targeted" approach that will remove explicit (but
  rem  not inherited) permissions granted to specific subdirectories in all
  rem  user profile directories for which the user who executes it has
  rem  permissions to change permissions. Therefore, it's recommended that
  rem  this be executed by an administrator. It can be executed by non-
  rem  administrators, but in that case, it will typically only correct the
  rem  permissions in the current user's profile since that's the only
  rem  profile a non-administrator has access to change by default.

  rem The cacls command is deprecated in Vista and Win7, however, it still
  rem  works correctly. icacls is the replacement command, however, it's not
  rem  supported on XP and earlier system so cacls is used for maximum
  rem  compatibility.

rem ---- Start of script:
  rem Write a logfile to "CVE-2010-0530-log.txt" in the current user's
  rem  temporary directory.
echo %0 >%temp%\CVE-2010-0530-log.txt

  rem Make sure NT command extensions are enabled
setlocal EnableExtensions

  rem Since there is no environment variable that gives the base directory
  rem  containing all the user profiles, use the current user profile
  rem  directory (%userprofile%), then append "\..\*.*" to access it's
  rem  parent directory and get a list of all user profile directories.

  rem Iterate through all the user profile directories.
for /D %%i in ("%userprofile%\..\*.*") do (
   rem with NT4 and later, the command extensions allow some modification of
   rem environment variables. %%~i returns the same as %%i, but without the
   rem  leading and trailing quotes.
 echo . >>%temp%\CVE-2010-0530-log.txt
 echo %%~i >>%temp%\CVE-2010-0530-log.txt
 echo %%~i

   rem -------- revoke permissions for XP and earlier systems
   rem  from %userprofile%\Local Settings\Application Data\Apple Computer
   rem  and it's "QuickTime" subdirectory.
   rem  Notes on NT4 systems and possibly on W2k/XP systems that were
   rem  created as in-place upgrades from NT4 or earlier systems:
   rem The author recommends using the "one-profile-shotgun" script on
   rem  each possibly affected user on such systems rather than modifying
   rem  this script for that purpose.
   rem Only remove permissions from the two directories known to be
   rem  affected. Revoke permissions from:
   rem  %%~i\Local Settings\Application Data\Apple Computer
 cacls "%%~i\Local Settings\Application Data\Apple Computer" /e /c /r
"everyone" >>%temp%\CVE-2010-0530-log.txt
   rem and %%~i\Local Settings\Application Data\Apple Computer\QuickTime
 cacls "%%~i\Local Settings\Application Data\Apple Computer\QuickTime" /e /c
/r "everyone" >>%temp%\CVE-2010-0530-log.txt
   rem -------- revoke permissions for Vista/Win7 systems
   rem from %userprofile%\AppData\LocalLow\Apple Computer
   rem  and it's "QuickTime" subdirectory.
   rem You may replace the below commands with the equivalent icacls
   rem  command, but it's not necessary.
   rem Only remove permissions from the two directories known to
   rem  be affected.
   rem  Revoke them from %%~i\AppData\LocalLow\Apple Computer
 cacls "%%~i\AppData\LocalLow\Apple Computer" /e /c /r "everyone"
   rem  and from %%~i\AppData\LocalLow\Apple Computer\QuickTime
 cacls "%%~i\AppData\LocalLow\Apple Computer\QuickTime" /e /c /r "everyone"

   rem --------
   rem If you have files or directories in this user profile that were
   rem  affected by the cacls commands above, and you want them to be
   rem  accessible by "everyone", add cacls command(s) below to allow
   rem  that access.
   rem [your cacls command(s) here]
   rem --------

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]