BID:23608

Apple Quicktime QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability

Info

Apple Quicktime QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability

Bugtraq ID:	23608
Class:	Input Validation Error
CVE:	CVE-2007-2175
Remote:	Yes
Local:	No
Published:	Apr 23 2007 12:00AM
Updated:	Oct 24 2007 04:36PM
Credit:	Shane Macaulay and Dino Dai Zovi are credited with the discovery of this vulnerability.
Vulnerable:	Apple QuickTime Player 7.1.5 Apple QuickTime Player 7.1.4 Apple QuickTime Player 7.1.3 Apple QuickTime Player 7.1.2 Apple QuickTime Player 7.1.1 Apple QuickTime Player 7.0.4 Apple QuickTime Player 7.0.3 Apple QuickTime Player 7.0.2 Apple QuickTime Player 7.0.1 Apple QuickTime Player 7.0 Apple QuickTime Player 6.5.2 Apple QuickTime Player 6.5.1 Apple QuickTime Player 6.5 Apple QuickTime Player 6.1 Apple QuickTime Player 5.0.2 - Apple Mac OS 9 9.2.2 - Apple Mac OS 9 9.2.2 - Apple Mac OS 9 9.2.1 - Apple Mac OS 9 9.2.1 - Apple Mac OS 9 9.2 - Apple Mac OS 9 9.2 - Apple Mac OS 9 9.1 - Apple Mac OS 9 9.1 - Apple Mac OS 9 9.0.4 - Apple Mac OS 9 9.0.4 - Apple Mac OS 9 9.0 - Apple Mac OS 9 9.0 - Apple Mac OS X 10.1.5 - Apple Mac OS X 10.1.5 - Apple Mac OS X 10.1.4 - Apple Mac OS X 10.1.4 - Apple Mac OS X 10.1.3 - Apple Mac OS X 10.1.3 - Apple Mac OS X 10.1.2 - Apple Mac OS X 10.1.2 - Apple Mac OS X 10.1.1 - Apple Mac OS X 10.1.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.0.4 - Apple Mac OS X 10.0.4 - Apple Mac OS X 10.0.3 - Apple Mac OS X 10.0.3 - Apple Mac OS X 10.0.2 - Apple Mac OS X 10.0.1 - Apple Mac OS X 10.0.1 - Apple Mac OS X 10.0 - Apple Mac OS X 10.0 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server - Microsoft Windows 2000 Server - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services - Microsoft Windows 2000 Terminal Services - Microsoft Windows 95 SR2 - Microsoft Windows 95 SR2 - Microsoft Windows 95 - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows ME - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6 - Microsoft Windows NT Enterprise Server 4.0 SP6 - Microsoft Windows NT Enterprise Server 4.0 SP5 - Microsoft Windows NT Enterprise Server 4.0 SP5 - Microsoft Windows NT Enterprise Server 4.0 SP4 - Microsoft Windows NT Enterprise Server 4.0 SP4 - Microsoft Windows NT Enterprise Server 4.0 SP3 - Microsoft Windows NT Enterprise Server 4.0 SP3 - Microsoft Windows NT Enterprise Server 4.0 SP2 - Microsoft Windows NT Enterprise Server 4.0 SP2 - Microsoft Windows NT Enterprise Server 4.0 SP1 - Microsoft Windows NT Enterprise Server 4.0 SP1 - Microsoft Windows NT Enterprise Server 4.0 - Microsoft Windows NT Enterprise Server 4.0 - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6 - Microsoft Windows NT Server 4.0 SP6 - Microsoft Windows NT Server 4.0 SP5 - Microsoft Windows NT Server 4.0 SP5 - Microsoft Windows NT Server 4.0 SP4 - Microsoft Windows NT Server 4.0 SP4 - Microsoft Windows NT Server 4.0 SP3 - Microsoft Windows NT Server 4.0 SP3 - Microsoft Windows NT Server 4.0 SP2 - Microsoft Windows NT Server 4.0 SP2 - Microsoft Windows NT Server 4.0 SP1 - Microsoft Windows NT Server 4.0 SP1 - Microsoft Windows NT Server 4.0 - Microsoft Windows NT Server 4.0 - Microsoft Windows NT Terminal Server 4.0 SP6a - Microsoft Windows NT Terminal Server 4.0 SP6 - Microsoft Windows NT Terminal Server 4.0 SP6 - Microsoft Windows NT Terminal Server 4.0 SP5 - Microsoft Windows NT Terminal Server 4.0 SP5 - Microsoft Windows NT Terminal Server 4.0 SP4 - Microsoft Windows NT Terminal Server 4.0 SP4 - Microsoft Windows NT Terminal Server 4.0 SP3 - Microsoft Windows NT Terminal Server 4.0 SP3 - Microsoft Windows NT Terminal Server 4.0 SP2 - Microsoft Windows NT Terminal Server 4.0 SP2 - Microsoft Windows NT Terminal Server 4.0 SP1 - Microsoft Windows NT Terminal Server 4.0 SP1 - Microsoft Windows NT Terminal Server 4.0 - Microsoft Windows NT Terminal Server 4.0 - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows NT Workstation 4.0 Apple QuickTime Player 7.1 Apple QuickTime Player 6 - Apple Mac OS 9 9.2.2 - Apple Mac OS 9 9.2.2 - Apple Mac OS 9 9.2.1 - Apple Mac OS 9 9.2.1 - Apple Mac OS 9 9.2 - Apple Mac OS 9 9.2 - Apple Mac OS 9 9.1 - Apple Mac OS 9 9.1 - Apple Mac OS 9 9.0.4 - Apple Mac OS 9 9.0.4 - Apple Mac OS 9 9.0 - Apple Mac OS 9 9.0 - Apple Mac OS X 10.1.5 - Apple Mac OS X 10.1.4 - Apple Mac OS X 10.1.4 - Apple Mac OS X 10.1.3 - Apple Mac OS X 10.1.3 - Apple Mac OS X 10.1.2 - Apple Mac OS X 10.1.2 - Apple Mac OS X 10.1.1 - Apple Mac OS X 10.1.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.1 - Apple Mac OS X 10.0.4 - Apple Mac OS X 10.0.4 - Apple Mac OS X 10.0.3 - Apple Mac OS X 10.0.3 - Apple Mac OS X 10.0.2 - Apple Mac OS X 10.0.2 - Apple Mac OS X 10.0.1 - Apple Mac OS X 10.0.1 - Apple Mac OS X 10.0 - Apple Mac OS X 10.0 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server - Microsoft Windows 2000 Server - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services - Microsoft Windows 2000 Terminal Services - Microsoft Windows 95 SR2 - Microsoft Windows 95 SR2 - Microsoft Windows 95 - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows ME - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6 - Microsoft Windows NT Enterprise Server 4.0 SP6 - Microsoft Windows NT Enterprise Server 4.0 SP5 - Microsoft Windows NT Enterprise Server 4.0 SP5 - Microsoft Windows NT Enterprise Server 4.0 SP4 - Microsoft Windows NT Enterprise Server 4.0 SP4 - Microsoft Windows NT Enterprise Server 4.0 SP3 - Microsoft Windows NT Enterprise Server 4.0 SP3 - Microsoft Windows NT Enterprise Server 4.0 SP2 - Microsoft Windows NT Enterprise Server 4.0 SP2 - Microsoft Windows NT Enterprise Server 4.0 SP1 - Microsoft Windows NT Enterprise Server 4.0 SP1 - Microsoft Windows NT Enterprise Server 4.0 - Microsoft Windows NT Enterprise Server 4.0 - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6 - Microsoft Windows NT Server 4.0 SP6 - Microsoft Windows NT Server 4.0 SP5 - Microsoft Windows NT Server 4.0 SP5 - Microsoft Windows NT Server 4.0 SP4 - Microsoft Windows NT Server 4.0 SP4 - Microsoft Windows NT Server 4.0 SP3 - Microsoft Windows NT Server 4.0 SP3 - Microsoft Windows NT Server 4.0 SP2 - Microsoft Windows NT Server 4.0 SP2 - Microsoft Windows NT Server 4.0 SP1 - Microsoft Windows NT Server 4.0 SP1 - Microsoft Windows NT Server 4.0 - Microsoft Windows NT Server 4.0 - Microsoft Windows NT Terminal Server 4.0 SP6a - Microsoft Windows NT Terminal Server 4.0 SP6 - Microsoft Windows NT Terminal Server 4.0 SP6 - Microsoft Windows NT Terminal Server 4.0 SP5 - Microsoft Windows NT Terminal Server 4.0 SP5 - Microsoft Windows NT Terminal Server 4.0 SP4 - Microsoft Windows NT Terminal Server 4.0 SP4 - Microsoft Windows NT Terminal Server 4.0 SP3 - Microsoft Windows NT Terminal Server 4.0 SP3 - Microsoft Windows NT Terminal Server 4.0 SP2 - Microsoft Windows NT Terminal Server 4.0 SP2 - Microsoft Windows NT Terminal Server 4.0 SP1 - Microsoft Windows NT Terminal Server 4.0 SP1 - Microsoft Windows NT Terminal Server 4.0 - Microsoft Windows NT Terminal Server 4.0 - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows NT Workstation 4.0

Not Vulnerable:	Apple QuickTime Player 7.1.6

Discussion

Apple Quicktime QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability

QuickTime is prone to a vulnerability that may aid in the remote compromise of a vulnerable computer.

The issue occurs when a Java-enabled browser is used to view a malicious website. QuickTime must also be installed.

Attackers may exploit this issue to execute arbitrary code in the context of a user running the vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.

This issue is exploitable through both Safari and Mozilla Firefox running on Mac OS X. Reports indicate that Firefox on Windows platforms may also be an exploit vector.

Reports also indicate that Internet Explorer 6 and 7 running on Windows XP may be an exploit vector, but that a sandboxing feature may interfere with successful exploits. Neither of these points has been confirmed.

Exploit / POC

Apple Quicktime QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability

An exploit designed to leverage this issue was demonstrated as part of the CanSec Macbook Challenge, a competition to create a working exploit against a fully updated MacBook.

The following Java code demonstrates this issue by crashing affected browsers:

// Initialize QT
QTSession.open();

// Get a handle to anything
byte b[] = new byte[1 /*arbitrary*/];
QTHandle h = new QTHandle(b);

// Turn the handle into a pointer object. The
// large negative value throws off bounds checking.
QTPointerRef p = h.toQTPointer(-2000000000 /*off*/, 10 /*size*/);

// Write to it.
p.copyFromArray(0 /*offset*/, b /*source*/, 0, 1 /*length*/);

UPDATE (October 22, 2007): An exploit update was released by Core Security for IMPACT v7. Users can obtain this update by selecting 'Get Updates' on the IMPACT Welcome Screen.

Solution / Fix

Apple Quicktime QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability

Solution:
The vendor has released version 7.1.6 to address this issue.

Apple QuickTime Player 7.1

Apple iTunesSetup.exe
QuickTime 7.1.6 with iTunes for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime716.dmg
For Mac OS X v10.4.9 and Mac OS X v10.3.9
http://www.apple.com/quicktime/download/

Apple QuickTimeInstaller.exe
QuickTime 7.1.6 for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime Player 7.1.1

Apple iTunesSetup.exe
QuickTime 7.1.6 with iTunes for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime716.dmg
For Mac OS X v10.4.9 and Mac OS X v10.3.9
http://www.apple.com/quicktime/download/

Apple QuickTimeInstaller.exe
QuickTime 7.1.6 for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime Player 7.1.2

Apple iTunesSetup.exe
QuickTime 7.1.6 with iTunes for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime716.dmg
For Mac OS X v10.4.9 and Mac OS X v10.3.9
http://www.apple.com/quicktime/download/

Apple QuickTimeInstaller.exe
QuickTime 7.1.6 for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime Player 7.1.3

Apple iTunesSetup.exe
QuickTime 7.1.6 with iTunes for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime716.dmg
For Mac OS X v10.4.9 and Mac OS X v10.3.9
http://www.apple.com/quicktime/download/

Apple QuickTimeInstaller.exe
QuickTime 7.1.6 for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime Player 7.1.4

Apple iTunesSetup.exe
QuickTime 7.1.6 with iTunes for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime716.dmg
For Mac OS X v10.4.9 and Mac OS X v10.3.9
http://www.apple.com/quicktime/download/

Apple QuickTimeInstaller.exe
QuickTime 7.1.6 for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime Player 7.1.5

Apple iTunesSetup.exe
QuickTime 7.1.6 with iTunes for Windows XP/2000
http://www.apple.com/quicktime/download/

Apple QuickTime716.dmg
For Mac OS X v10.4.9 and Mac OS X v10.3.9
http://www.apple.com/quicktime/download/

Apple QuickTimeInstaller.exe
QuickTime 7.1.6 for Windows XP/2000
http://www.apple.com/quicktime/download/

References

Apple Quicktime QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability

References:

BREAKING: MacBook Vuln In Quicktime, Affects Win32 Apple Code (Thomas Ptacek)
BREAKING: The Bug Report That Would Not Die: Dino�??s Finding Works In IE7 (Thomas Ptacek)
Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won (Thomas Ptacek)
Cisco TelePresence Video Communication Server (VCS) Homepage (Cisco)
Details on Dino�??s QuickTime Advisory (With Code Snippet) (Thomas Ptacek)
Mac Hacked by QuickTime Bug "As Serious as ANI" (eWeek)
Mac OS X Homepage (Apple)
Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability (ZDI)
Vulnerability Note VU#420668 Apple QuickTime for Java QTPointerRef heap memory c (US-CERT)