Bugtraq mailing list archives
Re: [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Wed, 31 Jan 2001 12:53:33 -0800
UNYUN <shadowpenguin () BACKSECTION NET> writes:
SPS Advisory #41
Apple Quick Time Plug-in Buffer Overflow
UNYUN <shadowpenguin () backsection net>
Shadow Penguin Security (http://shadowpenguin.backsection.net)
--------------------------------------------------------------

[Date] July 31, 2001
[Vulnerable] QuickTime Player 4.1.2 for Windows (Japanese)
[Not vulnerable] unknown

[Overview]
There is an exploitable buffer overflow bug in the QuickTime plug-in for Windows. This problem occurs when the visitor clicks the shown movie in the browser. The QuickTime plug-in doesn't check the length of the HREF parameter in the EMBED tag appropriately; QuickTime overflows when a long string is specified in HREF. This buffer overflow overwrites the local buffer, and the code written in the EMBED tag can be executed on the client host.

[Risk]
If an HTML file which contains the cracking code in an EMBED tag is opened and the visitor clicks the shown movie, the cracking code will be executed on the client host. This overflow contains the possibility of virus and trojan infection, system destruction, intrusion, and so on.

[Details]
We explain the details of this problem under the environment of Windows 98 (SE/Japanese) + QuickTime Player 4.1.2 for Windows + Internet Explorer 5.0. You can check this problem easily by the following simple HTML file.

    <html>
    <embed src="c:\program files\quicktime\sample.mov"
           href="aaaa... long string (730 characters)"
           width=60 height=60 autoplay="true" target="QUICKTIMEPLAYER">
    </html>
You don't mention whether you've tried this on other versions of the OS, browser, or player. FWIW, I tried it with QuickTime Player 4.1.2 on Windows 2000 (U.S.) with Internet Explorer 5.00.3103.1000 and didn't get a crash. Tried with 730 characters and with 7300.

Also tried with Netscape Communicator 4.76 on the same platform. There I had to change the src from the "c:\Non-Microsoft\QuickTime-4.1.2\Sample.mov" that IE accepts to the standards-compliant "file:///C|/Non-Microsoft/QuickTime-4.1.2/Sample.mov", but again, no crash.

----------------------------------------------------------------------
Dan Harkless                     | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc.   | address in Usenet posts.  Thank you.
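The advisory quoted above describes the bug only as "the plug-in doesn't check the length of the HREF parameter" before copying it into a local buffer. The C program below is an added illustration of that bug class, not code from the advisory, from QuickTime, or from either poster: QuickTime's real parsing code is not public, so the buffer size (256 bytes), the `find_href` attribute extractor and the two handler functions are assumptions chosen to show the pattern. `handle_href_unchecked` copies the attribute value into a fixed stack buffer with no bound, which is what a 730-byte `href` would overrun; `handle_href_checked` refuses any value that does not fit before touching the buffer. `build_embed_tag` constructs a tag shaped like the advisory's PoC with an `href` of `n` repeated `a` characters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the real plug-in's size is not stated in the advisory. */
#define HREF_BUF 256

/* Locate the value of href="..." inside an EMBED tag (hypothetical extractor).
   Returns a pointer to the first byte of the value and stores its length in
   *len, or NULL if the attribute is missing or unterminated. */
static const char *find_href(const char *tag, size_t *len) {
    const char *p = strstr(tag, "href=\"");
    if (!p) return NULL;
    p += strlen("href=\"");
    const char *end = strchr(p, '"');
    if (!end) return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* Vulnerable pattern as the advisory describes it: the attribute value goes into
   a fixed local buffer with no length check. With len >= HREF_BUF the copy runs
   past href_buf and clobbers what follows it on the stack. Kept for illustration;
   main() below only ever feeds it a short value. */
int handle_href_unchecked(const char *tag) {
    char href_buf[HREF_BUF];
    size_t len;
    const char *v = find_href(tag, &len);
    if (!v) return -1;
    memcpy(href_buf, v, len);      /* no bound check: overflow when len >= HREF_BUF */
    href_buf[len] = '\0';
    return (int)strlen(href_buf);  /* bytes accepted */
}

/* Hardened form: check the length against the buffer before copying and reject
   (rather than silently truncate) anything that does not fit. */
int handle_href_checked(const char *tag) {
    char href_buf[HREF_BUF];
    size_t len;
    const char *v = find_href(tag, &len);
    if (!v) return -1;             /* no href attribute */
    if (len >= HREF_BUF) return -2; /* too long for the buffer: refuse it */
    memcpy(href_buf, v, len);
    href_buf[len] = '\0';
    return (int)strlen(href_buf);
}

/* Construct an EMBED tag shaped like the advisory's PoC, with an href of n 'a's.
   Caller frees the result. */
char *build_embed_tag(size_t n) {
    const char *pre  = "<embed src=\"c:\\program files\\quicktime\\sample.mov\" href=\"";
    const char *post = "\" width=60 height=60 autoplay=\"true\" target=\"QUICKTIMEPLAYER\">";
    size_t pre_len = strlen(pre);
    char *tag = malloc(pre_len + n + strlen(post) + 1);
    if (!tag) return NULL;
    memcpy(tag, pre, pre_len);
    memset(tag + pre_len, 'a', n);
    tag[pre_len + n] = '\0';
    strcat(tag, post);
    return tag;
}

int main(void) {
    char *short_tag = build_embed_tag(20);
    char *long_tag  = build_embed_tag(730);   /* the length the advisory used */
    if (!short_tag || !long_tag) return 1;

    printf("20-byte href, unchecked handler: %d\n", handle_href_unchecked(short_tag));
    printf("20-byte href, checked handler:   %d\n", handle_href_checked(short_tag));
    printf("730-byte href, checked handler:  %d (rejected)\n", handle_href_checked(long_tag));
    /* handle_href_unchecked(long_tag) is the advisory's trigger: undefined
       behaviour (stack overwrite), so it is deliberately not called here. */

    free(short_tag);
    free(long_tag);
    return 0;
}
```

The fix is the single comparison before the copy; the `-2` return gives the caller a way to tell "attribute too long" from "attribute missing" instead of quietly dropping bytes, which is the behaviour a practitioner would want when the oversized input is the attack itself.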
Current thread:
- [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow UNYUN (Jan 31)
- Re: [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow Dan Harkless (Jan 31)