11.27.07

Quicktime RTSP Response Vulnerability

Posted in IT, Security, Vulnerabilities at 5:13 pm by Tyler Reguly

Yet another one of these exploits... I find this one to be somewhat humorous... if for no reason other than I see it as a massive Apple failing... Apple has failed miserably. How did they fail? In two ways.

1. Quicktime was not compiled to take advantage of ASLR on Vista.

This is simple enough, you pass in the /dynamicbase switch to the linker... Visual Studio 2005 SP1 will even let you set it up in the linker options.
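Whether a binary was actually linked with /dynamicbase is recorded in the PE optional header: the linker sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the DllCharacteristics field, and Vista's loader only randomizes images that carry it. The following added example (mine, not code from the post, Apple or Microsoft) parses that field from a PE image so you can audit an installed QuickTime DLL or EXE yourself; the make_stub_pe helper builds a constructed header-only image purely as test data.

```python
import struct

# Flag bits from the PE DllCharacteristics field.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the /DYNAMICBASE linker switch
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by /NXCOMPAT (DEP opt-in)


def dll_characteristics(pe_bytes):
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    return struct.unpack_from("<H", pe_bytes, opt + 70)[0]


def supports_aslr(pe_bytes):
    """True if the image opted in to ASLR via /DYNAMICBASE."""
    return bool(dll_characteristics(pe_bytes) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def supports_dep(pe_bytes):
    """True if the image opted in to DEP via /NXCOMPAT."""
    return bool(dll_characteristics(pe_bytes) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def make_stub_pe(characteristics, pe32plus=False):
    """Constructed test data: a header-only PE image (not loadable) carrying the given flags."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print("%s: ASLR=%s DEP=%s" % (path, supports_aslr(data), supports_dep(data)))
```

Run it against the QuickTime binaries on a Vista box (`python pecheck.py QuickTimePlayer.exe *.qtx`) and a False under ASLR is exactly the failure described above; the same check is worth adding to a build pipeline so an opt-out never ships unnoticed.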

2. Apple saw this issue or a damn similar one back in 2002.

Thanks goes to Joel Esler for pointing this one out. CVE-2002-0252 describes a buffer overflow in the Content-Type header. The SecurityFocus description of this vulnerability reads:

Apple QuickTime For Windows does not perform sufficient bounds checking of the "Content-Type" header. This issue may be exploited if a server responds with a maliciously crafted "Content-Type" header to an HTTP request for a media file. A "Content-Type" header of 500+ characters is sufficient to trigger this condition, causing stack variables to be overwritten in the process.

With this new vulnerability, we see that the overflow is again in the Content-Type... as one of the vulns on milw0rm makes evident:

header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow
'Content-Length: %d\r\n'
'\r\n')
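The root cause in both the 2002 and the 2007 bug is the same: the client copies a server-supplied header value into a fixed-size stack buffer without checking its length. The added example below (my code, not the milw0rm exploit and not QuickTime's parser) shows what the missing check looks like in an RTSP response parser: every header value is bounded before it is accepted, and a separate detection function reports which headers exceed the bound so the same logic can run on captured traffic. The limits and the sample responses are constructed for this example; the 256-byte value cap is an assumed policy, chosen well under the 500+ bytes the advisory cites.

```python
MAX_HEAD_BYTES = 8192      # assumed cap on the whole status line + headers block
MAX_HEADER_VALUE = 256     # assumed cap on any single header value


class OversizedHeader(ValueError):
    """Raised when a header value exceeds the configured bound."""


def parse_rtsp_response(raw):
    """Parse an RTSP response head into (status_code, {lowercased name: value}).

    Applies only the structural checks here; per-header length policy is
    applied by check_header_bounds / safe_parse so detection and
    enforcement can share one parser.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    if len(head) > MAX_HEAD_BYTES:
        raise OversizedHeader("response head is %d bytes (limit %d)" % (len(head), MAX_HEAD_BYTES))
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"RTSP/") or not parts[1].isdigit():
        raise ValueError("bad status line: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return status, headers


def check_header_bounds(headers, max_value_len=MAX_HEADER_VALUE):
    """Detection view: names of headers whose values exceed max_value_len."""
    return [name for name, value in headers.items() if len(value) > max_value_len]


def safe_parse(raw, max_value_len=MAX_HEADER_VALUE):
    """Enforcement view: parse and reject the message if any header is oversized."""
    status, headers = parse_rtsp_response(raw)
    offenders = check_header_bounds(headers, max_value_len)
    if offenders:
        raise OversizedHeader("oversized header value(s): %s" % ", ".join(offenders))
    return status, headers


def is_within_bounds(raw, max_value_len=MAX_HEADER_VALUE):
    """True if the response would be accepted by safe_parse."""
    try:
        safe_parse(raw, max_value_len)
    except OversizedHeader:
        return False
    return True


def build_response(content_type, body=b""):
    """Constructed sample shaped like the response in the post (test data, no payload)."""
    return (b"RTSP/1.0 200 OK\r\n"
            b"CSeq: 1\r\n"
            b"Content-Base: rtsp://0.0.0.0/1.mp3/\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)


BENIGN = build_response(b"application/sdp", b"v=0\r\n")
OVERSIZED = build_response(b"A" * 600)   # the size class the 2002 advisory describes

if __name__ == "__main__":
    print("benign:", safe_parse(BENIGN))
    print("oversized headers in sample:", check_header_bounds(parse_rtsp_response(OVERSIZED)[1]))
```

The point is not the particular numbers but that the bound is checked before the copy; a detection rule in an IDS that inspects RTSP on port 554 can use the same threshold on the Content-Type header to flag a server that is sending QuickTime clients values no legitimate media type would ever need.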

So I'm saying it.... Apple failed.