#1  Posted 11-29-2007, 10:19 PM by Symantec (Senior Member; Join Date: Oct 2006; Posts: 295)

Apple (QuickTime exploit) with a twist
<p>Four days after news of the recent <a href="http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html">Apple QuickTime vulnerability</a> began to spread, a new proof-of-concept exploit, with a twist, has been published. While the shell code in the previous exploit was contained within a malicious RTSP data stream, this time the shell code is sent via JavaScript, separate from the stream. </p>

<p>Let’s break down how this might play out. A client requests a Web page from a malicious site. The page that is sent contains malicious shell code and a request for a QuickTime movie. If the client is using Internet Explorer, the shell code is written to a heap area for later use. Meanwhile, the browser receives the QuickTime movie and then opens it with QuickTime, creating an RTSP stream to the malicious server. Only the RTSP server in this scenario is hosting a hacked version, which actually sends back a stream that overwrites the stack in the client’s QuickTime install. The end of the buffer overflow then calls the shell code that was previously written to the heap, and voila!, the malicious code is executed. </p>

<p>This method of exploiting the vulnerability has its advantages and disadvantages. On the plus side, the server hosting the exploit must have a hacked RTSP server for this to work, since standard RTSP servers will not operate in this way. On the downside, this new exploit makes it much easier for attackers to use their own shell code in an attack using this vulnerability. </p>

<p>The good news is that this exploit is easily enough avoided by taking a few precautionary measures. Symantec antivirus products with the latest definitions will detect this threat as <a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-112808-4202-99">Trojan.Quimkids</a>. We also recommend the following options if you’d like to further protect yourself from such attacks:</p>

<p><strong>Prohibit the RTSP protocol on your networks</strong><br />
Unless there is a need for using this protocol, it is best to avoid it for the time being.</p>

<p><strong>Disable QuickTime browser objects</strong><br />
If QuickTime ActiveX controls in Internet Explorer and plug-ins in Firefox are disabled, the exploit will not work. </p>

<p><strong>Disable JavaScript where possible</strong><br />
If the script cannot execute, it cannot write shell code to the heap.</p>

<p><strong>Avoid untrusted QuickTime files</strong><br />
If you’re unsure of the source of a QuickTime file, do not execute it.</p>

<p><a href="http://en.wikipedia.org/wiki/Domo_Arigato">Domo arigato</a> to Kazumasa Itabashi for his work in analyzing this new exploit.</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/11/apple_quicktime_exploit_with_a.html
Wed, 28 Nov 2007 08:11:10 -0800
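The post says the hacked RTSP server returns a stream that overwrites the stack in the client's QuickTime. As an added example (not code from the post or from Symantec), here is a small defensive check a network monitor could run on RTSP responses; it assumes, since the post does not say where in the stream the overflow lives, that such a payload shows up as an abnormally long header value, and the sample responses and the 256-byte threshold are constructed for the example.

```python
# Added example, not from the post: heuristic check for oversized RTSP
# response headers. Assumption (not stated in the post): an overflow
# payload arrives as an abnormally long header value.
MAX_HEADER_VALUE = 256  # threshold chosen for the example; tune to your traffic


def parse_rtsp_response(raw: bytes):
    """Split an RTSP response into (status_line, {header_name: value})."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1", "replace")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            continue  # malformed header line: no "name: value" split
        headers[name.strip().decode("latin-1", "replace").lower()] = value.strip()
    return status, headers


def suspicious_headers(raw: bytes, limit: int = MAX_HEADER_VALUE):
    """Return [(header_name, length)] for each header value longer than limit."""
    _status, headers = parse_rtsp_response(raw)
    return [(name, len(value)) for name, value in headers.items()
            if len(value) > limit]


# Constructed sample responses (not captured traffic).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERSIZED = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nSession: " + b"A" * 1024 +
             b"\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, suspicious_headers(sample))
```

A real deployment would feed reassembled TCP/554 responses into suspicious_headers and alert on any non-empty result, which is the "prohibit or monitor RTSP" advice above in executable form.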