QuickTime Player SMIL Buffer Overflow and Metasploit Exploit
On the 26th of July 2010, Krystian Kloskowski discovered a vulnerability in QuickTime Player 7.6.6 for Windows caused by a buffer overflow in the application's error logging.
The original advisory states:
The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.
Successful exploitation of this vulnerability leads to the ability to execute arbitrary code on the victim's computer.
As QuickTime is installed on many Windows systems these days (it's included as part of iTunes), this vulnerability poses a real threat. As always, users should be wary of clicking on unknown links, but ultimately, if someone wants to get you to visit a malicious page, they can.
In this case users should update QuickTime as soon as possible. Apple has released QuickTime 7.6.7, which fixes this issue.
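The advisory describes a classic pattern: a debug-log line is built from an attacker-supplied URL into a fixed-size stack buffer with no length check. The following is an added illustration of that bug class and its fix, written for this post and not taken from QuickTime's code; the function names, the 128-byte buffer size and the log-line format are assumptions, and the over-long URL is constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define LOG_LINE_MAX 128 /* assumed size of the fixed stack buffer */

/* Unsafe pattern (illustrative): sprintf into a fixed stack buffer with an
 * attacker-controlled URL and no length check. A URL longer than the buffer
 * overwrites the stack. It is only ever called with a short URL here. */
static void log_url_unsafe(const char *url) {
    char line[LOG_LINE_MAX];
    sprintf(line, "[qt-debug] open stream %s\n", url); /* no bound */
    fputs(line, stderr);
}

/* Hardened version: bounded formatting plus an explicit truncation check,
 * so an over-long URL produces a detectable failure instead of silent
 * memory corruption. Returns true if the full line fit, false otherwise. */
static bool format_log_line(char *out, size_t out_len, const char *url) {
    int n = snprintf(out, out_len, "[qt-debug] open stream %s\n", url);
    if (n < 0 || (size_t)n >= out_len) {
        /* The line would have been truncated: log that fact, not the data. */
        snprintf(out, out_len,
                 "[qt-debug] open stream <url too long: %zu bytes>\n",
                 strlen(url));
        return false;
    }
    return true;
}

/* Constructed over-long URL, standing in for the "overly long URL" in a
 * crafted SMIL file. The hardened function refuses it without overflowing. */
static bool demo_long_url(void) {
    char url[512];
    memset(url, 'A', sizeof url - 1);
    url[sizeof url - 1] = '\0';
    char line[LOG_LINE_MAX];
    return format_log_line(line, sizeof line, url);
}

/* A normal-length URL (constructed) is accepted by both versions. */
static bool demo_short_url(void) {
    const char *url = "rtsp://stream.example.test/clip.mov";
    char line[LOG_LINE_MAX];
    log_url_unsafe(url); /* safe only because the input is short */
    return format_log_line(line, sizeof line, url);
}
```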
[Update] Check out the video below for a demo of the Metasploit module in action: