QuickTime Player SMIL Buffer Overflow and Metasploit Exploit
On 26 July 2010, Krystian Kloskowski discovered a vulnerability in QuickTime Player 7.6.6 for Windows, caused by a buffer overflow in the application’s error logging.
The original advisory states:
The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.
Successful exploitation of this vulnerability leads to the ability of executing arbitrary code on the victim’s computer.
A couple of days ago, Joshua Drake (a.k.a. jduck) submitted a working exploit module to the Metasploit Framework.
As QuickTime is installed on many Windows systems these days (it is bundled with iTunes), this vulnerability poses a real threat. As always, users should beware of clicking on unknown links, but ultimately, if someone wants to get you to visit a malicious page, they can.
In this case users should update QuickTime as soon as possible. Apple has released QuickTime 7.6.7, which fixes this issue.
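To illustrate the bug class the advisory describes, here is an added example (hypothetical code, not QuickTime’s own) of a debug log line built from a SMIL URL into a fixed-size stack buffer, with the unbounded pattern shown next to a bounded version that rejects overlong input. The buffer size, the log format and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LOG_LINE_MAX 256   /* assumed size of the on-stack log line */

/* Vulnerable pattern: sprintf() does not know how large 'line' is, so a
 * URL longer than the buffer overruns the stack. Kept only for comparison
 * with the bounded version below; never call it on untrusted input. */
void build_log_line_unsafe(char *line, const char *url)
{
    sprintf(line, "stream: url=%s", url);
}

/* Hardened version: bound the write to 'cap' bytes and report truncation
 * instead of silently writing a clipped line. Returns the line length
 * (excluding the NUL), or -1 when the URL does not fit. */
int build_log_line_safe(char *line, size_t cap, const char *url)
{
    int n = snprintf(line, cap, "stream: url=%s", url);
    if (n < 0 || (size_t)n >= cap) {
        /* Too long: record only the length, never the overlong URL. */
        snprintf(line, cap, "stream: url=<%zu bytes, rejected>", strlen(url));
        return -1;
    }
    return n;
}

/* Build a log line for 'url' into a LOG_LINE_MAX buffer; return the result. */
int check_url(const char *url)
{
    char line[LOG_LINE_MAX];
    return build_log_line_safe(line, sizeof line, url);
}

/* Same check with a constructed URL of 'len' 'A' bytes (capped at 1023),
 * useful for probing the exact boundary of the log buffer. */
int check_url_len(size_t len)
{
    char url[1024];
    if (len > sizeof url - 1)
        len = sizeof url - 1;
    memset(url, 'A', len);
    url[len] = '\0';
    return check_url(url);
}

int main(void)
{
    /* A short URL fits; 243 bytes of URL exactly fill the buffer; 244 do not. */
    return (check_url("rtsp://example.invalid/a.mov") == 40 &&
            check_url_len(243) == 255 && check_url_len(244) == -1) ? 0 : 1;
}
```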
[Update] Check out the video below for a demo of the Metasploit module in action:
Metasploit_Apple_Quicktime_Smil_Debug from 4xteam on Vimeo.