Skip to content

Posts tagged ‘exploit’

15
Aug

QuickTime Player SMIL Buffer Overflow and Metasploit Exploit

On the 26th July 2010, Krystian Kloskowski discovered a vulnerability in QuickTime Player 7.6.6 for Windows caused by a buffer overflow in the application’s error logging.

The original advisory states:

The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.

Successful exploitation of this vulnerability leads to the ability of executing arbitrary code on the victim’s computer.

A couple of days ago, Joshua Drake (aka. jduck) submitted a working exploit module to the Metasploit Framework.

As QuickTime is installed on many Windows systems these days (it’s included as part of iTunes), this vulnerability poses a real threat. As always users should beware of clicking on unknown links, but ultimately if someone wants to get you to visit a malicious page, they can.

In this case users should update QuickTime asap. Apple has released QuickTime 7.6.7 which fixes this issue.

[Update] Check out the video below for a demo of the Metasploit module in action:

Metasploit_Apple_Quicktime_Smil_Debug from 4xteam on Vimeo.

3
Aug

JailbreakMe and the PDF Exploit

[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!

JailbreakMe.com by comex (et al.) now provides an easy way of remotely jailbreaking the iPhone, iPad and iPod – including those running iOS up to 4.0.1.

The technique works thanks to a specially-crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. Another local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing for the jailbreak to take place.

Depending on the device used to visit jailbreakme.com, the site will deliver one of its existing payloads, to perform the initial exploit. During the jailbreak it will download an additional 3.7MB bin file.

Although this may seem like a great ‘feature’ to potential jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches this, iPhone users should beware of visiting untrusted sites, as this same exploit could potentially be modified to carry out attacks on legitimate non-jailbroken iPhones.

Here’s a video of someone jailbreaking Apple Stores for fun.

[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.

[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.

[Update 12/8/10] comex has released the source code for the jailbreak exploit.

css.php