Severity: Medium
11 January, 2008
Summary:
- This vulnerability affects: Quicktime 7.3.1.70 and earlier, on Windows and Mac computers
- How an attacker exploits it: By enticing one of your users into opening a specially crafted web site, RTSP stream, or Quicktime media file
- Impact: The attacker could either crash Quicktime or execute code with the victim’s privileges
- What to do: See Solution section for workaround, because no patch exists yet.
Exposure:
Yesterday, a security researcher named Luigi Auriemma released an advisory describing a zero day vulnerability in the latest version of Apple Quicktime for Windows and Mac. His advisory describes a buffer overflow vulnerability involving the way Quicktime handles the Real Time Streaming Protocol (RTSP).
When you open an RTSP stream, Quicktime first tries to connect to the hosting RTSP server using TCP port 554. If that fails, Quicktime tries a fallback connection method using TCP port 80 — the HTTP port. According to Auriemma, Quicktime doesn’t properly handle certain replies received during this fallback connection. Specifically, if Quicktime receives an overly-long HTTP 404 error during this fallback connection, the error triggers a buffer overflow flaw in Quicktime.
By enticing one of your users into opening a specially crafted RTSP stream, an attacker could exploit this flaw to either crash Quicktime, or to execute code on your user’s computer. A successful attacker inherits the privileges of the victim, so, if you typically extend local admin privileges to your users, the attacker could potentially exploit this flaw to gain complete control of the victim’s computer. To lure your users to a malicious RTSP stream, an attacker could embed the stream into a special file called a Quicktime Media Link. A Quicktime Media Link file typically has a .QTL name extension, but attackers can change the .QTL extension to any other Quicktime-supported extension (e.g. .MOV, .AIFF, .MP3, etc.) and Quicktime will still process the file properly. This means an attacker could also exploit this flaw by enticing your users into downloading and opening malicious Quicktime media files, or even by visiting a web page that hosts a malicious Quicktime media file.
Unfortunately, Auriemma released his advisory without first informing Apple of the flaw. Furthermore, he released a Proof-of-Concept (PoC) exploit for this vulnerability that crashes Quicktime. We’ve tested this PoC and confirmed that it works. When we contacted Auriemma, he confirmed to us that he could modify his PoC exploit to execute code.
With no patch, and PoC widely available, we consider this vulnerability a critical risk for Quicktime and iTunes users (current versions of iTunes also ship with Quicktime). If you use these Apple multimedia products, you should implement the workarounds described in the Solution section of this alert as soon as possible.
Note: Auriemma’s alert claims that this flaw also affects Quicktime for Mac. However, in a post to the Bugtraq mailing-list, Marcello Barnaba claims that Auriemma’s PoC did not work on a Mac running OS X 10.5.1 and the latest version of Quicktime. We have not been able to determine whether or not this vulnerability really affects all Mac versions of Quicktime.
Solution Path:
Since Auriemma released this vulnerability without first informing Apple, Apple hasn’t had time to create and release a fix. Blocking the RTSP protocol (TCP port 554) does NOT help mitigate the risk of this vulnerability. Although this vulnerability involves RTSP, the flaw actually lies in the way Quicktime handles the fallback RTSP connection, which occurs over TCP port 80. You must allow port 80 in order for your users to browse the web. Instead, if you allow (or suspect that users have installed) Quicktime or iTunes in your network, we recommend you apply some or all of the workarounds listed below, until Apple releases a patch.
- Disable file association for QuickTime files. This prevents Windows from automatically using Quicktime to open media files that your users double-click on. This can be accomplished by deleting all of the registry keys that start with:
HKEY_CLASSES_ROOT\QuickTime.
For instance, delete keys such as:
- HKEY_CLASSES_ROOT\QuickTime.aiff
- HKEY_CLASSES_ROOT\QuickTime.mov
- HKEY_CLASSES_ROOT\QuickTime.mp4
- HKEY_CLASSES_ROOT\QuickTime.3gp
Keep in mind, this workaround also prevents Windows from associating legitimate media files with Quicktime. After making this change, you will no longer be able to open legitimate Quicktime files by double-clicking on them. Instead, you will have to run Quicktime, then open the media manually from inside Quicktime.
- Disable the Quicktime ActiveX control in Internet Explorer (IE). Quicktime installs an IE ActiveX control used to process Quicktime media you encounter while browsing the web. Disabling the Quicktime ActiveX control helps guard you from exploits that rely upon enticing you to malicious web sites with embedded Quicktime media. To disable the Quicktime ActiveX control you must set the killbit for the following CLSIDs:
- {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
- {4063BE15-3B08-470D-A0D5-B37161CFFD69}
For more information on disabling ActiveX controls by setting killbits, see this Microsoft Knowledge Base article. Of course, this workaround prevents you from viewing legitimate web-based Quicktime media in your browser as well.
- Disable the Quicktime plugin in Mozilla-based browsers (Firefox). Quicktime installs a Firefox plugin used to process Quicktime media you encounter while browsing the web. Disabling this plugin helps prevent attackers from exploiting this vulnerability by enticing you to malicious web sites with embedded Quicktime media. You can learn how to uninstall Firefox plugins here. Of course, this workaround prevents you from viewing legitimate web-based Quicktime media in your browser as well.
- Block all Quicktime media content at your gateway. Unfortunately, attackers can exploit this vulnerability by enticing one of your users into downloading a specially crafted Quicktime media file. Theoretically, an attacker could trigger this attack with just about any media file that Quicktime processes, including .mov, .mp3, .qtl, and .avi files, to name a few. If you block all possible media files at your gateway, you can protect your network from this attack vector. However, this would prevent your users from receiving many legitimate media files as well, so this option suits only the strictest organizations.
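The first two Windows workarounds above (removing the QuickTime.* file associations and setting the killbit on the two QuickTime CLSIDs) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this alert, not a tool from WatchGuard or Apple. It assumes the killbit convention documented by Microsoft (a DWORD named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}); the CLSIDs and registry prefix are the ones listed in this alert. Without -Apply it only reports; with -Apply it exports each association key to a .reg backup before deleting it, so the associations can be restored once Apple ships a patch.

```powershell
# Added example (not part of the WatchGuard alert): audit/apply the two registry
# workarounds described above. Run as Administrator. -Apply makes the changes;
# without it the script only reports the current state.
param([switch]$Apply)

# CLSIDs of the QuickTime ActiveX control, as listed in the alert.
$QuickTimeClsids = @(
    '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}',
    '{4063BE15-3B08-470D-A0D5-B37161CFFD69}'
)
# Killbit flag value from Microsoft's ActiveX Compatibility documentation (assumed here).
$KillbitFlag = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-QuickTimeAssociations {
    # Every ProgID under HKEY_CLASSES_ROOT that starts with "QuickTime." (e.g. QuickTime.mov)
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'QuickTime.*' }
}

function Test-Killbit {
    param([string]$Clsid)
    $item = Get-ItemProperty -Path (Join-Path $CompatRoot $Clsid) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (([int]$item.'Compatibility Flags' -band $KillbitFlag) -ne 0)
}

function Set-Killbit {
    param([string]$Clsid)
    $path = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillbitFlag   # keep any flags already set on the control
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

# --- Workaround 1: QuickTime file associations ---
$assoc = @(Get-QuickTimeAssociations)
Write-Host ("QuickTime.* ProgIDs present: {0}" -f $assoc.Count)
foreach ($key in $assoc) {
    if ($Apply) {
        # Export the key first so the association can be restored after Apple patches.
        $backup = Join-Path $env:TEMP ("{0}.reg" -f $key.PSChildName)
        & reg.exe export ("HKCR\{0}" -f $key.PSChildName) $backup /y | Out-Null
        Remove-Item -Path $key.PSPath -Recurse -Force
        Write-Host ("  removed {0} (backup: {1})" -f $key.PSChildName, $backup)
    } else {
        Write-Host ("  would remove {0}" -f $key.PSChildName)
    }
}

# --- Workaround 2: killbits for the QuickTime ActiveX control ---
foreach ($clsid in $QuickTimeClsids) {
    $set = Test-Killbit $clsid
    if ($Apply -and -not $set) { Set-Killbit $clsid; $set = Test-Killbit $clsid }
    Write-Host ("  killbit {0}: {1}" -f $clsid, $(if ($set) { 'set' } else { 'NOT set' }))
}
```

Run it once without -Apply to see which QuickTime.* ProgIDs exist and whether the killbits are already present, then with -Apply to enforce both workarounds. The killbit step ORs the flag into any existing "Compatibility Flags" value rather than overwriting it, and the association step keeps a .reg export per key so the change can be reversed with reg.exe import once a patched Quicktime is installed.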
When Apple patches Quicktime, we will update this alert.
For All WatchGuard Users:
Many of WatchGuard’s Firebox models allow you to prevent your users from downloading certain media files via the web or emails. If you like, you can temporarily mitigate the risk of this vulnerability by using your Firebox’s HTTP, SMTP, and POP3 proxy services to block all the media files that Quicktime handles. However, many different media files trigger this vulnerability, and blocking them all also prevents your users from downloading many legitimate media files. Therefore, we encourage you to rely on the other workarounds described above, instead.
Status:
We’ll update you as soon as Apple releases a patch or update of Quicktime.
References:
This alert was researched and written by Corey Nachreiner, CISSP