[VulnWatch] [DR018] Quartz Composer / QuickTime 7 information leakage

From: David Remahl (vuln_at_remahl.se)
Date: 05/12/05

    To: SecurityTracker <bugs@securitytracker.com>, VulnWatch <vulnwatch@vulnwatch.org>, Secunia <vuln@secunia.com>, Full-Disclosure <full-disclosure@lists.grok.org.uk>, Seifried's Security list <security@lists.seifried.org>, Heise Security <red@heisec.com>, SecuriTeam <news@securiteam.com>, BugTraq <bugtraq@securityfocus.com>
    Date: Thu, 12 May 2005 02:00:39 +0200

    The canonical URI of this advisory is <http://remahl.se/david/vuln/

    This advisory concerns an as-yet unpatched problem in QuickTime 7 on
    Mac OS X 10.4. The reason for disclosure before a vendor patch is
    that another person realized the potential problem independently and
    posted a message about it to the public mailing list quartzcomposer-
    dev (hosted by Apple).

    The suggested workaround is to disable the QuickTime browser plugin
    until a fix is available from the vendor.

    / Regards, David Remahl

    DR018: Quartz Composer / QuickTime 7 information leakage

       Date of discovery: 2005-04-26
    Date of publication: 2005-05-11
           Discovered by: David Remahl <david@remahl.se>
            Advisory URL: http://remahl.se/david/vuln/018/
                    CVEs: n/a [as of this writing, the author is aware of
    no CVEs assigned to this vulnerability]
          Classification: information exposure; design error
                 License: Public Domain

         Verified vulnerable:
             * Apple Mac OS X 10.4 (QuickTime 7)
         Verified safe:
             * Apple Mac OS X 10.3.9 (QuickTime 6.5, 7)
             * QuickTime for Windows


    Quartz Composer files are created with the Quartz Composer
    application included with the developer tools. The compositions (QTZ
    files) it creates can be used as screen savers, viewed as they are in
    the application or embedded as QT atoms in a .mov container. As such,
    they can be viewed in a wide-ranging array of environments, including
    a web browser, Keynote 2 and the Finder.

    Compositions have access to a number of powerful tools (patches),
    each providing or acting upon information, ultimately resulting in a
    graphic composition. The design assumption seems to be that this
    information always stays inside the presentation. However, by
    combining patches that provide detailed system information with
    patches that load data from the Internet, a malicious .mov file
    (viewed, for example, with the QuickTime web plugin) can leak that
    information to an external host.

    This issue has not been addressed by Apple yet, and because details
    of the potential exploit appeared in a public forum shortly after I
    had notified the vendor, a fix may still be some time away. A
    temporary workaround is disabling the QuickTime plugin and treating
    Quartz Composer files with suspicion.


    The information that can be leaked by this method includes (but may
    not be limited to):
          local user name (long and short)
          computer name
          local IP
          OS / kernel version
          CPU / RAM / GPU configuration
          names (human-readable) of Bonjour services on the local
          local or system time
          volume of audio input
          lists of images (including PDFs) matching arbitrary Spotlight
          queries
          lists of images (including PDFs) in specific directories
          (relative to / or ~)
          the existence of image and movie files, which can indicate the
          presence of certain software packages

    This information can be used to profile potential victims, for
    further attacks against the user's system or for phishing-related
    social engineering.


    A proof-of-concept in the form of a Quartz Composer composition
    embedded in a .mov file is available at the following link. Please
    see that document for more information.



    The basic attack works as follows:
         1. A patch providing the information (for example the Host Info
            patch) is created (A).
         2. The output of (A) is connected to a JavaScript patch which
            uses encodeURIComponent() to URI-encode the string (B).
         3. The output of (B) is connected to a String Printer, which
            results in a URI, for example (C).
         4. The output of (C) is connected to the URL input connection
            of either the Image Downloader patch or the RSS Feed patch (D).
         5. The output of (D) must be used somehow, otherwise this part
            of the patch graph will not be evaluated. Rendering the output
            (via a String to Image) to a 0-sized billboard is fine.
         6. When the (D) patch is activated, it will access the URI
            (output of (C)), thus leaking the restricted information to an
            HTTP host of the attacker's choice.
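    A defender-side triage check for the pattern in steps 1-6, added here
    and not part of the advisory: it walks a composition's patch graph and
    flags any system-information patch whose output reaches a URL-fetching
    patch, however many patches sit in between. The plist layout it reads
    and the PLACEHOLDER_* class names are assumptions; substitute the
    identifiers found in a real .qtz file.

```python
from collections import deque

# Assumption (not from the advisory): a composition's plist gives each patch
# "nodes" (dicts with "key", "class" and, for macros, a nested "state" of the
# same layout) and "connections" (dicts with "sourceNode"/"destinationNode").
# The class names are placeholders for the Host Info, Image Downloader and
# RSS Feed patches; substitute the identifiers seen in a real .qtz file.
INFO_CLASSES = {"PLACEHOLDER_HostInfo"}
NETWORK_CLASSES = {"PLACEHOLDER_ImageDownloader", "PLACEHOLDER_RSSFeed"}

def collect_graph(patch, classes, edges):
    """Flatten node classes and edges into the given dicts, recursing into macros."""
    for node in patch.get("nodes", []):
        classes[node["key"]] = node.get("class", "")
        collect_graph(node.get("state", {}), classes, edges)
    for conn in patch.get("connections", {}).values():
        edges.setdefault(conn["sourceNode"], []).append(conn["destinationNode"])

def find_leak_paths(composition):
    """Return (info_node, network_node) pairs where a system-information patch
    reaches a URL-fetching patch through any chain of connections."""
    classes, edges = {}, {}
    collect_graph(composition.get("rootPatch", composition), classes, edges)
    hits = []
    for start in (k for k, c in classes.items() if c in INFO_CLASSES):
        seen, queue = {start}, deque([start])
        while queue:  # breadth-first walk along the data-flow connections
            cur = queue.popleft()
            if classes.get(cur) in NETWORK_CLASSES:
                hits.append((start, cur))
            new = [n for n in edges.get(cur, []) if n not in seen]
            seen.update(new)
            queue.extend(new)
    return hits

def _edge(src, dst):
    return {"sourceNode": src, "destinationNode": dst}

# Constructed sample following steps (A)-(D) of the advisory: Host Info ->
# JavaScript -> String Printer -> Image Downloader -> Billboard.
LEAKY = {"rootPatch": {
    "nodes": [{"key": k, "class": "PLACEHOLDER_" + c} for k, c in [
        ("A", "HostInfo"), ("B", "JavaScript"), ("C", "StringPrinter"),
        ("D", "ImageDownloader"), ("E", "Billboard")]],
    "connections": {"c1": _edge("A", "B"), "c2": _edge("B", "C"),
                    "c3": _edge("C", "D"), "c4": _edge("D", "E")}}}
# Constructed benign sample: same patches, but Host Info only feeds the Billboard.
BENIGN = {"rootPatch": {"nodes": LEAKY["rootPatch"]["nodes"],
                        "connections": {"c1": _edge("A", "E"), "c2": _edge("D", "E")}}}
```

    For a file on disk, pass the result of plistlib.load() on the .qtz to
    find_leak_paths; an empty list means no information patch feeds a
    network patch.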


    Apple Computer's security team was contacted with information about
    the issue on 2005-05-06. Following a discussion of this problem on
    the public quartzcomposer-dev mailing list (initiated by a third
    party), the full details of the problem were released on May 11.


    Apple Computer
          2005-05-10, 04:50 UTC: Confirmed receipt of problem report (did
          not confirm issue).
