RSS RSS Twitter Twitter
troubleshooting/tutorials/security

01/02/2007, 1:10pm, EST

Tuesday, January 2nd

'Month of bugs' reveals QuickTime exploit

A security analyst who elected to kick off the new year with one month of Apple bugs has published the first flaw -- which resides in Apple's QuickTime software. A new post states that a vulnerability in the QuickTime rstp URL handler could allow malicious users to remotely execute code via a stack-based buffer overflow. "By supplying a specially crafted string, an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition," the anonymous security expert wrote. The example exploit, which requires a working Ruby interpreter, creates a QTL file that users can open locally or that is served remotely via a Web server. The poster notes that while the sample exploit itself is trivial in nature, the code could easily be modified to use shell code. The author also notes that the only known workaround for Mac users is to disable the rtsp:// URL handler or uninstall QuickTime entirely.


Filed under: troubleshooting

, , 11comments, del.icio.us, slashdot, digg, buzz , Twitter



11 comments
Reader Reactions (Please use <i></i> for italic text)

subscribe to comments
for this article




Expand All   Global Settings
fritzw1957
I suspect...
0
01/02, 1:19pm, EST
a Security Update forthcoming from Apple. While Apple hasn't always been fast at releasing some updates, they will probably address this "bug" soon enough.
Fresh-Faced Recruit
Joined Nov 2004
User is offline
sixcolors
Bug reporter
0
01/02, 1:38pm, EST
I generally publish stuff like this to apple's beg reporter. That way it gets fixed. All this does is give those who would actually do something malicious the methods to do so.

Why do I take this stance? Well it's simple. People who use exploits on the general public are idiots. They do not have the ability to find actual security flaws and exploit them. They require someone else to find them, publish them and they then follow directions.

I'll stick to being constructive instead of being an egomaniacal ass.
Fresh-Faced Recruit
Joined Oct 2001
User is offline
smittie
Exploitation indeed
0
01/02, 1:52pm, EST
The real exploitation here is LHM. LHM seeks to exploit the media in order to gain his fifteen minutes of fame. Whether LHM wants to prove that he is L33t and pwnz u or wants to get someone's attention so that they will give him a job or some other goal, it is still plain and simple exploitation of the media.

It would be interesting to find out if any of the things that LHM will tell us about over the next 29 days are actually orginal. I suspect not.

In the end, as sixcolors has already pointed out, mature software engineers report bugs and security issue through established bug reporting systems so that the bugs can get fixed. Children and those with ego issues do other things.

Enjoy the spotlight LHM. I hope you find what you're really looking for.

Smittie
Fresh-Faced Recruit
Joined Jan 2007
User is offline
t6hawk
A security analyst?
0
01/02, 1:55pm, EST
This guy shouldn't be called a security analyst. Real analysts use their names.
Dedicated MacNNer
Joined Jan 2001
User is offline
smittie
Hum?
0
01/02, 2:01pm, EST
Someone smarter than me needs to look into this further but it appears to be that LHM's first security issue is either known by Apple or has already been fixed. The following quote is from this page on Apple's support site:

"QuickTime Streaming Server

CVE-ID: CVE-2006-1456

Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6

Impact: Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution

Description: By carefully crafting an RTSP request, an attacker may be able to trigger a buffer overflow during message logging. This may lead to the arbitrary code execution with the privileges of the QuickTime Streaming Server. This update adresses the issue by properly handling the boundary conditions. Credit to the Mu Security research team for reporting this issue."

Is this not the same issue that LHM claims to be reporting??
Fresh-Faced Recruit
Joined Jan 2007
User is offline
smittie
RE: Hum?
0
01/02, 2:02pm, EST
Sorry. The url didn't post. It is:

http://docs.info.apple.com/article.html?artnum=303737

Smittie
Fresh-Faced Recruit
Joined Jan 2007
User is offline
smittie
RE: Hum?
0
01/02, 2:05pm, EST
I suppose the unique aspect that LHM is reporting is that the rtsp request affects not only QTSS but QuickTime client as well.

Fresh-Faced Recruit
Joined Jan 2007
User is offline
mgpalma
yawn
0
01/02, 2:48pm, EST
I can't wait to see what's next.
Fresh-Faced Recruit
Joined Sep 2000
User is offline
williamdrover
aaaarghh
0
01/02, 2:54pm, EST
Actually ther 'bug' is that I watched a movie of this 'analyst's' mother in Quictime and it made me smash my face through my monitor in horror, thus rendering the entire computer useless. It's way more serious than he leads you to believe!
Fresh-Faced Recruit
Joined Jan 2005
User is offline
Rosyna
Already a fix...
0
01/02, 3:50pm, EST
There's already a fix for it available at http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php
Forum Regular
Joined Aug 2001
User is offline
additional comments:..1..2..Next
Your Comments

In order to post comments: If you are a registered member, please login with your MacNN Forums username and password otherwise please uncheck the checkbox below.


Registered Member?
macnn forums login:

macnn forums password:

Not a member of the MacNN forums? Register now for free.

MacNN iPodNN Electronista
top searches
1. apple
2. iphone
3. apple TV
4. ipod
5. mac
6. BBC
7. icons
8. icon
9. macbook
10. leopard
search for more ..
RSS Feeds

Have the latest content delivered to your desktop via RSS. Use the links below to get access to a specific blog, news, or reviews feed.



  MacNN -all

  MacNN Reviews

  MacNN Podcasts

  iPodNN

  Electronista

  Left Lane News
Want To Sell Your Laptop? Any Condition - receive Top Cash. Get an instant quote. Free shipping www.CashForLaptops.com

Internet Marketing School - 100% Online: Master SEO, SEM, E Commerce, Media & More with a U of San Francisco Certificate.

Autodesk Inventor For Digital Prototypes: Use Inventor To Virtually Model, Test, and Iterate in 3D & Get To Market Faster!

Buy from The Apple Store, iTunes.com, Amazon.com, TechDepot, OfficeDepot, Computers4Sure, or donate.