MoAB #1: Apple Quicktime RTSP URL Handling Buffer Overflow Vulnerability

LMH’s “Month of Apple Bugs” has begun:

“‘LMH’ has discovered a vulnerability in Apple Quicktime, which can be exploited by malicious people to compromise a user’s system,” Secunia reports.

“The vulnerability is caused due to a boundary error when handling RTSP URLs. This can be exploited to cause a stack-based buffer overflow via a specially crafted QTL file with an overly long (more than 256 bytes) ‘src’ parameter (e.g. ‘rtsp://[any character]:[>256 bytes]’),” Secunia reports. “Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 7.1.3.100 (Windows version) and reportedly affects both Microsoft Windows and Mac OS X versions.”

Secunia reports, “Solution: Do not open untrusted QTL files.”

More info here.

“This issue has been successfully exploited in QuickTime™ Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected,” LMH reports.

Full article here.
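As an added defender's example (not code from Secunia, LMH, or the article), a small Python scanner that flags QuickTime Media Link files whose RTSP `src` exceeds the advisory's 256-byte limit. It assumes a QTL file is a short XML document carrying the link in an `<embed src="...">` attribute (not stated on the page), and the sample documents are constructed here.

```python
"""Scan QuickTime Media Link (.qtl) files for the over-long RTSP 'src'
pattern described in the Secunia/LMH advisory above.

Assumptions (not stated on the page): a QTL file is a small XML document
whose media reference lives in the 'src' attribute of an <embed> element.
The 256-byte threshold comes from the advisory. Sample files are constructed
here for demonstration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RTSP_SRC_LIMIT = 256  # advisory: more than 256 bytes in the 'src' parameter


def find_suspicious_src(qtl_bytes: bytes) -> list[str]:
    """Return every 'src' value that is an RTSP URL longer than the
    advisory's 256-byte limit (measured in encoded bytes, not characters)."""
    hits = []
    try:
        root = ET.fromstring(qtl_bytes)
        srcs = [el.get("src") for el in root.iter() if el.get("src")]
    except ET.ParseError:
        # Damaged XML still deserves a look: fall back to a plain attribute scan.
        srcs = re.findall(rb'src\s*=\s*["\']([^"\']*)["\']', qtl_bytes, re.I)
        srcs = [s.decode("utf-8", "replace") for s in srcs]
    for src in srcs:
        if urlsplit(src).scheme.lower() == "rtsp" and len(src.encode("utf-8")) > RTSP_SRC_LIMIT:
            hits.append(src)
    return hits


def build_qtl(src: str) -> bytes:
    """Constructed sample QTL document with the given 'src' (for testing)."""
    return (b'<?xml version="1.0"?>\n'
            b'<?quicktime type="application/x-quicktime-media-link"?>\n'
            + f'<embed src="{src}" autoplay="true" />'.encode())


# Constructed samples: a benign link and one matching the advisory's pattern.
BENIGN = build_qtl("rtsp://media.example.invalid/movie.mov")
OVERLONG = build_qtl("rtsp://a:" + "A" * 300)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("overlong", OVERLONG)):
        hits = find_suspicious_src(doc)
        print(f"{name}: {'FLAGGED' if hits else 'ok'} ({len(hits)} oversize rtsp src)")
```

A check like this belongs at a mail gateway or file-scanning point; it does not replace patching, but it gives a concrete rule for the advisory's trigger condition.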

55 Comments

  1. “The vulnerability is confirmed in version 7.1.3.100 (Windows version) and reportedly affects both Microsoft Windows and Mac OS X versions.” (my emphasis)

    So it MIGHT be a Windows issue or a QuickTime issue (could be due to how QuickTime interacts with Windows or an issue of QuickTime itself). It MIGHT be cross platform; it might not be.

    Great way to nail down the specifics of the issue! NOT!

    I just love all these people claiming, “Successful exploitation allows execution of arbitrary code.” Just because you can get the process(or) to look at the data as code, does not mean it can be an exploiting piece of code. There are lots of restrictions in the OS and QT as to what code can and cannot do even when it runs.

    It would be much more interesting if the people putting forth this “exploit” were to say that they had been able to run code that actually DID something rather than the old saw about being able to run “arbitrary code”. Until someone has shown — even in a lab environment — that truly malicious code can be run to effect some nefarious action then I call this one a non issue.

    Should Apple fix it? YES.
    Is it a non issue at this point? YES

  2. hey i thought i was the only one with similar feelings. i’m running a mac pro, used to have a power mac dual. i dunno, OS X and the finder feels better. hard to describe, but everything feels better and more refined on the ppc. same amount of ram too, 3 gigs

  3. “This can be exploited to cause a stack-based buffer overflow via a specially crafted QTL file with an overly long (more than 256 bytes) ‘src’ parameter (e.g. ‘rtsp://[any character]:[>256 bytes]’).”

    And how many normal users have this special QTL file?

    Answer 1

    Non-issue in my opinion. Which means the bugs still stand at zero.

    Next?

  4. All this talk about Intel processors leads me to question whether the vulnerability is limited to them. Is QuickTime on PPC computers not affected?

    I know QT is QuickTime, but what does the L mean in QTL? I found RTSP at the acronym finder site, but not QTL.

  5. Remember “bug” and “security risk” are two separate things. There are many many bugs in OSX.

    By the way, bug.squisher, it’d probably help if you set up the mime settings on that server so that it treats .qtl files as something other than text. Just trying to help :)
