MA-121.112007: Apple QuickTime - RTSP "Content-Type" Header Buffer Overflow

Original Issue Date: 29th November 2007

1. Description

1.1. Overview

MyCERT has received information regarding extremely critical vulnerabilities in Apple QuickTime that allow a remote attacker to execute arbitrary commands or cause a denial of service condition.

1.2. Impact

MyCERT is aware that unpatched Apple QuickTime prior to version 7.3 is vulnerable in the way it handles the Real Time Streaming Protocol (RTSP). The vulnerability is caused by a boundary error when processing RTSP replies and can be exploited to cause a stack-based buffer overflow via a specially crafted RTSP reply containing an overly long "Content-Type" header. For successful exploitation, an attacker would need to convince a user to open a malicious QTL file or visit a malicious web site. Note that Apple iTunes installs QuickTime, so any system with iTunes is vulnerable. We are aware of publicly available exploit code for this vulnerability.

1.3. Software Affected

1.3.1. Apple QuickTime prior to 7.3
1.3.2. Apple iTunes
1.3.3. Microsoft Windows
1.3.4. Apple Mac OS X

2. Solution

We are currently unaware of any solution for this problem. However, we suggest that users try the following workarounds to help mitigate it.

2.1. Block the RTSP (rtsp://) Protocol

MyCERT strongly recommends that all Internet users temporarily block TCP port 554 and UDP ports 6970-6999 with proxy or firewall rules to mitigate the problem. Note that blocking only these port numbers is not sufficient, because the protocol can be carried over a variety of other port numbers.

2.2. Disable the QuickTime ActiveX Controls in Internet Explorer

The QuickTime ActiveX controls can be disabled by setting the kill bit for their CLSIDs. The following text can be saved as a .REG file and imported to set the kill bit for these controls:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]
    "Compatibility Flags"=dword:00000400

Note: Modifying the registry is done at your own risk. Please make a proper registry backup before attempting to modify the registry. We are not liable for any software loss or malfunction caused by modifying the registry manually.

2.3. Disable the Mozilla QuickTime Plugin

Firefox users may uninstall the plugin by opening Tools > Add-ons, locating the QuickTime plugin and uninstalling it.

2.4. Disable the File Association for QuickTime

Disabling the file association for QuickTime file types helps prevent Windows applications from using Apple QuickTime to open QuickTime files. This can be accomplished by deleting the following registry keys:

    HKEY_CLASSES_ROOT\QuickTime.*

This will remove the association for approximately 32 file types that are configured to open with the QuickTime Player software.

Note: Modifying the registry is done at your own risk. Please make a proper registry backup before attempting to modify the registry. We are not liable for any software loss or malfunction caused by modifying the registry manually.

2.5. Do Not Follow Unsolicited Links

Attacks involving the aforementioned vulnerabilities require the user to load a specially crafted QTL file. Therefore, do not click on unsolicited links received via email, forums or chat programs.

3. References

3.1. Backdooring MP3 Files
http://www.gnucitizen.org/blog/backdooring-mp3-files/
3.2. Firewalls & QuickTime
http://www.apple.com/quicktime/resources/qt/us/proxy/
3.3. Secunia Vulnerability Advisory
http://secunia.com/advisories/27755/
3.4. Remote Hacker Automatic Control
http://www.beskerming.com/security/2007/11/25/74/QuickTime_-_Remote_hacker_automatic_control
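Because port blocking (section 2.1) cannot cover every port RTSP may use, a proxy or IDS can complement it by inspecting the reply itself for the condition described in section 1.2: a "Content-Type" header far longer than any legitimate media type. The following Python check is an added example written for this advisory, not MyCERT's or Apple's code; the 256-byte threshold and the two sample replies are constructed assumptions, not captured traffic.

```python
"""Flag RTSP replies whose Content-Type header is suspiciously long.

Added example (not from the MyCERT advisory). The 256-byte threshold is an
assumption chosen for illustration; tune it to what legitimate servers send.
"""
import re

MAX_CONTENT_TYPE_LEN = 256  # assumed threshold, not stated in the advisory

# Status line of an RTSP reply, e.g. "RTSP/1.0 200 OK"
STATUS_RE = re.compile(rb"^RTSP/\d\.\d \d{3} .*$")


def parse_rtsp_reply(raw: bytes):
    """Split an RTSP reply into (status_line, {header: value}, body).

    Header names are lower-cased; repeated headers are joined with ', '.
    Header line folding is not handled. Raises ValueError if the reply
    does not start with an RTSP status line or a header line is malformed.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not STATUS_RE.match(lines[0]):
        raise ValueError("not an RTSP reply")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line[:40])
        key = name.strip().lower().decode("latin-1")
        val = value.strip().decode("latin-1")
        headers[key] = headers[key] + ", " + val if key in headers else val
    return lines[0].decode("latin-1"), headers, body


def content_type_overflow_risk(raw: bytes, limit: int = MAX_CONTENT_TYPE_LEN):
    """Return (flagged, length): flagged is True if Content-Type exceeds limit."""
    _, headers, _ = parse_rtsp_reply(raw)
    ct = headers.get("content-type", "")
    return len(ct) > limit, len(ct)


# Constructed sample replies (not captured traffic); the suspect one simply
# pads the header with filler to exceed the threshold.
BENIGN_REPLY = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
                b"Content-Length: 0\r\n\r\n")
SUSPECT_REPLY = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: " + b"A" * 1024 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, reply in (("benign", BENIGN_REPLY), ("suspect", SUSPECT_REPLY)):
        flagged, n = content_type_overflow_risk(reply)
        print(f"{label}: Content-Type length {n}, flagged={flagged}")
```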