vendor:
QuickTime
by:
Security Explorations

Apple QuickTime Java extensions – quicktime.util.QTByteObject initialization security checks bypass

This vulnerability allows an attacker to bypass the security checks performed during initialization of the quicktime.util.QTByteObject class from code running inside the Java applet sandbox. It can be exploited to execute arbitrary code by loading malicious classes; the PoC demonstrates this by launching notepad.exe and creating c:\se.txt from an applet, after which the Java console reports "Security manager = null".

Mitigation:

Upgrade to the latest version of QuickTime.

Exploit-DB raw data:

/*## (c) SECURITY EXPLORATIONS    2012 poland                                #*/
/*##     http://www.security-explorations.com                                #*/

/* Apple QuickTime Java extensions                                            */
/* quicktime.util.QTByteObject initialization security checks bypass          */

In order to test the PoC code for the reported Issue 22, manually add
Vuln22Setup.class and Vuln22Setup$1.class to the original QTJava.zip
file referenced from your CLASSPATH environment variable. This file is
usually located in the lib\ext directory of your JRE base directory:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Internet\AppData\Roaming
CLASSPATH=.;C:\_SOFTWARE\jre6\lib\ext\QTJava.zip
COMMANDER_DRIVE=C:
...

Both the Vuln22Setup and Vuln22Setup$1 classes mimic Issue 15, an Oracle
Java issue that was undisclosed and not yet patched at the time of writing.

A successful exploit run should lead to the execution of notepad.exe and
the creation of the file c:\se.txt. Additionally, Java console output
similar to the one shown below should be observed:

Java Plug-in 1.6.0_33
Using JRE version 1.6.0_33-b03 Java HotSpot(TM) Client VM
User home directory = C:\Users\Internet

----------------------------------------------------
c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
l:   dump classloader list
m:   print memory usage
o:   trigger logging
q:   hide console
r:   reload policy configuration
s:   dump system and deployment properties
t:   dump thread list
v:   dump thread stack
x:   clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------

Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f
QTSession.hasSecurityRestrictions() = true
Created: MyQTByteObject
using off 0x24d00000 for Windows 7 (x86)
found Marker instance at 0x251e0008
Security manager = null
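
The following baseline check is an added example and is not part of the Security Explorations PoC or the QTJava code base. It performs the same two side effects the advisory uses as success indicators (launching notepad.exe and creating c:\se.txt) and reports whether the Java sandbox allows them, and it probes for quicktime.QTSession via reflection so it compiles without QTJava.zip on the classpath. The class name SandboxBaseline is an assumption, as is treating QTSession.hasSecurityRestrictions() as a static no-argument method (the advisory's console output prints it that way). Run it twice on the test JRE: plain `java SandboxBaseline` should report both actions ALLOWED, and `java -Djava.security.manager SandboxBaseline` should report both DENIED with an AccessControlException, since the default java.policy grants no FilePermission to application code. If the indicators succeed while a security manager is installed, as they do after the PoC runs, the sandbox has been bypassed.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.lang.reflect.Method;

/**
 * Added baseline check (not the Security Explorations PoC): exercises the
 * advisory's two success indicators and reports whether the sandbox
 * blocks them. Meant to be run with and without -Djava.security.manager.
 */
public class SandboxBaseline {

    // Indicator paths taken from the advisory text; notepad.exe is assumed to be on PATH.
    private static final String MARKER_FILE = "c:\\se.txt";
    private static final String COMMAND = "notepad.exe";

    public static void main(String[] args) {
        boolean sandboxed = System.getSecurityManager() != null;
        System.out.println("Security manager = " + System.getSecurityManager());
        System.out.println("QTJava present = " + qtJavaStatus());

        Throwable execFailure = tryExec();
        Throwable fileFailure = tryCreateFile();
        report("Runtime.exec(" + COMMAND + ")", execFailure);
        report("create " + MARKER_FILE, fileFailure);

        if (sandboxed && execFailure == null && fileFailure == null) {
            System.out.println("Both indicators succeeded with a security manager installed: sandbox bypassed");
        }
    }

    /** Probes quicktime.QTSession by reflection so this class compiles without QTJava.zip. */
    static String qtJavaStatus() {
        try {
            Class<?> qtSession = Class.forName("quicktime.QTSession");
            // Assumed static no-arg method, as printed in the advisory's console output.
            Method m = qtSession.getMethod("hasSecurityRestrictions");
            return "yes, hasSecurityRestrictions() = " + m.invoke(null);
        } catch (ClassNotFoundException e) {
            return "no (QTJava.zip not in lib\\ext or on the classpath)";
        } catch (Throwable t) {
            return "loaded, but the call failed: " + t;
        }
    }

    /** Returns null if the process launch was allowed, otherwise the failure. */
    static Throwable tryExec() {
        try {
            Process p = Runtime.getRuntime().exec(COMMAND);
            p.destroy(); // the launch itself is the indicator; do not leave a window open
            return null;
        } catch (Throwable t) {
            return t;
        }
    }

    /** Returns null if the marker file could be created, otherwise the failure. */
    static Throwable tryCreateFile() {
        FileOutputStream out = null;
        try {
            out = new FileOutputStream(MARKER_FILE);
            out.write("written by SandboxBaseline\n".getBytes("US-ASCII"));
            return null;
        } catch (Throwable t) {
            return t;
        } finally {
            if (out != null) {
                try { out.close(); } catch (IOException ignored) { }
            }
        }
    }

    /** Distinguishes a sandbox denial (SecurityException) from any other failure. */
    static void report(String what, Throwable failure) {
        if (failure == null) {
            System.out.println(what + ": ALLOWED");
        } else if (failure instanceof SecurityException) {
            System.out.println(what + ": DENIED by sandbox (" + failure.getClass().getName() + ")");
        } else {
            System.out.println(what + ": failed for another reason: " + failure);
        }
    }
}
```

The real PoC runs as an applet under sun.plugin2.applet.Applet2SecurityManager rather than as a standalone program, so the DENIED baseline here corresponds to the "Security manager = ...Applet2SecurityManager" state in the console output above, and the ALLOWED-while-sandboxed case corresponds to the final "Security manager = null" line.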

===
PoC
===

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.zip

========
Advisory
========

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.pdf