Month of Apple Bugs: Quicktime RTSP Exploit

by Erica Sadun

The first bug of the Month of Apple Bugs has gone live and describes a stack overflow that allows arbitrary code execution. It supposedly affects both Windows and Mac QuickTime 7.1.3. I personally do not have the security background to assess whether this is a real or critical vulnerability, so I look forward to your feedback via e-mail or comments.


2007-01-02 13:01:49
So far, from all the forums/sites/posts I've read, no one has actually gotten the thing to work. Sounds like a lot of sizzle but no steak.
James Bailey
2007-01-02 16:00:30
It looks real to me. These sorts of exploits are difficult to run reliably, though someone could probably get it working better with a lot of work. Mostly it will just crash, though, from what I can see. I might attempt to get a better handle on it later.

For now, protect yourself by going to System Preferences->Quicktime->Advanced->MIME Settings...->Streaming->RTSP Stream Descriptor and turning it off. If there is something on the web that you really want to view, you can just turn it back on temporarily.

It looks real enough that I expect a patch from Apple in a week or two.

James Bailey
2007-01-02 16:02:49
Oh and the second exploit is posted now. It is a similar buffer overrun in VLC using the udp:// protocol. I'm thinking that this new one isn't going to cause much panic.

Have they already run out of bugs in actual Apple products?

2007-01-03 07:42:16
An ex-Apple guy, Landon Fuller, who was an employee in their BSD technology group, has a project to, if possible, provide run-time fixes for these bugs as they come.

Perhaps one should say MoAB is his washpot (Ps. 60 in case anyone's curious - I've a feeling there are probably a few more good MoAB/Moab jokes to be wrung out of the King James Bible.)

Anyway, since this is a runtime patch it does involve installing a third-party hack. SANS notes:

"... this fix requires a third party application to be loaded which may introduce its own set of issues and vulnerabilities!"

But maybe some people will want to do that; and it's an interesting project anyway.

Scott Pattison
2007-02-13 15:50:56
I've been experiencing this error ever since installing 7.1.3. I questioned Apple a long time ago and they seem to be doing nothing for Windows users. Same problem exists if using Quicktime through Real Player for the live video stream at m-f 3-6 pac. time. I haven't found a true solution anywhere yet. I can't believe Apple hasn't addressed this more openly.
Ada Wakeman
2007-11-21 13:41:05
Well, I really wanna know if you found the answer to your question because I have a similar problem; I don't have the security background to assess.
