Unused parameter exposes QuickTime users
by Steve Ragan - Sep 2 2010, 08:30

A parameter in Apple’s QuickTime software, which is no longer in use, could lead to a total compromise if exploited. The code, which is almost 10 years old, is remotely exploitable and will bypass Microsoft’s ASLR depending on the attack vector.
The unused parameter, called '_Marshaled_pUnk', was discovered by Rubén Santamarta, head of Security Assessment for Wintercore.
“Do not hype this issue beyond [what] it deserves. This time Backdoor != malicious code but a horrible trick a developer implemented during the development cycle. These hacks could end up having a harmful impact,” Santamarta urged.
The parameter has existed for years, and was used to draw contents onto an existing window instead of creating a new one, Santamarta explained. He found the original usage by examining an older version of QTPlugin.ocx from 2004.
An attack would use the _Marshaled_pUnk parameter as a means to push malicious code into memory, thus allowing remote code execution. According to Santamarta, a successful attack would allow for complete control over a system.
A proof-of-concept example defeated ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) on Windows 7, Vista, and XP. The proof-of-concept attack worked by using Windows Live Messenger DLLs, which are loaded by default into Internet Explorer without ASLR flags.
“Any DLL that is loaded within the browser process that does not support ASLR may be a potential attack vector. This includes in-browser plugins like Flash, as well as other third-party add-ins and even other ActiveX controls,” HD Moore, CSO at Rapid7 and chief architect for the Metasploit project, explained to The Tech Herald.
“This flaw will likely be used in drive-by attacks, due to the simplicity of the bug, and the prevalence of both QuickTime and Internet Explorer,” he added.
We asked Moore how common it was to see a developer use a parameter and, after it is dropped, fail to remove it from source. After all, this is an unusual discovery.
“It is uncommon to see a parameter like this in a shipping component,” he said, adding that the _Marshaled_pUnk issue is “one of the few cases I have seen as it applies to ActiveX controls.”
“While other controls have shipped with insecure (by design) features, this one is strange in that it is not directly usable within the web control.”
What about correcting this? Are rigorous code auditing and quality assurance the only means of prevention?
“That is a good question,” Moore said. “In this specific case, I have no idea. This is not a typical oversight for most ActiveX developers.”
Odds are, _Marshaled_pUnk was useful at the time, but later improvements to QuickTime rendered it obsolete. It is a mystery as to why the parameter itself was not scrubbed, however.
The reason DEP and ASLR exist is flaws like the one Santamarta discovered. Use of the two mitigations is part of Microsoft’s SDL (Security Development Lifecycle). The problem is legacy code: in some cases, even new versions of popular applications fail to opt into the Microsoft protections during development.
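As an added illustration (not from the article, Santamarta or Rapid7), the Python script below performs the audit Moore’s comment implies: it reads the DllCharacteristics field of a PE image and reports whether the module opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) at link time, so a defender can list which DLLs loaded in a browser process lack those flags. The flag values are the documented PE/COFF constants; the sample image is constructed inline and the helper names are this example’s own.

```python
import struct
import sys

# Documented PE/COFF DllCharacteristics flags (IMAGE_OPTIONAL_HEADER)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible

def pe_mitigations(data: bytes) -> dict:
    """Return which link-time mitigations a PE image (DLL/EXE/OCX) opted into."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                 # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def modules_without_aslr(modules: dict) -> list:
    """Given {module name: image bytes}, list the modules that did not opt into ASLR."""
    return sorted(name for name, data in modules.items()
                  if not pe_mitigations(data)["aslr"])

def build_sample_image(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (hypothetical module), enough for pe_mitigations()."""
    img = bytearray(0x40 + 4 + 20 + 96)        # DOS header, PE sig, COFF header, optional header
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", img, opt, 0x10B)    # PE32 magic
    struct.pack_into("<H", img, opt + 70, dll_chars)
    return bytes(img)

if __name__ == "__main__":
    # Usage: python check_pe.py <module.dll> [...]  (prints per-module ASLR/DEP opt-in)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```

Run it against the DLLs and ActiveX controls loaded into the browser process; any module reported with `aslr: False` is one of the non-randomized images the article describes.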
Apple has not yet commented on the discovery. Metasploit Express customers were able to access an exploit module for QuickTime’s _Marshaled_pUnk as of Wednesday morning. Metasploit users can likely expect it soon.
The initial advisory for the issue can be found here.