In an old post I talked about a bug able to crash QuickTime on startup; here's a QuickTime crash that occurs when you close the application. The bugged code is something like:
movzx edx, ax ; edx = low 16 bits of eax, zero-extended
push edx ; lpData
push 1 ; dwType
push 0 ; Reserved
push eax ; lpValueName
push ebp ; hKey
call ds:RegSetValueExW
Do you see anything strange? Have a look at the RegSetValueEx parameters; the last one is defined as:
__in_opt const BYTE *lpData
It's a pointer to the data (here a string). Now pay attention to the previous instruction, movzx: it zero-extends ax into edx, so the value pushed as lpData is limited to 16 bits, and that can cause a stack buffer overflow. I don't know anything about the value stored inside ax, but I'm not interested in it.
The crash occurs under particular conditions. Again, you have to change something inside the QTPlayerSession xml file (located inside "Application Data/Apple Computer/QuickTime"). Here's an example of a possible list stored inside the xml file:

QuickTime parses the file and creates the entries inside the right registry key. The snippet I posted above will not be executed under normal conditions, but it's possible to run it by cheating a little. Try modifying the file so that it contains two identical entries:

Run QuickTime, close it, and the program will crash due to a stack buffer overflow.
(Un)fortunately it's not possible to exploit the bug, and due to the nature of the bug I don't think it will cause problems for users; it's only an annoying box to close. If you have a crash like that you can try looking at the xml file…
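Since the trigger described above is a session file carrying two identical entries, a quick way to check a suspect file is to look for duplicated siblings. The script below is an added example, not code from the original post or from Apple; the real schema of QTPlayerSession.xml is not shown on the page, so the detector is schema-agnostic (it flags any two sibling elements with the same tag, attributes and text) and the sample document, including the `session`/`entry` element names, is constructed for illustration only.

```python
"""Flag and remove duplicate sibling entries in an XML session file.

Added example (not the original post's code). The element names in the
sample below are assumptions, not QuickTime's real schema; the detector
itself does not depend on them.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the third <entry> is an exact copy of the first.
SAMPLE_XML = """<?xml version="1.0"?>
<session>
  <entry name="RecentMovie1" value="C:\\movies\\a.mov"/>
  <entry name="RecentMovie2" value="C:\\movies\\b.mov"/>
  <entry name="RecentMovie1" value="C:\\movies\\a.mov"/>
</session>
"""


def _signature(elem):
    """Canonical form of one element: tag, sorted attributes, stripped text."""
    attrs = tuple(sorted(elem.attrib.items()))
    text = (elem.text or "").strip()
    return (elem.tag, attrs, text)


def find_duplicate_entries(xml_text):
    """Return a list of (parent_tag, signature, count) for every group of
    identical sibling elements that occurs more than once anywhere in the tree."""
    root = ET.fromstring(xml_text)
    duplicates = []
    for parent in root.iter():
        counts = Counter(_signature(child) for child in parent)
        for sig, n in counts.items():
            if n > 1:
                duplicates.append((parent.tag, sig, n))
    return duplicates


def dedupe(xml_text):
    """Return the XML with repeated identical siblings reduced to one copy.

    Snapshots are taken with list() because children are removed while walking."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        seen = set()
        for child in list(parent):
            sig = _signature(child)
            if sig in seen:
                parent.remove(child)
            else:
                seen.add(sig)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for parent_tag, (tag, attrs, text), n in find_duplicate_entries(SAMPLE_XML):
        print(f"<{parent_tag}> contains {n} identical <{tag}> entries: {dict(attrs)}")
    print(dedupe(SAMPLE_XML))
```

Point `find_duplicate_entries` at the contents of the real file to list the offending groups before editing anything; `dedupe` keeps the first copy of each group, which is the state the file had before it was modified.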

Posted on 09 February 2011. Tags: crash, exploitable, leads, QuickTime