[DR018] Quartz Composer / QuickTime 7 information leakage

To: SecurityTracker <bugs@xxxxxxxxxxxxxxxxxxx>, VulnWatch <vulnwatch@xxxxxxxxxxxxx>, Secunia <vuln@xxxxxxxxxxx>, Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, Seifried's Security list <security@xxxxxxxxxxxxxxxxxx>, Heise Security <red@xxxxxxxxxx>, SecuriTeam <news@xxxxxxxxxxxxxx>, BugTraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [DR018] Quartz Composer / QuickTime 7 information leakage
From: David Remahl <vuln@xxxxxxxxx>
Date: Thu, 12 May 2005 02:00:39 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The canonical URI of this advisory is <http://remahl.se/david/vuln/018/>.

This advisory concerns an as-yet unpatched problem in QuickTime 7 onMac OS X 10.4. The reason for disclosure before a vendor patch isthat another person realized the potential problem independently andposted a message about it to the public mailing list quartzcomposer-dev (hosted by Apple).

The suggested workaround is to disable the QuickTime browser pluginuntil a fix is available from the vendor.


/ Regards, David Remahl

DR018: Quartz Composer / QuickTime 7 information leakage
=================================

  Date of discovery: 2005-04-26
Date of publication: 2005-05-11
      Discovered by: David Remahl <david@xxxxxxxxx>
       Advisory URL: http://remahl.se/david/vuln/018/

CVEs: n/a [as of this writing, the author is aware ofno CVEs assigned to this vulnerability]

     Classification: information exposure; design error
            License: Public Domain

AFFECTED PRODUCTS
    Verified vulnerable:
        * Apple Mac OS X 10.4 (QuickTime 7)
    Verified safe:
        * Apple Mac OS X 10.3.9 (QuickTime 6.5, 7)
        * QuickTime for Windows

INTRODUCTION

Quartz Composer files are created with the Quartz Composerapplication included with the developer tools. The compositions (QTZfiles) it creates can be used as screen savers, viewed as they are inthe application or embedded as QT atoms in a .mov container. As such,they can be viewed in a wide-ranging array of environments, includinga web browser, Keynote 2 and the Finder.

Compositions have access to a number of powerful tools (patches),each providing or acting-upon information, ultimately resulting in agraphic composition. The design assumption seems to be that thesedetails should always be contained within the presentation. However,by combining patches that provide advanced system information withpatches that load information from the Internet, a malicious .movfile (viewed for example by the QuickTime web plugin) can leak thisinformation to an external host.

This issue has not been addressed by Apple yet, and because detailsof the potential exploit appeard in a public forum shortly after Ihad notified the vendor, a fix may still be some time away. Atemporary work-around is disabling the QuickTime plugin and treatingQuartz Composer files with suspicion.


IMPACT

The information that can be leaked by this method includes (but maynot be limited to):

    ∙     local user name (long and short)
    ∙     computer name
    ∙     local IP
    ∙     OS / kernel version
    ∙     CPU / RAM / GPU configuration

∙ names (human-readable) of Bonjour services on the localnetwork

    ∙     local or system time
    ∙     volume of audio input

∙ lists of images (including pdfs) matching arbitraryspotlight queries∙ lists of images (including pdfs) in specific directories(relative to / or ~)∙ the existence of image and movie files can indicate theexistance of certain software packages

This information can be used for profiling of potential victims, forfurther use in attacks against the user's system or phising relatedsocial engineering.


DEMONSTRATION

A proof-of-concept in the form of a Quartz Composer compositionembedded in a .mov file is avaiilable at the following link. Pleasesee that document for more information.


    http://remahl.se/david/vuln/018/demo.html

DETAILS

The basic attack works as follows:

1. A patch providing the information (for example the HostInfo patch) is created (A)2. The output of (A) is connected to a JavaScript patchwhich uses encodeURIComponent() to URI encode the string (B).3. The output of (B) is connected to a String Printer whichresults in a URI, for example (C)4. The output of (C) is connected to the URL inputconnection of either the Image Downloader patch or the RSS Feedpatch. (D)5. The output of (D) must be used somehow, otherwise thispart of the patch graph will not be used. Rendering the output (via aString to Image) to a 0-sized billboard is fine.6. When the (D) patch is activated, it will access the URI(output of (C)), thus leaking the restricted information to an HTTPhost of the attacker's choice.


VENDOR CONTACT

Apple Computer's security team was contacted with information aboutthe issue on 2005-05-06. Following a discussion of this problem onthe public quartzcomposer-dev mailinglist (initiated by a third-party), the full details of the problems were released on May 11.


RESPONSE

Apple Computer

∙ 2005-05-10, 04:50 UTC: Confirmed receipt of problem report(did not confirm issue).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCgpysFlFiDoclYIURAucPAJ9CYHddNaBbv5DMf77FEQk4UIbOdwCdFERf
/UINoKuuHPIrsMAKQVY4xbQ=
=LKr3
-----END PGP SIGNATURE-----

Prev by Date: RE: TCP/IP implementations do not adequately validate ICMP error messages
Next by Date: Firefox 1.0.4 released. Several vulnerabilities fixed
Previous by thread: Yappa-NG Multiple Vulnerabilities
Next by thread: Firefox 1.0.4 released. Several vulnerabilities fixed
Index(es):
- Date
- Thread