Great…just came to know from “El Reg” how an obsolete parameter in a program separate from OS can wreak havoc. Worse, when it was a development flaw which has been in the lurch,undetected for last 9 years. A spanish security researcher,Ruben Santamarta recently unearthed a backdoor in Apple Quicktime player that can be used to remotely exploit arbitrary code on Windows based systems. The backdoor “_Marshaled_pUnk” is bizzare in nature as it is the work of an Apple developer who added it to to the QuickTime code base and then, most likely, forgot to remove it when it was no longer needed.Adding salt to it, this can be used to exploit to take FULL control of even the latest of Windows OS- Windows 7. As told by H D Moore, CSO of Rapid7 and chief architect of the Metasploit project, to “El Reg” on monday -
“The bug is is pretty bizarre,It's not a standard vulnerability in the sense that a feature was implemented poorly. It was more kind of a leftover development piece that was left in production. It's probably an oversight.”
How the punk pwned ?
Schemes like DEP , or data execution prevention prevents any code from being executed & ASLR, or address space layout randomization, loads code into locations that an attacker cant predict there by securing parameter to some extent in Windows architecture. “_Marshaled_pUnk” however creates an object pointer equivalent that an attacker can use to load & malicious code into computer memory. In a witty maneuver, Santamarta used a technique called return oriented programming also known as ROP to load code by loading WindowsLiveLogin.dll into memory & reordered the commands in a way that allowed him to gain control of the testbed. Using the Microsoft DLL not only allowed him to know where in memory it would load, it also allowed him to get the code executed.
What next ?
Santamarta confirmed the exploit on the XP, Vista, and 7 versions of Windows. He also said that the parameter existed in QuickTime version dating back to 2001, when it could be used to draw contents into an existing window instead of creating a new one. The functionality was eventually removed from newer versions but the line lived on. Combined with an unrandomized DLL like the one for Windows Live, it represents a serious threat to end users. The flaw has demonstrated that the threat comes from the programs that fail to use ASLR & DEP protections, surprisingly as reviewed by Secunia ,a large number of popular applications — including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer, and VLC Player — neglect to use one or the other.
Till then..wait for Apple to release a patch for the 9 year old Punk.
like this post ? you can buy me a beer :)