Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Apple QuickTime 7.3 RTSP Response 0day

Published: 2007-11-26
Last Updated: 2007-11-29 18:02:05 UTC
by Joel Esler (Version: 9)
1 comment(s)

Thank you all for writing in!!  We appreciate it, things have been a little crazy around the ISC today, so we haven't been able to throw some stuff up on the diary about the Quicktime bug.  (We've had to wake everyone up, they all ate turkey..tryptophan... it's not pretty, anyway...)

As outlined by Secunia, Apple's Quicktime 7.2 and 7.3 has a overwrite condition via incorrect rtsp parsing.  Check it out here

There are several things you can do until this gets patched (just remember to undo them after you patch!).

1) Block the RTSP protocol.  Ports are 554/tcp and 6970-6999/udp.

CORRECTION:  The RTSP protocol can go over any port. (Thank you for correcting me.)  The US-CERT exact verbiage says:

"Blocking the RTSP protocol with proxy or firewall rules may help mitigate this vulnerability. Note that RTSP (default 554/tcp and 6970-6999/udp) may use a variety of port numbers, so blocking the protocol based on a particular port may not be sufficient."

Excuse my poor paraphrasing.

2) Set the Killbit for Quicktime CLSID's:


There are some other recommendations over at the US-CERT site.  But like I said, remember to undo them after the patch, or you will be wondering why things aren't working with your Quicktime streams. 

Please remember that Quicktime is a component of iTunes...


UPDATE:  We have received a report that exploits are now working for Vista, XP, IE6, IE7, and Safari 3.0 on Windows.  Keep in mind that other attack vectors may be vulnerable as well.

UPDATE-2:  Firefox has been reported as an exploit vector as well.

UPDATE-3:  Thanks to a friend of mine:  What's wrong with this picture?  Boy this vulnerability looks familiar...

UPDATE-4:  We recommend following US-CERT's guidelines.  I've been asked alot "what do you know, what can I do".  Welp, that's what I recommend.

 UPDATE-5:  Looks like the exploit is now affecting OSX.  With this single exploit it affects:

"+leopard_ppc +leopard_x86 +tiger_x86 +tiger_ppc +win_xpsp2"

Joel Esler

1 comment(s)
Diary Archives