Apple Safari WebKit Counter Vulnerability (Oct 7, 2010)

Safari is a graphical web browser developed by Apple and included with the Mac OS X operating system. Safari became Apple’s default browser beginning with Mac OS X v10.3 “Panther”, and it is also the native browser on iOS. A version of Safari for Microsoft Windows, first released on June 11, 2007, supports Windows XP, Windows Vista, and Windows 7. As of 2010, Safari is the fourth most widely used browser in the US. Safari processes HTML, images, scripting languages, and various other popular Internet specifications.

Safari’s browsing functionality is built on the WebKit rendering engine. WebKit ships with a development toolkit that lets third-party developers build applications using Internet technologies such as HTML and HTTP. WebKit consists of WebCore, the layout and rendering component that includes the HTML and CSS parsers, and JavaScriptCore, the JavaScript engine. WebKit also supports styling with CSS.

Cascading Style Sheets (CSS) is a style sheet language used to describe the presentation semantics (the look and formatting) of a document written in a markup language. Its most common application is styling web pages written in HTML and XHTML, but the language can also be applied to any kind of XML document, including SVG and XUL. CSS can define color, font, text alignment, size, borders, spacing, layout and many other typographic characteristics. One of these features is CSS counters, which count objects and can, for example, number the elements inside a web document. Three pieces work together: the counter-reset property creates a named counter on an element and sets its initial value (zero unless another value is given); counter-increment increments that counter by the specified amount, or by one if no amount is given; and the counter() function, used in a content declaration, renders the current value. The example below numbers the terms inside a definition list:

    <style>
      dl { counter-reset: term; }
      dt:before { counter-increment: term; content: counter(term) ". "; }
    </style>
    <dl>
      <dt>term</dt>
      <dd>definition</dd>
      <dt>term</dt>
      <dd>definition</dd>
      <dt>term</dt>
      <dd>definition</dd>
    </dl>

In the above code, the counter-reset declaration on the dl element creates a counter named term for the list. The dt:before rule then applies the numbering scheme: each dt increments the counter and renders its value, placing a monotonically increasing number before each term in the list.

A memory corruption vulnerability exists in Apple Safari. The flaw lies in WebKit’s routine for destroying a widget: after the widget is destroyed, a counter object is left pointing at memory that is no longer valid (a use-after-free). A remote attacker can exploit this vulnerability, by luring the victim to a crafted web page, to inject and execute arbitrary code. Any injected code runs in the security context of the currently logged-in user.

The SonicWALL UTM team has researched this vulnerability and created the following GAV signatures for the known exploits:

  • Safari.RenderingCounter.AS.1
  • Safari.RenderingCounter.AS.2

The CVE identifier for this vulnerability is CVE-2010-1784.

HP Data Protector Express Stack BO (Oct 1st, 2010)

HP OpenView Storage Data Protector Express is a backup solution for enterprise and distributed environments. A Data Protector Express environment consists of various components and services controlled by a management console. The management console provides quick access to all Data Protector Express objects, including jobs, media, and scheduling rotation schemes. The login screen lets the user enter the host name or IP address of the target server to log in to; the default is the local machine, but remote hosts can be reached by hostname or IP. The console accepts a username and password combination to authenticate users. The default username is ‘Admin’ with a blank password.

The login credentials are exchanged over TCP port 3817. The protocol specification is unknown to the public as it is proprietary. The session starts with a handshake packet that includes the computer name of the client system and the database name, among other information. The handshake packet is followed by a packet containing login credentials.

The credentials packet has the following format:

 Offset     Length  Description
 ---------- ------- -----------------------------------
 0x0000     2       Command (\x51\x84)
 0x0002     10      (undocumented)
 0x000C     4       Size
 0x0010     4       (undocumented)
 0x0014     x       username
 0x0014+x   y       password

A stack buffer overflow vulnerability exists in HP OpenView Storage Data Protector Express. The vulnerability is due to a boundary error in the routine that parses the username value from the credentials packet. The vulnerable code reserves a fixed-size buffer on the stack for the username and calls strcpy to copy the NUL-terminated string into it, without first checking the length of the source string. An overly long username in the packet therefore overflows the stack buffer, overwriting critical stack data such as saved return addresses and the SEH record pointer.

Remote, unauthenticated attackers can exploit this vulnerability by sending a crafted login request to the target server; because the overflow occurs while the login request itself is parsed, no valid credentials are required. Successful exploitation may allow arbitrary code injection and execution with the privileges of the affected service. A failed attempt terminates the service abnormally, causing a denial-of-service condition.
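The following added example (not HP’s or SonicWALL’s code) builds and parses a credentials packet according to the table above and applies the check an inspection signature has to make: is the username field longer than any legitimate login could be? The field offsets come from the table; the byte order of the size field, the contents of the two undocumented fields (left as zeros) and the 256-byte alert threshold are assumptions, since the protocol is proprietary and the advisory does not give the size of the stack buffer.

```python
import struct

# Credentials packet layout from the table above (offsets from packet start):
#   0x0000  2   command, \x51\x84
#   0x0002  10  undocumented (assumed zero here)
#   0x000C  4   size (assumed little-endian, covering the bytes after the header)
#   0x0010  4   undocumented (assumed zero here)
#   0x0014  x   username, NUL-terminated (the strcpy in the service implies this)
#   0x0014+x y  password, NUL-terminated
CMD_LOGIN = b"\x51\x84"
HDR_LEN = 0x14
# Alert threshold (assumption): the advisory only says the stack buffer is
# "limited"; no legitimate account name approaches 256 bytes.
MAX_USERNAME = 256


def build_login(username: bytes, password: bytes) -> bytes:
    """Assemble a credentials packet; used here to construct traffic for the checks below."""
    if b"\x00" in username or b"\x00" in password:
        raise ValueError("credentials are C strings and cannot contain NUL")
    body = username + b"\x00" + password + b"\x00"
    return CMD_LOGIN + b"\x00" * 10 + struct.pack("<I", len(body)) + b"\x00" * 4 + body


def parse_login(pkt: bytes):
    """Return (username, password) from a credentials packet, or raise ValueError."""
    if len(pkt) < HDR_LEN or pkt[:2] != CMD_LOGIN:
        raise ValueError("not a credentials packet")
    (size,) = struct.unpack_from("<I", pkt, 0x0C)
    body = pkt[HDR_LEN:]
    if size and size <= len(body):      # trust the size field only when it is consistent
        body = body[:size]
    username, _, rest = body.partition(b"\x00")
    password, _, _ = rest.partition(b"\x00")
    return username, password


def inspect_login(pkt: bytes) -> str:
    """IPS-style verdict: flag a username long enough to overrun a fixed stack buffer."""
    username, _ = parse_login(pkt)
    if len(username) > MAX_USERNAME:
        return "alert: username of %d bytes, possible CVE-2010-3007 exploit" % len(username)
    return "ok"


if __name__ == "__main__":
    print(inspect_login(build_login(b"Admin", b"")))        # default credentials -> ok
    print(inspect_login(build_login(b"A" * 1024, b"")))     # overflow-sized username -> alert
```

The parser deliberately does not trust the size field blindly: an exploit packet can carry any value there, so the username is cut at the first NUL in the remaining bytes, which is also what strcpy in the service would do.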

SonicWall has released an IPS signature to address a known exploit targeting this vulnerability. The following signature was released:

  • 5803 – HP Data Protector Express DtbClsLogin BO Attempt

This vulnerability has been assigned CVE-2010-3007 by MITRE. The vendor has released an advisory regarding this issue.

Oficla Trojan Spam Campaign (October 1, 2010)

The SonicWALL UTM Research team has observed, over the last 3 days, a Facebook-themed spam campaign carrying a new variant of the Oficla Trojan. The spam e-mails arrive with a zip attachment containing the Oficla Trojan executable. The e-mail is drafted to look like a Facebook password reset notification.

Campaign #1

Attachment: FacebookPassword.zip
Subject: Facebook password has been changed! ID444

Email Body:
————————
How to Avoid Moving Scams
Mass. woman pleads guilty in glass-eating scheme
————————

Campaign #2

Attachment: FaceBook_Password_Nr2829.zip
Subject: Your New Facebook password

Email Body:
————————
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
————————

Campaign #3

Attachment: FaceBook_Password_Nr27477.zip
Subject: Facebook Password Reset Confirmation!

Email Body:
————————
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
————————

Sample e-mail messages look like this:

screenshot

screenshot

screenshot

The executable files inside the attachments look like this:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim’s machine:

  • Network Activity:
    • It connects to the C&C server and receives commands
    • screenshot

    • It downloads a file from the URL specified in the command
    • It sends process information to the remote C&C server
    • screenshot

  • File Activity:

    It creates the following files

    • %temp%\4.tmp – Detected as GAV: Oficla.AFZ (Trojan)
    • %temp%\5.tmp – Detected as GAV: Scar.CUQT (Trojan)
    • %windir%\system32\bfky.ojo – Detected as GAV: Oficla.AFZ (Trojan)
    • %windir%\system32\svrwsc.exe – Detected as GAV: Scar.CUQT (Trojan)
  • Process Activity:
    • It injects itself into the running svchost.exe process
  • Registry Activity:
    • It creates HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc pointing at %windir%\system32\svrwsc.exe, ensuring the infection survives a system restart
    • It modifies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with the new value “Explorer.exe rundll32.exe bfky.ojo bwapp”, ensuring the malicious DLL is loaded on system restart

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant with GAV: Oficla.AHB (Trojan) signature. [517,120 hits recorded in last 3 days]

screenshot

FakeAV Downloader – CV spam (Sept 24, 2010)

The SonicWALL UTM Research team observed a new wave of the Resume spam campaign starting at noon today. The e-mails carry a zip archive attachment containing a malicious executable. This is different from the FakeAV HTML campaign that we reported last week.

The Resume spam campaign uses e-mails that pretend to carry a CV document as an attachment. This theme was last used by the Bredolab authors back in July 2010. The SonicWALL UTM Research team has received more than 20,000 copies of e-mails from this campaign so far, and it is still ongoing.

Some of the E-mail subjects we have seen in this campaign so far:

  • The resume document is attached.
  • I have attached the resume.
  • Please find attached.
  • Enclosed please find.
  • Here’s that file that you wanted.
  • Enclosed is my CV for your consideration. Thanks

Sample e-mail messages look like this:

screenshot

The zip archive attachment contains a malicious executable, cv.exe, which is a new variant of the FakeAV Downloader Trojan. Upon execution, it downloads and installs the FakeAV malware [Antivirus Safebrowser] on the victim machine, which then demands payment.

screenshot

It attempts to connect to multiple malicious domains to download malware executables and related configuration files:

  • (REMOVED)lups.com/a/ad
  • (REMOVED)hamed.org/any3/5-direct.ex
  • (REMOVED)ndconvince.org/avt/avt_db
  • (REMOVED)ort.com/customers/getbuild.php

The following files are dropped onto the victim machine:

  • (User Favorites)\_favdata.dat
  • (User Temp)\asd94.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\asd95.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\asd96.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\asd97.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
  • (User Temp)\eapp32hst.dll [Detected as GAV: ZPACK.GEN_187 (Trojan)]
  • (User Temp)\wscsvc32.exe [Detected as GAV: Conficker.gen (Worm)]
  • (Program Files)\AnVi\avt.db
  • (Program Files)\AnVi\avt.exe [Detected as GAV: Kryptik.AT_7 (Trojan)]
  • (User Temp)\dfrgsnapnt.exe [Detected as GAV: FraudLoad.XFUP (Trojan)]

If the user attempts to open any other legitimate executable, the FakeAV malware blocks the application launch and displays a fake infection message, as seen below for the Calculator program:

screenshot

As seen before in other FakeAV malware analysis, it subsequently starts scanning the system files and displays more fake infections prompting the user to purchase the application in order to clean up the infections.

screenshot

SonicWALL Gateway AntiVirus provides protection against this FakeAV Downloader Trojan by GAV: Kryptik.AJD (Trojan) signature.

screenshot

IBM Lotus Domino iCalendar Stack BO (Sept 24, 2010)

Lotus Domino is an IBM server product that provides enterprise e-mail and collaboration capabilities. The server can be used as an application server for Lotus Notes applications as well as a web server. One of the components contained in Domino is the calendar. With the calendar, a user can book and share appointments with other users. Domino supports the iCalendar technology which enables scheduling. iCalendar defines a file format which allows Internet users to send meeting requests and tasks to other users. These requests may be sent via email, or be shared as files with the .ics extension. Recipients of the iCalendar data file can respond to the sender easily or propose another meeting date and time.

The iCalendar specification is defined by RFC 5545. It is based on the earlier vCalendar specification by the Internet Mail Consortium (IMC). iCalendar data files are plain text files with either an .ics or .ifb extension. The top-level element in iCalendar is the Calendaring and Scheduling Core Object, a collection of calendar and scheduling information. This information will typically consist of a single iCalendar object. However, multiple iCalendar objects can be grouped together as well. The first and last lines in the file must be “BEGIN:VCALENDAR” and “END:VCALENDAR” respectively. The body of the calendar is contained between these lines. An example of an iCalendar object follows:

BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:test@test.com
ORGANIZER;CN=test:MAILTO:test@test.com
DTSTART:20100922T171111Z
DTEND:20100923T041111Z
SUMMARY:test
END:VEVENT
END:VCALENDAR

A stack buffer overflow vulnerability exists in the IBM Lotus Domino server. The vulnerability is due to a boundary error in the nrouter service while handling crafted calendar event messages. The vulnerable code reserves a fixed-size stack buffer for the value of one of the headers of an event message, but copies the value into it with strcpy, without checking its length. An overly long value in the affected header therefore overflows the buffer, overwriting saved return addresses and other critical data on the stack.
A remote attacker can exploit this vulnerability by sending a crafted e-mail message to the target SMTP server. Successful exploitation may allow arbitrary code injection and execution with the privileges of the nrouter process. An attempt that does not achieve code execution terminates the service, causing a denial-of-service condition.
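Added example (not IBM’s code and not the signature’s logic): a small iCalendar content-line parser that unfolds RFC 5545 continuation lines, validates BEGIN/END nesting, and reports any property whose value or parameter is long enough to overrun a fixed stack buffer. The advisory does not name the affected header, so the check is applied to every property; the 1024-byte threshold is an assumption. The sample calendar is the object shown above.

```python
from typing import Dict, List, Tuple

MAX_VALUE_LEN = 1024  # assumption: the advisory gives no buffer size

# Constructed sample: the iCalendar object shown above, CRLF-terminated per RFC 5545.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT", "UID:test@test.com",
    "ORGANIZER;CN=test:MAILTO:test@test.com", "DTSTART:20100922T171111Z",
    "DTEND:20100923T041111Z", "SUMMARY:test", "END:VEVENT", "END:VCALENDAR", ""])

Property = Tuple[str, Dict[str, str], str]   # (name, parameters, value)


def unfold(text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with SPACE or HTAB continues the previous one."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw == "":
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ical(text: str) -> List[Property]:
    """Split content lines into (name, params, value) and check component nesting.
    Parameter values are not unquoted, so a quoted value containing ':' is not handled."""
    props: List[Property] = []
    stack: List[str] = []
    for line in unfold(text):
        head, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed content line: %r" % line)
        name, *plist = head.split(";")
        name = name.upper()
        params: Dict[str, str] = {}
        for p in plist:
            k, _, v = p.partition("=")
            params[k.upper()] = v
        if name == "BEGIN":
            stack.append(value.upper())
        elif name == "END":
            if not stack or stack.pop() != value.upper():
                raise ValueError("unbalanced END:%s" % value)
        props.append((name, params, value))
    if stack:
        raise ValueError("unterminated component(s): %s" % ", ".join(stack))
    first = (props[0][0], props[0][2].upper()) if props else None
    last = (props[-1][0], props[-1][2].upper()) if props else None
    if first != ("BEGIN", "VCALENDAR") or last != ("END", "VCALENDAR"):
        raise ValueError("object must start with BEGIN:VCALENDAR and end with END:VCALENDAR")
    return props


def overlong_properties(text: str, limit: int = MAX_VALUE_LEN) -> List[str]:
    """Names of properties whose value or any parameter exceeds limit: candidate overflow payloads."""
    return [name for name, params, value in parse_ical(text)
            if len(value) > limit or any(len(v) > limit for v in params.values())]


if __name__ == "__main__":
    print(overlong_properties(SAMPLE))                                                 # []
    print(overlong_properties(SAMPLE.replace("SUMMARY:test", "SUMMARY:" + "A" * 5000)))  # ['SUMMARY']
```

Unfolding before measuring matters: a sender can split a 5,000-byte value over many 75-character folded lines, so a check that looks at raw line lengths would miss exactly the payload that overruns the buffer once the receiver reassembles it.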

SonicWALL has released an IPS signature to address this issue. The following signature has been released:

  • 5767 – IBM Lotus Domino iCalendar Stack Buffer Overflow Attempt

In addition to the new signature, SonicWALL has numerous existing signatures that detect and block popular shellcode, which is often used in exploitation attempts against this type of vulnerability. The vendor has released a security bulletin regarding the issue and available patches.

    New FakeAV HTML Spam (Sept 16, 2010)

    The SonicWALL UTM Research team observed a high-volume FakeAV e-mail spam campaign over the last two days. The e-mails arrive with a malicious HTML attachment and use several themes to lure users into opening it. The HTML attachment eventually redirects the user to a FakeAV drive-by download web page.

    The SonicWALL UTM Research team has received more than 200,000 copies of e-mails from this campaign so far, and it is still ongoing.

    The following are the email samples used in this campaign:

    Sample #1
    Subject: Employment letter for visa application
    Attachment: jun wang letter.html
    Email Body:
    ————————
    Hi:

    Attached please find the employment letter for Jun Wang’s H-1B visa application in Canada.
    Please print it out with your company letterhead and sign. Please mail the original along
    with the original H-1B approval notice to Jun Wang at your earliest convenience

    Thank you
    ————————

    The e-mail message looks like below:

      screenshot

    Sample #2
    Subject: find a copy of the letter
    Attachment: copy of the letter.html
    Email Body:
    ————————
    Hello

    Attached please find a copy of the letter. Eva should we send the original I-797 to Jun?
    Jun, please confirm receipt of the I-94 from Eva.

    Thank you
    ————————

    The e-mail message looks like below:

      screenshot

    Sample #3
    Subject: Invoice for Floor Replacement
    Attachment: Invoice-Stocketon.html
    Email Body:
    ————————
    Hi,
    Please see attached invoice for stockton floor project. Thanks!
    ————————

    The e-mail message looks like below:

      screenshot

    Malware Installation:

    This FakeAV spam wave uses an HTML file attachment that redirects users to a FakeAV download page, instead of the Trojan downloader executable seen in earlier waves and covered in a previous SonicAlert.

    Once the user opens the HTML attachment, it redirects the browser to hxxp://dark-[removed]in.com/x.html, which displays the following message:

      screenshot

    Soon after, the user sees a fake virus infection alert prompting them to download a “Microsoft Security Assessment Tool” to fix the problem.

      screenshot

    Regardless of how the user responds to the alert window, the page shows the fake AV scan seen below:

      screenshot

    After the scan finishes, it shows the message below, urging the user to remove the detected viruses. At this point the user’s computer is not actually infected; the page only makes the user believe so, so that they will go on to download and install the FakeAV.

      screenshot

    If the user clicks the Remove All button, the page prompts them to download the FakeAV installer.

      screenshot

    SonicWALL Gateway AntiVirus provides protection against these spammed FakeAV variants via the following signatures:

    • GAV: VBS.Drost1 (Trojan) – 14 million hits in the last 48 hours
    • GAV: Suspicious#fakeav_14 (Trojan) – 1,416 hits

      screenshot

      screenshot

    Microsoft Security Bulletins Coverage (Sep 15, 2010)

    SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of September, 2010. A list of issues reported, along with SonicWALL coverage information follows:

    MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution

    • CVE-2010-2729 – Print Spooler Service Impersonation Vulnerability
      IPS 5686 MS Print Spooler Service Executable File Reception
      IPS 5691 MS Print Spooler Service Remote Code Execution PoC (MS10-061)

    MS10-062 Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution

    • CVE-2010-0818 – MPEG-4 Codec Vulnerability
      IPS 5694 MS MPEG-4 Codec Remote Code Execution PoC (MS10-062)

    MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution

    • CVE-2010-2738 – Uniscribe Font Parsing Engine Memory Corruption Vulnerability
      Note: There are no known public exploits targeting this vulnerability.

    MS10-064 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution

    • CVE-2010-2728 – Heap Based Buffer Overflow in Outlook Vulnerability
      SPY 1814 Malicious RTF File Download

    MS10-065 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution

    • CVE-2010-1899 – IIS Repeated Parameter Request Denial of Service Vulnerability
      Note: There is no way to differentiate malformed and legitimate traffic.
    • CVE-2010-2730 – Request Header Buffer Overflow Vulnerability
      IPS 5689 Excessive HTTP Request Headers Attempt
    • CVE-2010-2731 – Directory Authentication Bypass Vulnerability
      IPS 5687 MS IIS Directory Authentication Bypass Attempt

    MS10-066 Vulnerability in Remote Procedure Call Could Allow Remote Code Execution

    • CVE-2010-2567 – RPC Memory Corruption Vulnerability
      Note: There is no way to differentiate malformed and legitimate traffic.

    MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution

    • CVE-2010-2563 – WordPad Word 97 Text Converter Memory Corruption Vulnerability
      Note: There are no known public exploits targeting this vulnerability.

    MS10-068 Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege

    • CVE-2010-0820 – LSASS Heap Overflow Vulnerability
      Note: There are no known public exploits targeting this vulnerability.

    MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege

    • CVE-2010-1891 – CSRSS Local Elevation of Privilege Vulnerability
      Note: Local elevation of privilege

    New mass-mailing worm seen in the wild (Sep 10, 2010)

    The SonicWALL UTM Research team observed a new variant of the Autorun worm spreading in the wild. The worm spreads through e-mail, removable storage and network shares. The e-mail campaigns contain a link that points to the Autorun worm. The e-mails look like this:

    Link to PDF file [Mass-mailing worm]

    Subject: Here you have

    Email Body:
    ————————

    Hello:

    This is The Document I told you about,you can find it Here.http://www.{removed}/library/PDF_Document21.025542010.pdf

    Please check it and reply as soon as possible.

    Cheers,
    ————————

    Link to WMV file [Adult Spam]

    Subject: Just for you

    Email Body:
    ————————

    Hello:

    This is The Free Dowload Sex Movies,you can find it Here.

    http://www.{removed}/library/SEX21.025542010.wmv

    Enjoy Your Time.

    Cheers,
    ————————

    Sample e-mail messages look like this:

    screenshot

    screenshot

    If the user downloads and opens the file, it performs the following activities on the victim’s machine:

    • Network Activity:
      • It connects to members.multimania.co.uk and downloads multiple files. The malicious account hosting these files was disabled by Lycos UK.

    • File Activity:

      It creates the following files

      • C:\autorun.inf
      • C:\open.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
      • C:\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
      • %windir%\autorun.inf
      • %windir%\autorun2.inf
      • %windir%\csrss.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
      • %windir%\ff.exe – Detected as GAV: Pass.A_2 (Hacktool)
      • %windir%\gc.exe – Detected as GAV: NetPass.FX (Hacktool)
      • %windir%\ie.exe – Detected as GAV: IEPassView.G (Hacktool)
      • %windir%\im.exe – Detected as GAV: Messen.HX (Hacktool)
      • %windir%\op.exe – Detected as GAV: PassView.A (Hacktool)
      • %windir%\pspv.exe – Detected as GAV: PSPassView.A (Hacktool)
      • %windir%\rd.exe – Detected as GAV: IEPassView.G (Hacktool)
      • %windir%\re.exe – Detected as GAV: PSExec.D (Hacktool)
      • %windir%\re.iq
      • %windir%\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
      • %windir%\tryme1.exe
      • %windir%\vb.vbs – Detected as GAV: VBS.TRZ (Trojan)
      • %windir%\system\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
      • %windir%\system\update.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
      • %windir%\system32\SendEmail.dll – Detected as GAV: Sendmail.MOK (Hacktool)

      It replaces the following files

      • %windir%\system32\drivers\etc\hosts

      It deletes the following files

      • All .exe files on the desktop

    • Process Activity:

      It creates the following process in memory

      • %windir%\csrss.exe
    • Registry Activity:
      • It adds HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe C:\WINDOWS\csrss.exe” to ensure infection on reboot
      • It disables the Windows Security Center service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
      • It disables the Windows Automatic Updates service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
      • It creates multiple registry entries that intercept the execution of other processes.
        It adds the value “C:\WINDOWS\csrss.exe” to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{process}\Debugger, so that launching {process} runs the worm instead
    • Propagation:
      • It mass-mails itself using the e-mail campaigns seen above
      • It copies itself onto removable storage media as open.exe and replaces autorun.inf to launch itself
      • screenshot

      • It copies itself onto the following locations using the vb.vbs script it created
        screenshot
    • Harvesting Credentials:
      • It downloads multiple password harvesting tools and harvests user credentials
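The persistence changes listed for the Oficla sample above (a modified Winlogon value, a new service) and for this worm (the Winlogon Shell value, deleted service Start values, Image File Execution Options Debugger entries) are the same few registry locations a responder checks first. The added example below, which is not SonicWALL’s code or the malware’s, audits those locations. It works over a snapshot dictionary of “key\value” to data so that it runs offline; on a live Windows host the snapshot would be filled from winreg.QueryValueEx. Both snapshots, and the taskmgr.exe IFEO entry, are constructed for illustration.

```python
from typing import Dict, List, Optional

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"
# Services the worm disables by deleting their Start value (Security Center, Automatic Updates).
WATCHED_SERVICES = ("wscsvc", "wuauserv")

# "key\value" -> data; None means the value is absent.
Snapshot = Dict[str, Optional[object]]


def audit(snapshot: Snapshot) -> List[str]:
    """Return one finding per suspicious persistence entry; an empty list means clean."""
    findings: List[str] = []

    # A clean Shell value is exactly "explorer.exe". Both samples append a second program
    # ("Explorer.exe C:\WINDOWS\csrss.exe", "Explorer.exe rundll32.exe bfky.ojo bwapp"),
    # so anything else, compared case-insensitively, is reported.
    shell = snapshot.get(WINLOGON + r"\Shell")
    if shell is not None and str(shell).strip().lower() != "explorer.exe":
        findings.append("Winlogon Shell hijacked: %r" % shell)

    # A service whose Start value has been deleted cannot be started by the SCM.
    for svc in WATCHED_SERVICES:
        if snapshot.get(SERVICES + "\\" + svc + r"\Start") is None:
            findings.append("service %s has no Start value (disabled)" % svc)

    # Any IFEO Debugger value makes Windows launch the named program instead of the
    # process. Legitimate uses exist (attaching a real debugger), so each entry is
    # reported for review rather than declared malicious outright.
    prefix = IFEO + "\\"
    for key, data in snapshot.items():
        if key.startswith(prefix) and key.lower().endswith(r"\debugger") and data:
            target = key[len(prefix):].rsplit("\\", 1)[0]
            findings.append("IFEO Debugger for %s -> %r" % (target, data))
    return findings


# Constructed snapshots: a clean host and one carrying the changes described above.
CLEAN: Snapshot = {
    WINLOGON + r"\Shell": "explorer.exe",
    SERVICES + r"\wscsvc\Start": 2,
    SERVICES + r"\wuauserv\Start": 2,
}
INFECTED: Snapshot = {
    WINLOGON + r"\Shell": r"Explorer.exe C:\WINDOWS\csrss.exe",
    SERVICES + r"\wscsvc\Start": None,
    SERVICES + r"\wuauserv\Start": None,
    IFEO + r"\taskmgr.exe\Debugger": r"C:\WINDOWS\csrss.exe",   # process name is illustrative
}

if __name__ == "__main__":
    for line in audit(INFECTED):
        print(line)
```

The Shell check compares against the single expected token rather than searching for known bad paths, which is what makes it catch both the csrss.exe and the rundll32.exe variants above without a per-sample update.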

    SonicWALL Gateway AntiVirus provides protection against this Autorun worm variant with the following signatures
    GAV: AutoRun.ICO (Worm)
    GAV: IEPassView.G (Hacktool)
    GAV: NetPass.FX (Hacktool)
    GAV: PassView.A (Hacktool)
    GAV: Pass.A_2 (Hacktool)
    GAV: Messen.HX (Hacktool)
    GAV: PSPassView.A (Hacktool)
    GAV: PsExec.D (Hacktool)
    GAV: Sendmail.MOK (Hacktool)
    GAV: VBS.TRZ (Trojan)

    screenshot screenshot screenshot screenshot

    MySQL Denial of Service Vulnerabilities (Sep 9, 2010)

    MySQL is an open-source relational database which supports SQL. The database has a number of built-in SQL functions which are designed to help users with the task of querying and updating data. MySQL uses the MySQL protocol to communicate with clients over the network. By default, MySQL server listens for connections on TCP port 3306.

    Two different denial-of-service vulnerabilities exist in the MySQL server. The first is due to an error in handling joins that involve a table with a unique SET column: a query that applies LIKE across such a join makes the server fail. The second is due to errors in the comparisons performed by the IN and CASE functions; specifically, MySQL does not properly handle the case where one of the compared values is NULL. MySQL server versions prior to 5.1.49 are affected.

    A remote attacker can exploit these vulnerabilities by sending crafted queries to the target server. Successful exploitation causes the database server to terminate abnormally, resulting in a denial-of-service condition. The impact is mitigated by the fact that the attacker must first authenticate to the server.
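Added example, not SonicWALL’s signature logic: a parser for MySQL client-to-server packet framing (3-byte little-endian payload length, 1-byte sequence number, payload; COM_QUERY is command byte 0x03 followed by the SQL text) with a heuristic flag for queries that combine LIKE with a JOIN or that place NULL inside IN or CASE, the two shapes the advisory describes. The query samples are constructed to have those shapes and are not the crashing queries themselves; the heuristics will also match some harmless queries and are a starting point for tuning rather than a drop-in signature.

```python
import re
from typing import Iterator, List, Tuple

COM_QUERY = 0x03


def mysql_packets(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (sequence_id, payload) for each packet in a client->server byte stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield seq, payload
        pos += 4 + length


def frame_query(sql: str, seq: int = 0) -> bytes:
    """Frame SQL text as a COM_QUERY packet; used here to construct test traffic."""
    payload = bytes([COM_QUERY]) + sql.encode("utf-8")
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Heuristics (assumptions, see lead-in): LIKE applied across a join, and a NULL operand in IN or CASE.
_LIKE_OVER_JOIN = re.compile(r"\bJOIN\b.*?\bLIKE\b|\bLIKE\b.*?\bJOIN\b", re.I | re.S)
_NULL_IN_IN_OR_CASE = re.compile(r"\b(?:IN\s*\(|CASE\b)[^;]*?\bNULL\b", re.I | re.S)


def suspicious_queries(stream: bytes) -> List[Tuple[int, str, List[str]]]:
    """Return (seq, sql, reasons) for every COM_QUERY whose text matches a DoS heuristic."""
    hits = []
    for seq, payload in mysql_packets(stream):
        if not payload or payload[0] != COM_QUERY:
            continue                                    # handshake, auth, prepared statements, ...
        sql = payload[1:].decode("utf-8", "replace")
        reasons = []
        if _LIKE_OVER_JOIN.search(sql):
            reasons.append("LIKE over a join (unique SET column DoS)")
        if _NULL_IN_IN_OR_CASE.search(sql):
            reasons.append("NULL operand in IN or CASE")
        if reasons:
            hits.append((seq, sql, reasons))
    return hits


# Constructed traffic: one ordinary query and two shaped like the advisory's descriptions.
TRAFFIC = (frame_query("SELECT 1", 0)
           + frame_query("SELECT a.id FROM t1 a JOIN t2 b ON a.flags = b.flags WHERE b.flags LIKE 'x%'", 1)
           + frame_query("SELECT CASE WHEN col IN (NULL, 1) THEN 1 ELSE 0 END FROM t1", 2))

if __name__ == "__main__":
    for seq, sql, reasons in suspicious_queries(TRAFFIC):
        print(seq, reasons, sql)
```

Because the crashes need an authenticated session, the COM_QUERY packets of interest only appear after the handshake and login exchange; the packet splitter simply skips those earlier packets by their command byte.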

    SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting these vulnerabilities. The signatures are listed below:

    • 5572 MySQL Unique SET Column Join DoS 1
    • 5573 MySQL Unique SET Column Join DoS 2
    • 5672 MySQL IN and CASE DoS 1
    • 5673 MySQL IN and CASE DoS 2
    • 5674 MySQL IN and CASE DoS 3

    Apple QuickTime QTPlugin Code Execution (Sept 2, 2010)

    QuickTime is an extensible proprietary multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. It is available for Mac OS classic (System 7 onwards), Mac OS X and Microsoft Windows operating systems.

    QuickTime can be extended with third-party components called QuickTime plugins. QTPlugin.ocx, a web browser plugin installed by default with Apple QuickTime, is one of them. It lets users play many types of movies inside a web browser and is available for both Mac and Windows. Users can configure in QuickTime which MIME types QTPlugin should handle in the browser; the supported types include movie streaming (RTSP and SDP), AVI, FLC, QuickTime Movie, MPEG, MP3, and more.

    This plugin can be instantiated as an ActiveX object using either its ClassID or its ProgID. QTPlugin.ocx is assigned the ClassID 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B and the ProgID QuickTime.QuickTime. Instantiation through the ClassID uses the object tag as follows:

    <object id="ctrl" classid="clsid:{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}"></object>

    whereas the ProgID can be used either in JavaScript or VBScript as in the following, respectively:

    var ctrl = new ActiveXObject("QuickTime.QuickTime");
    Set ctrl = CreateObject("QuickTime.QuickTime")

    The QTPlugin exposes various methods and parameters. One of the parameters supported by the control is _Marshaled_pUnk, whose value represents a marshalled pointer. Marshalling is the process of transforming the in-memory representation of data into a format suitable for storage or transmission; the control unmarshals the parameter value back into an object pointer.

    A code execution vulnerability exists in the Apple QuickTime web browser plugin. Specifically, the vulnerability is a design error in how the value of the _Marshaled_pUnk parameter is handled: the control trusts the attacker-supplied value as a marshalled interface pointer and uses it as such. A remote attacker can exploit this vulnerability, via a crafted web page, to execute arbitrary code in the security context of the logged-in user.
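Added example (not Apple’s or SonicWALL’s code): a content-inspection check in the spirit of the signature listed below. It looks for a page that instantiates QTPlugin by the ClassID or ProgID given above and that also references the _Marshaled_pUnk parameter; a page that merely embeds a movie does not alert. Both sample pages are constructed, and the check is a plain-text heuristic: a page that builds these strings at runtime or encodes the ClassID would evade it.

```python
import html
import re

QT_CLSID = "02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
QT_PROGID = "QuickTime.QuickTime"

# The three instantiation forms shown above: classid="clsid:{...}" on an <object>,
# new ActiveXObject("QuickTime.QuickTime") in JavaScript, CreateObject("QuickTime.QuickTime") in VBScript.
_INSTANTIATE = re.compile(
    r"classid\s*=\s*[\"']?\s*clsid:\{?" + re.escape(QT_CLSID) + r"\}?"
    r"|(?:ActiveXObject|CreateObject)\s*\(\s*[\"']" + re.escape(QT_PROGID) + r"[\"']",
    re.IGNORECASE)
# Any reference to the parameter, whether as <param name="_Marshaled_pUnk"> or a script property write.
_MARSHALED = re.compile(r"_Marshaled_pUnk", re.IGNORECASE)


def scan_html(doc: str) -> dict:
    """Classify a page: does it create QTPlugin, does it touch _Marshaled_pUnk, and should we alert."""
    doc = html.unescape(doc)                     # defeat entity encoding of the ClassID or name
    instantiates = _INSTANTIATE.search(doc) is not None
    marshaled = _MARSHALED.search(doc) is not None
    return {
        "instantiates_qtplugin": instantiates,
        "sets_marshaled_punk": marshaled,
        "alert": instantiates and marshaled,
    }


# Constructed samples. BENIGN embeds a movie; SUSPECT sets the parameter (a real attack would
# supply a crafted marshalled pointer as the value, which is deliberately not reproduced here).
BENIGN = """<object id="ctrl" classid="clsid:{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}">
  <param name="src" value="movie.mov">
</object>"""

SUSPECT = """<object id="ctrl" classid="clsid:{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}">
  <param name="_Marshaled_pUnk" value="0">
</object>"""

if __name__ == "__main__":
    print(scan_html(BENIGN)["alert"], scan_html(SUSPECT)["alert"])   # False True
```

Requiring both conditions is what keeps the false-positive rate down: the parameter name alone also appears in documentation and in this very alert, and QTPlugin instantiation alone is how every legitimate embedded QuickTime movie works.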

    The SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect attack attempts:

    • 5592 Apple QuickTime ActiveX _Marshaled_pUnk Attribute Setting

    The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-1818 by MITRE.
