=======================================================================================================================
 Apple QuickTime Player version 7.64.17.73 <= Insecure DLL Hijacking
Vulnerability (cfnetwork.dll, corefoundation.dll)
=======================================================================================================================


1. OVERVIEW

The Apple QuickTime Player application is vulnerable to Insecure DLL
Hijacking Vulnerability. Similar terms that describe this
vulnerability have been come up with Remote Binary Planting, and
Insecure DLL Loading/Injection/Hijacking/Preloading.


2. PRODUCT DESCRIPTION

A powerful multimedia technology with a built-in media player,
QuickTime lets you view Internet video, HD movie trailers, and
personal media in a wide range of file formats. And it lets you enjoy
them in remarkably high
quality.(http://www.apple.com/quicktime/what-is/)


3. VULNERABILITY DESCRIPTION

The Picture Viewer of the Apple QuickTime Player application passes an
insufficiently qualified path in loading its external library -
"cfnetwork.dll, corefoundation.dll"
when a user opens its associated file with extensions -  mac, pic, pntg, qtif.


4. VERSIONS AFFECTED

7.64.17.73 and probably lower version of 7.x


5. PROOF-OF-CONCEPT/EXPLOIT

http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/quicktime/poc/quicktime_7.64.17.73-dll-hijacking.zip

Tested Platform: Windows XP Service Pack 3 (Fresh Windows)


6. IMPACT

Attackers can trigger a successful exploit against a victim user in a
number of ways such as placing a malicious external
library file made as hidden attribute and a seemingly interesting file
in network shares, usb drives, file sharing networks,
social networks, ..etc  


7. SOLUTION

Upgrade to the latest version.
Software Vendors who bundle this version of QuickTime in their
software packages should update it.


8. VENDOR

Apple Inc
http://www.apple.com/quicktime/


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

N/A: vulnerability discovered
N/A: notified vendor
09-12-2010: vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[quicktime]_7.64.17.73_insecure_dll_hijacking
Workaround Solution: http://support.microsoft.com/kb/2264107
Workaround Solution:
https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF
Developer Solution:
http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx
Unofficial DLL Hijacking List:
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
Testing for DLL Hijacking:
http://core.yehg.net/lab/pr0js/view.php/when_testing_for_dll_hijacking.txt

#yehg [09-12-2010]