CVE-2010-1818 - Access of Uninitialized Pointer vulnerability in Apple Quicktime
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshalling of an untrusted pointer.
Exploit-Db
description | Apple QuickTime "_Marshaled_pUnk" Backdoor Param Client-Side Arbitrary Code Execution. CVE-2010-1818. Dos exploit for windows platform |
id | EDB-ID:14843 |
last seen | 2016-02-01 |
modified | 2010-08-30 |
published | 2010-08-30 |
reporter | Ruben Santamarta |
source | https://www.exploit-db.com/download/14843/ |
title | Apple QuickTime "_Marshaled_pUnk" Backdoor Param Client-Side Arbitrary Code Execution |

description | Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution. CVE-2010-1818. Local exploit for windows platform |
id | EDB-ID:16589 |
last seen | 2016-02-02 |
modified | 2011-01-08 |
published | 2011-01-08 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16589/ |
title | Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution |
Metasploit
description | This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime. |
id | MSF:EXPLOIT/WINDOWS/BROWSER/APPLE_QUICKTIME_MARSHALED_PUNK |
last seen | 2020-05-26 |
modified | 2017-07-24 |
published | 2010-08-30 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb |
title | Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution |
Nessus
NASL family | Windows |
NASL id | QUICKTIME_768.NASL |
description | The version of QuickTime installed on the remote Windows host is older than 7.6.8. Such versions are reportedly affected by two vulnerabilities : - An input validation issue in the QTPlugin.ocx ActiveX control could allow an attacker to force the application to jump to a location in memory controlled by the attacker through the optional |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 49260 |
published | 2010-09-16 |
reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/49260 |
title | QuickTime < 7.6.8 Multiple Vulnerabilities (Windows) |
Oval
accepted | 2013-07-29T04:01:57.739-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshaling of an untrusted pointer. |
family | windows |
id | oval:org.mitre.oval:def:7523 |
status | accepted |
submitted | 2010-09-16T17:30:00.000-05:00 |
title | Apple Quicktime QTPlugin.ocx ActiveX IPersistPropertyBag2::Read Function _Marshaled_pUnk Memory Corruption |
version | 11 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/93312/apple_quicktime_marshaled_punk.rb.txt |
id | PACKETSTORM:93312 |
last seen | 2016-12-05 |
published | 2010-08-30 |
reporter | Ruben Santamarta |
source | https://packetstormsecurity.com/files/93312/Apple-QuickTime-7.6.7-_Marshaled_pUnk-Code-Execution.html |
title | Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution |
Saint
bid | 42841 |
description | Apple QuickTime QTPlugin.ocx _Marshaled_pUnk Code Execution |
id | misc_quicktime |
osvdb | 67705 |
title | quicktime_qtpluginocx_marshaled_punk |
type | client |
References
- http://lists.apple.com/archives/security-announce/2010/Sep/msg00003.html
- http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1
- http://support.apple.com/kb/ht4339
- http://threatpost.com/en_us/blogs/new-remote-flaw-apple-quicktime-bypasses-aslr-and-dep-083010
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7523
- https://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb