CVE-2010-1818 - Access of Uninitialized Pointer vulnerability in Apple Quicktime

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, apple, CWE-824, critical, nessus, exploit available, metasploit

Summary

The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshalling of an untrusted pointer.

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: Apple QuickTime "_Marshaled_pUnk" Backdoor Param Client-Side Arbitrary Code Execution. CVE-2010-1818. Dos exploit for windows platform
    id: EDB-ID:14843
    last seen: 2016-02-01
    modified: 2010-08-30
    published: 2010-08-30
    reporter: Ruben Santamarta
    source: https://www.exploit-db.com/download/14843/
    title: Apple QuickTime "_Marshaled_pUnk" Backdoor Param Client-Side Arbitrary Code Execution
  • description: Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution. CVE-2010-1818. Local exploit for windows platform
    id: EDB-ID:16589
    last seen: 2016-02-02
    modified: 2011-01-08
    published: 2011-01-08
    reporter: metasploit
    source: https://www.exploit-db.com/download/16589/
    title: Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

Metasploit

description: This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.
id: MSF:EXPLOIT/WINDOWS/BROWSER/APPLE_QUICKTIME_MARSHALED_PUNK
last seen: 2020-05-26
modified: 2017-07-24
published: 2010-08-30
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb
title: Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

Nessus

NASL family: Windows
NASL id: QUICKTIME_768.NASL
description: The version of QuickTime installed on the remote Windows host is older than 7.6.8. Such versions are reportedly affected by two vulnerabilities : - An input validation issue in the QTPlugin.ocx ActiveX control could allow an attacker to force the application to jump to a location in memory controlled by the attacker through the optional
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 49260
published: 2010-09-16
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/49260
title: QuickTime < 7.6.8 Multiple Vulnerabilities (Windows)

Oval

accepted: 2013-07-29T04:01:57.739-04:00
class: vulnerability
contributors:
  • name: J. Daniel Brown
    organization: DTCC
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Maria Kedovskaya
    organization: ALTX-SOFT
definition_extensions:
  • comment: Apple QuickTime is installed
    oval: oval:org.mitre.oval:def:12443
description: The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshaling of an untrusted pointer.
family: windows
id: oval:org.mitre.oval:def:7523
status: accepted
submitted: 2010-09-16T17:30:00.000-05:00
title: Apple Quicktime QTPlugin.ocx ActiveX IPersistPropertyBag2::Read Function _Marshaled_pUnk Memory Corruption
version: 11

Packetstorm

data source: https://packetstormsecurity.com/files/download/93312/apple_quicktime_marshaled_punk.rb.txt
id: PACKETSTORM:93312
last seen: 2016-12-05
published: 2010-08-30
reporter: Ruben Santamarta
source: https://packetstormsecurity.com/files/93312/Apple-QuickTime-7.6.7-_Marshaled_pUnk-Code-Execution.html
title: Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

Saint

bid: 42841
description: Apple QuickTime QTPlugin.ocx _Marshaled_pUnk Code Execution
id: misc_quicktime
osvdb: 67705
title: quicktime_qtpluginocx_marshaled_punk
type: client