Three new exploits posted in the Web takes advantage of a vulnerability in QuickTime Player v7.3 in the way it handles response from a video/audio streaming server via Real Time Streaming Protocol (RTSP). RTSP controls the delivery of audio and video data with real-time properties.
The exploits were designed to send a malformed RTSP response header that results to remote code execution on computers that uses QuickTime Player.
Sample of a normal RTSP response:
Sample of a malformed RTSP response:
Notice the Content-Type Field with has malformed type. Examples of valid values for this field are ‘Application’, ‘Text’, ‘Audio’, ‘Image’.
The following are the scenarios of how a machine can be attacked:
The attacker executes the exploit on his/her own computer, listening on port 554 (port 554 – default port for RTSP protocol). The attacker’s machine then tries to wait for RTSP request from its victim.
The attacker creates a Web site with the malicious RTSP link embedded (redirected to the exploit) or pops a message with the exact media link location of the exploit to the victim’s Messenger.
The victim is then enticed to visit the malicious link or view the media opens the link using QuickTime Player.
The exploit listening on port 554 is triggered to send a response with a malformed RTSP header.
Voila! The shell code is executed on the victim’s machine.
Another attack vector that can be used is through visiting a Web site that has embedded script/objects that directs RTSP connections to a malicious remote server.
As of this writing, there is still no patch that addresses this vulnerability. To prevent these kinds of attacks, visiting sites and/or opening links from unknown sources should be avoided. It is also better if connections through port 554 are blocked until a patch for this vulnerability becomes available.