Apple QuickTime – QuickTime.util.QTByteObject Initialization Security Checks Bypass

  • Author: Security Explorations
    Date: 2012-06-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/19401/
    (c) SECURITY EXPLORATIONS 2012 poland
    http://www.security-explorations.com
    
    Apple QuickTime Java extensions
    quicktime.util.QTByteObject initialization security checks bypass
    
    To test the PoC code for the reported Issue 22, manually add
    Vuln22Setup.class and Vuln22Setup$1.class to the original QTJava.zip
    file referenced from your CLASSPATH environment variable. This file is
    usually located in the lib\ext directory of your JRE base directory:
    
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.
    
    c:\>set
    ALLUSERSPROFILE=C:\ProgramData
    APPDATA=C:\Users\Internet\AppData\Roaming
    CLASSPATH=.;C:\_SOFTWARE\jre6\lib\ext\QTJava.zip
    COMMANDER_DRIVE=C:
    ...
    
    Both the Vuln22Setup and Vuln22Setup$1 classes mimic Oracle's Issue 15,
    which is undisclosed and not yet patched.
    
    A successful exploit run should lead to the execution of notepad.exe and
    the creation of the file c:\se.txt. Additionally, Java console output
    similar to the one shown below should be observed:
    
    Java Plug-in 1.6.0_33
    Using JRE version 1.6.0_33-b03 Java HotSpot(TM) Client VM
    User home directory = C:\Users\Internet
    
    ----------------------------------------------------
    c: clear console window
    f: finalize objects on finalization queue
    g: garbage collect
    h: display this help message
    l: dump classloader list
    m: print memory usage
    o: trigger logging
    q: hide console
    r: reload policy configuration
    s: dump system and deployment properties
    t: dump thread list
    v: dump thread stack
    x: clear classloader cache
    0-5: set trace level to <n>
    ----------------------------------------------------
    
    Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f
    QTSession.hasSecurityRestrictions() = true
    Created: MyQTByteObject
    using off 0x24d00000 for Windows 7 (x86)
    found Marker instance at 0x251e0008
    Security manager = null
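    As an added check, not part of the original PoC or of Security
    Explorations' code: a small Python script that scans a Java console
    dump for the indicators listed above and reports whether the run
    carries the expected signature (a security manager present at the
    start, QTSession.hasSecurityRestrictions() reporting true, a Marker
    instance located, and the security manager reading null at the end).
    The sample text embedded in it is copied from the transcript above;
    the function and variable names are my own and are not from the PoC.

```python
import re

# Constructed sample: the relevant lines copied from the console transcript above.
SAMPLE_CONSOLE = """\
Java Plug-in 1.6.0_33
Using JRE version 1.6.0_33-b03 Java HotSpot(TM) Client VM
User home directory = C:\\Users\\Internet
Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f
QTSession.hasSecurityRestrictions() = true
Created: MyQTByteObject
using off 0x24d00000 for Windows 7 (x86)
found Marker instance at 0x251e0008
Security manager = null
"""

# Constructed negative sample: a run where the security manager survives.
SAMPLE_FAILED = """\
Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f
QTSession.hasSecurityRestrictions() = true
Created: MyQTByteObject
Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f
"""

SECMGR_RE = re.compile(r"^Security manager = (.+)$")
RESTRICT_RE = re.compile(r"^QTSession\.hasSecurityRestrictions\(\) = (true|false)$")
MARKER_RE = re.compile(r"^found Marker instance at (0x[0-9a-fA-F]+)$")


def parse_console(text):
    """Collect the indicator lines from a Java console dump.

    Returns a dict with every 'Security manager = ...' value in order of
    appearance, the hasSecurityRestrictions() value (True/False/None) and
    the Marker instance address (string or None).
    """
    result = {"security_managers": [], "has_restrictions": None, "marker_addr": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECMGR_RE.match(line)
        if m:
            result["security_managers"].append(m.group(1))
            continue
        m = RESTRICT_RE.match(line)
        if m:
            result["has_restrictions"] = (m.group(1) == "true")
            continue
        m = MARKER_RE.match(line)
        if m:
            result["marker_addr"] = m.group(1)
    return result


def exploit_succeeded(parsed):
    """True only when the dump shows the full expected signature:
    a non-null security manager first, restrictions enabled, a Marker
    instance found, and the last security-manager reading being null."""
    sms = parsed["security_managers"]
    return (
        len(sms) >= 2
        and sms[0] != "null"
        and sms[-1] == "null"
        and parsed["has_restrictions"] is True
        and parsed["marker_addr"] is not None
    )


if __name__ == "__main__":
    for name, sample in (("sample run", SAMPLE_CONSOLE), ("failed run", SAMPLE_FAILED)):
        parsed = parse_console(sample)
        print(name, "->", "bypass signature present" if exploit_succeeded(parsed) else "no bypass")
```

    The check deliberately requires the security manager to be non-null
    before the Marker line and null after it, so a console that merely
    prints "Security manager = null" (for example, an applet already
    running without a security manager) is not counted as a successful run.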
    
    ===
    PoC
    ===
    
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.zip
    
    ========
    Advisory
    ========
    
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.pdf