[Image: Pompei Party]

GNUCITIZEN’s Petko D. Petkov (AKA pdp) just posted an interesting 0DAY disclosure about a Quicktime bug allowing JavaScript chrome privilege escalation on Gecko-based browsers, in other words a full-fledged remote arbitrary code execution vulnerability.

If you run one of his demos on Microsoft Windows, you’ll see pretty things happening, like calc.exe being launched behind your back.
Both Petko and I said this vulnerability is theoretically cross-platform, but as many reported it couldn’t actually be reproduced on Mac OS X.
That doesn’t come as a real surprise, though, since this is just another cross-application URI dispatching bug, and the Apple OS has already been shown to handle this class of issue in a much saner way than its counterpart from Redmond.
At any rate, on Windows at least, this can be exploited to do anything the currently logged-in user can.
Scary, right?

However, thanks to Billy Rios, Thor Larholm and other “URI handler gangsters”, NoScript users have been protected from this and similar possible exploits since 22-Jun-2007.

Even if gnucitizen.org is in your whitelist, nothing bad will happen, thanks to the specific top-level chrome protection implemented almost 3 months ago.
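To make the “top-level chrome protection” idea concrete, here is an added example, written for this page and not taken from NoScript’s own code, of a navigation filter that refuses to load privileged URI schemes as a top-level document. The policy (chrome: and javascript: refused), the function names and the sample URIs are assumptions for illustration; the point it demonstrates is that the decision has to be made on the parsed scheme, after the same normalisation the browser applies, and not on a naive string prefix.

```javascript
// Added example, not NoScript's implementation: a top-level load filter
// modelled on the "top-level chrome protection" described in the post.
// Policy, names and sample inputs are assumptions for illustration.

// Schemes that web content must never be allowed to load as a top-level
// document. The post names chrome:; javascript: is listed too because the
// disclosed bug evaluated script with chrome privileges (assumed policy).
const PRIVILEGED_SCHEMES = new Set(["chrome", "javascript"]);

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.\-]*):/;

// Normalise the way browsers do before parsing: drop ASCII tab/CR/LF anywhere
// (the WHATWG URL parser strips them), then leading/trailing C0 controls and
// spaces. Without this, "java\tscript:" would slip past a naive prefix check.
function normalizeInput(uri) {
  return String(uri)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Return the lowercase scheme, or null when the reference is relative.
function extractScheme(uri) {
  const m = SCHEME_RE.exec(normalizeInput(uri));
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a top-level load may proceed. A relative reference inherits
// the scheme of the document it is resolved against (baseScheme), so a
// relative link inside a chrome: document is still a chrome: load.
function checkTopLevelLoad(uri, baseScheme = "http") {
  const own = extractScheme(uri);
  const effective = own === null ? baseScheme.toLowerCase() : own;
  const blocked = PRIVILEGED_SCHEMES.has(effective);
  return {
    scheme: effective,
    relative: own === null,
    allowed: !blocked,
    reason: blocked
      ? `top-level ${effective}: load refused`
      : `${effective}: is an ordinary content scheme`,
  };
}

// Constructed sample inputs (not taken from the disclosed proof of concept).
const SAMPLES = [
  "chrome://browser/content/browser.xul",
  "javascript:alert(document.location)",
  "  JavaScript:alert(1)",
  "java\tscript:alert(1)",
  // What the Mac tester in the comments saw: the whole string was handled as
  // an http URL whose userinfo reads "chrome javascript"; it has no privilege.
  "http://chrome%20javascript@mozilla.org/",
  "https://example.org/page",
  "/relative/path",
];

// Run every sample through the filter and return [uri, decision] pairs.
function runSamples() {
  return SAMPLES.map((u) => [u, checkTopLevelLoad(u)]);
}

for (const [u, r] of runSamples()) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${JSON.stringify(u)}  (${r.reason})`);
}
```

The http URL with `chrome%20javascript` as userinfo is the interesting case: a prefix check for the substring “chrome” would wrongly reject it, while the scheme-based check correctly treats it as an ordinary, unprivileged http load, which is exactly the harmless outcome reported on Mac OS X.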

Hmm… alert(Math.round((new Date(2007, 5, 22) - new Date(2007, 8, 12)) / 3600 / 24 / 1000)) ==> -82 ;)

11 Responses to “-82DAY: NoScript pwns Quicktime pwning Firefox”

  1. #1 hmm says:

    that’s interesting.

    have you ever thought about just overhauling the javascript engine in firefox to only exec the known good instead of the known bad? that is sort of the direction you’re heading with noscript, but it seems to be less manageable than, say, limiting the function calls implemented in the ff javascript stack to a discrete few. thoughts?

  2. #2 securology says:

    Another separation of code and data issue …

    Again. Just another example of why it is important to separate executable code from data objects …

  3. #3 bugstomper says:

    The proof of concept doesn’t work on my Firefox 2.0.0.6 under MacOS 10.4.9, and I don’t have NoScript installed. When I try his POC, I first get an alert telling me that I’m trying to authenticate as username chrome%20javascript on site mozilla.org that does not require authentication, it may be an attempt to trick me, and asking if mozilla.org is the site I want to visit. Even if I click Yes, the resulting URL is not a chrome one, but is http://mozilla.org/…. followed by what looks like the attempted exploit code. Instead of running the exploit, that simply results in a 404 not found error from mozilla.org.

    pdp says on his site that the vulnerability is cross-platform, and I see everyone quoting him on that, but he also said he doesn’t have a Mac and hasn’t tried it on one.

  4. #4 Giorgio says:

    @hmm:
    You wrote:

    ever thought about just overhauling the javascript engine in firefox to only exec the known good instead of the known bad?
    […]limiting the function calls implemented in the ff javascript stack to a discrete few[…]

    Can you show me what’s “known good” and what’s “known bad” with JavaScript?
    It’s a Turing-complete, dynamic language, and the browser DOM allows it to do the same thing in a million ways, so good luck with that.
    Just to stay with the DOM API, I’d just not know where to start: XMLHttpRequest? document.cookie? window.location? Image? node.innerHTML? document.createNode?
    Any suggestion is welcome…

    @bugstomper:
    you’re right, it doesn’t work on Mac OS X and the reason is quite clear. I’m updating my post to reflect this.

  5. #5 Quicktime bug dangerous for Firefox users « says:

    […] users can protect themselves against this exploit by using the NoScript extension. According to this post at hackademix.net, the addon will prevent Petkov’s exploit from working even if a user has […]

  6. #6 ·¨-=[WHK]=-¨· » Archive » Zero day in Apple QuickTime allows remote code execution ( says:

    […] hackademix.net » -82DAY: NoScript pwns Quicktime pwning Firefox […]

  7. #7 hackademix.net » Don't Open That Doc! says:

    […] seen MP3 tunes pwning Firefox (and NoScript promptly counter-pwning), Windows playlists pwning browser security, and finally PDF documents pwning Windows PCs. This […]

  8. #8 hackademix.net » Java, Quicktime and Other Good News says:

    […] “Quicktime pwns default browsers” bug, after being worked around by Mozilla with the release of Firefox 2.0.0.7, has been […]

  9. #9 hackademix.net » Old NoScript Tricks Blocking New Vulnerabilities says:

    […] It happened in the past and it’s happening again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users are protected since August 2007. […]

  10. #10 Old NoScript Tricks Blocking New Vulnerabilities | CorrectServer.com - Servers and Server Software says:

    […] It happened in the past and it’s happening again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users have been protected since August 2007. […]

  11. #11 Eve says:

    Funnily enough (nothing to do with the post that is scary enough) that pic is on display at the Amsterdam “Torture Museum”. Visited it last month!

    Small world…
