/*## (c) SECURITY EXPLORATIONS 2012 poland #*/
/*## http://www.security-explorations.com #*/
/* Apple QuickTime Java extensions */
/* quicktime.util.QTByteObject initialization security checks bypass */
In order to test the POC code for the reported Issue 22, manually add
Vuln22Setup.class and Vuln22Setup$1.class to the original QTJava.zip
file referenced by your CLASSPATH environment variable. This file is usually
located in the lib\ext directory of your JRE base directory:
Microsoft Windows [Wersja 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Wszelkie prawa zastrzezone.
c:\>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Internet\AppData\Roaming
CLASSPATH=.;C:\_SOFTWARE\jre6\lib\ext\QTJava.zip
COMMANDER_DRIVE=C:
...
Both the Vuln22Setup and Vuln22Setup$1 classes mimic Oracle's Issue 15,
which is undisclosed and not yet patched.
A successful exploit run should lead to the execution of notepad.exe and
the creation of the c:\se.txt file. Additionally, Java console output
similar to the following should be observed:
Java Plug-in 1.6.0_33
Using JRE version 1.6.0_33-b03 Java HotSpot(TM) Client VM
User home directory = C:\Users\Internet
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f
QTSession.hasSecurityRestrictions() = true
Created: MyQTByteObject
using off 0x24d00000 for Windows 7 (x86)
found Marker instance at 0x251e0008
Security manager = null
===
PoC
===
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.zip
========
Advisory
========
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.pdf