Exploit for unknown platform in category remote exploits
{"id": "1337DAY-ID-9038", "type": "zdt", "bulletinFamily": "exploit", "title": "Apple Quicktime /w IE .qtl Version XAS Remote Exploit PoC", "description": "Exploit for unknown platform in category remote exploits", "published": "2007-09-18T00:00:00", "modified": "2007-09-18T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/9038", "reporter": "Aviv Raff", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-04T07:06:30", "viewCount": 6, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://0day.today/exploit/9038", "sourceData": "=========================================================\r\nApple Quicktime /w IE .qtl Version XAS Remote Exploit PoC\r\n=========================================================\r\n\r\n\r\n<!--\r\nPerforming XAS (Cross Application Scripting) attacks automatically (read \"no user interaction\") \r\nis very easy, as I showed before in my \"shutting down skype\" proof-of-concept.\r\n\r\nBut, what if you are using a limited web environment, where you can't use iframes or scripts to \r\nautomate your pwning? Several limited web environments (e.g. blogger.com blog system) does not \r\nallow using iframes or script, but they do allow embedding QuickTime movies.\r\n\r\nFew days ago, pdp found that it is possible to use QuickTime .qtl files to execute code from \r\nremote, when the default browser is Firefox. This is a variant of the good old MOAB #3 and \r\npdp's own MP3 backdooring exploit. It uses a simple \"-chrome\" command-line switch injection.\r\n\r\nAs this is a Firefox only exploit, I looked for ways to do the same in Internet Explorer. \r\nI found that it is also possible to perform all other noted XAS attacks using QuickTime.\r\n\r\nSo now, if you are in a limited web environment, you can just embed a .qtl file and conduct \r\nan automated XAS attack against the visitor of the web page.\r\n\r\nThe following is the QuickTime .qtl version of the \"shutting down skype\" PoC:\r\n-->\r\n \r\n<?xml version=\"1.0\">\r\n<?quicktime type=\"application/x-quicktime-media-link\"?>\r\n<embed src=\"nothing.mp3\" autoplay=\"true\" qtnext=\"skype:\" /shutdown\"/>\r\n\r\n\r\n\n# 0day.today [2018-01-04] #", "_state": {"dependencies": 1645280011, "score": 1659766679, "epss": 1678812679}}
Apple Quicktime /w IE .qtl Version XAS Remote Exploit PoC