exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Aug 7, 2005
Authored by David Remahl

This advisory concerns an as-yet unpatched problem in QuickTime 7 on Mac OS X 10.4.

tags | advisory
systems | apple, osx
SHA-256 | e7ce6810a1cc4cc40d313e30ebb902b919e44fc8a46b32f75a1d7c496a33a8d2


Change Mirror Download
Hash: SHA1

The canonical URI of this advisory is <http://remahl.se/david/vuln/

This advisory concerns an as-yet unpatched problem in QuickTime 7 on
Mac OS X 10.4. The reason for disclosure before a vendor patch is
that another person realized the potential problem independently and
posted a message about it to the public mailing list quartzcomposer-
dev (hosted by Apple).

The suggested workaround is to disable the QuickTime browser plugin
until a fix is available from the vendor.

/ Regards, David Remahl

DR018: Quartz Composer / QuickTime 7 information leakage

Date of discovery: 2005-04-26
Date of publication: 2005-05-11
Discovered by: David Remahl <david@remahl.se>
Advisory URL: http://remahl.se/david/vuln/018/
CVEs: n/a [as of this writing, the author is aware of
no CVEs assigned to this vulnerability]
Classification: information exposure; design error
License: Public Domain

Verified vulnerable:
* Apple Mac OS X 10.4 (QuickTime 7)
Verified safe:
* Apple Mac OS X 10.3.9 (QuickTime 6.5, 7)
* QuickTime for Windows


Quartz Composer files are created with the Quartz Composer
application included with the developer tools. The compositions (QTZ
files) it creates can be used as screen savers, viewed as they are in
the application or embedded as QT atoms in a .mov container. As such,
they can be viewed in a wide-ranging array of environments, including
a web browser, Keynote 2 and the Finder.

Compositions have access to a number of powerful tools (patches),
each providing or acting-upon information, ultimately resulting in a
graphic composition. The design assumption seems to be that these
details should always be contained within the presentation. However,
by combining patches that provide advanced system information with
patches that load information from the Internet, a malicious .mov
file (viewed for example by the QuickTime web plugin) can leak this
information to an external host.

This issue has not been addressed by Apple yet, and because details
of the potential exploit appeard in a public forum shortly after I
had notified the vendor, a fix may still be some time away. A
temporary work-around is disabling the QuickTime plugin and treating
Quartz Composer files with suspicion.


The information that can be leaked by this method includes (but may
not be limited to):
• local user name (long and short)
• computer name
• local IP
• OS / kernel version
• CPU / RAM / GPU configuration
• names (human-readable) of Bonjour services on the local
• local or system time
• volume of audio input
• lists of images (including pdfs) matching arbitrary
spotlight queries
• lists of images (including pdfs) in specific directories
(relative to / or ~)
• the existence of image and movie files can indicate the
existance of certain software packages

This information can be used for profiling of potential victims, for
further use in attacks against the user's system or phising related
social engineering.


A proof-of-concept in the form of a Quartz Composer composition
embedded in a .mov file is avaiilable at the following link. Please
see that document for more information.



The basic attack works as follows:
1. A patch providing the information (for example the Host
Info patch) is created (A)
2. The output of (A) is connected to a JavaScript patch
which uses encodeURIComponent() to URI encode the string (B).
3. The output of (B) is connected to a String Printer which
results in a URI, for example (C)
4. The output of (C) is connected to the URL input
connection of either the Image Downloader patch or the RSS Feed
patch. (D)
5. The output of (D) must be used somehow, otherwise this
part of the patch graph will not be used. Rendering the output (via a
String to Image) to a 0-sized billboard is fine.
6. When the (D) patch is activated, it will access the URI
(output of (C)), thus leaking the restricted information to an HTTP
host of the attacker's choice.


Apple Computer's security team was contacted with information about
the issue on 2005-05-06. Following a discussion of this problem on
the public quartzcomposer-dev mailinglist (initiated by a third-
party), the full details of the problems were released on May 11.


Apple Computer
• 2005-05-10, 04:50 UTC: Confirmed receipt of problem report
(did not confirm issue).
Version: GnuPG v1.4.1 (Darwin)

Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    12 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By