Quartz Composer / QuickTime 7 information leakage


MacBytes
May 12, 2005, 09:51 AM

Category: --- Special Topics
Link: Quartz Composer / QuickTime 7 information leakage (http://www.macbytes.com/link.php?sid=20050512105112)

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

Mudbug
May 12, 2005, 09:54 AM
If you're a bit timid to try the proof of concept page, this is what you would have seen:
Proof-of-concept, DR018

Below is a Quartz Composer composition embedded in a QuickTime file. If you have Mac OS X 10.4 or later and a supported system (RADEON or modern nVIDIA graphics card), it should be displayed inline (if not, you will likely get a message about a missing plugin or a dialog from QuickTime saying that you do not have all the required codecs).

Press the play button below to view the proof-of-concept. It is harmless enough - the only thing it will do is send an MD5 hash of your long and short user names to this web server so that you can verify that there is a potential for data-leakage by going to this URL where all hashes end up. Please note that it is not necessary to have the user press the play button. Playback can be automatically started in a variety of ways.


For completeness and analysis, the source file (plain .qtz) can be downloaded too (about 128 KiB). For those who do not have a software/hardware configuration with Quartz Composer support, there is also a pre-rendered h.264 version available (about 2.8 MiB; can be played in 10.3.9 using QuickTime 7 or for example by VLC and MPlayer). Naturally, this version of the presentation cannot leak any information.

All the files on this page are released into the public domain. Use freely. Feel free to credit the creator of the presentation, David Remahl.

Mudbug
May 12, 2005, 10:00 AM
I think one of the things most interesting to me about this is that this could potentially be seen as a very easy way of devising spyware for OS X 10.4, and Secunia only rates it as "non-critical" (http://secunia.com/advisories/15307). I think unintended sharing of data in any way, shape, form, or fashion constitutes a rather "critical" problem to deal with. Granted, it's easy to turn off for now, but still should probably be bumped up the critical scale a little IMHO.

Flying Llama
May 12, 2005, 10:01 AM
Well, at least the most important thing they can see is your long username, but...

On the hash page (the page with the results) I don't see my username or anything, just a bunch of random letters and numbers, does this mean I'm not vulnerable? :cool:

Mudbug
May 12, 2005, 10:03 AM
> Well, at least the most important thing they can see is your long username, but...
>
> On the hash page (the page with the results) I don't see my username or anything, just a bunch of random letters and numbers, does this mean I'm not vulnerable? :cool:

Keep in mind that what appears random to you can probably be rather easily dissected by someone else into a pack of data that makes sense.

crap freakboy
May 12, 2005, 10:29 AM
I'm sure it's all very interesting but my frontal lobes went into meltdown and I fell asleep.

Gizmotoy
May 12, 2005, 10:30 AM
> Well, at least the most important thing they can see is your long username, but...
>
> On the hash page (the page with the results) I don't see my username or anything, just a bunch of random letters and numbers, does this mean I'm not vulnerable? :cool:

No, it means you are vulnerable. What you are looking at is the MD5 hash (Typically used for CRC checking, if you're not familiar) of your username, because the author of that website is using it for demonstration purposes only. If you take the MD5 hash of your known long username, it should match what is displayed on that page. As mentioned in the article, they could easily collect and transmit a number of pieces of information about you without performing the hash first, leaving your information out in the open.
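
The self-check described in the post above, as an added example that is not part of any post in this thread or of the proof-of-concept page: it hashes your own long and short user names and looks for the result in a list of published hashes. The thread does not say how the proof-of-concept combines or encodes the two names, so the variants tried, the function names and the sample values are all assumptions made for this sketch.

```python
import hashlib
import unicodedata


def candidate_hashes(long_name, short_name):
    """Return {md5_hex: description} for plausible ways the names could be hashed.

    Every variant is an assumption to try, not the proof-of-concept's known format.
    """
    inputs = {
        "long name": long_name,
        "short name": short_name,
        "long + short": long_name + short_name,
        "long + space + short": f"{long_name} {short_name}",
    }
    out = {}
    for label, text in inputs.items():
        # Accented names hash differently in composed (NFC) and decomposed (NFD)
        # Unicode form, so both are tried; for plain ASCII they are identical.
        for form in ("NFC", "NFD"):
            data = unicodedata.normalize(form, text).encode("utf-8")
            out.setdefault(hashlib.md5(data).hexdigest(), f"{label} ({form}, UTF-8)")
    return out


def find_leak(long_name, short_name, published):
    """Return sorted (hash, description) pairs from `published` that match this account."""
    candidates = candidate_hashes(long_name, short_name)
    # Hash listings vary in case and whitespace; normalise before comparing.
    seen = {h.strip().lower() for h in published if h.strip()}
    return sorted((h, d) for h, d in candidates.items() if h in seen)


# Constructed sample data: a made-up account and a made-up "results page" listing.
SAMPLE_LONG, SAMPLE_SHORT = "Zoë Example", "zoe"
SAMPLE_PUBLISHED = [
    hashlib.md5(b"someone else").hexdigest(),
    hashlib.md5(unicodedata.normalize("NFD", SAMPLE_LONG).encode()).hexdigest().upper(),
    hashlib.md5(b"zoe").hexdigest(),
]

if __name__ == "__main__":
    for digest, how in find_leak(SAMPLE_LONG, SAMPLE_SHORT, SAMPLE_PUBLISHED):
        print(digest, "<-", how)
```

A match means the value on the results page is your name in hashed form; an empty result only rules out the variants tried here.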

Paul O'Keefe
May 12, 2005, 10:48 AM
Instead of being labelled "Special topic" on MacBytes I think these sorts of things should be labelled "Bugs" or something.

SiliconAddict
May 12, 2005, 11:51 AM
Huh...so we can expect another front page news.com article about how OS X is so insecure and it's the end of the world and such. Great.

narco
May 12, 2005, 12:09 PM
First the Safari thing, now this? Kind of scary, but I have confidence that Apple will fix this like they normally do.

Fishes,
narco.

gunnmjk
May 12, 2005, 02:12 PM
The concept page worked the first time that I tried it, but now Safari crashes each time! The reason?

Safari *** Quartz Composer QuickTime Component: Ignored exception in _QCRuntime_SetUp() at line 492
-[QCImageLoader _Cleanup]: Patch is not running
crashdump: Safari Crashed