More Quicktime Fun

A few more things about the Quicktime 0-day.

First, the Snort rules have been tested. The corrected rules are attached to this post.

Second, I knew I felt déjà vu over this one. Back in 2002 there was a Content-Type vulnerability in the Japanese-localized Quicktime 5.01 and 5.02 (see CVE entry CVE-2002-0252). You'd think that things would improve in the intervening 5 years.

Third, I've noticed while searching for RTSP content to test the rule that there really isn't a lot of RTSP out there. It's probably due to the ubiquity of HTTP, and because Firefox and IE7 have both removed rtsp:// URL handlers, which will reduce the attack surface of this vulnerability.

Finally, I've successfully tested the PoC code against a fully patched Quicktime 7.3 on XP SP2.

Here's what the output looks like:

C:\Snort\bin>snort -Aconsole -c ..\etc\snort.conf -i 3 -k none -l ..\log -q
11/27-10:34:07.020116  [**] [1:1071102:1] Apple Quicktime RTSP Content-Type overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 172.30.1.145:554 -> 172.30.1.141:4337 
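The alert above fires on server-to-client RTSP traffic (source port 554) carrying an oversized Content-Type header. The following is an added example, not the attached Snort rule or anything from the original post, that reimplements that detection logic in Python so the check can be exercised against constructed RTSP responses offline. The length threshold (256 bytes) and the two sample responses are assumptions made for the example; the real rule's threshold is whatever the attached qt-rules.txt specifies.

```python
import re

# Threshold for the Content-Type value length. This is an assumed value for
# the example, not taken from the attached Snort rule.
MAX_CONTENT_TYPE_LEN = 256
RTSP_PORT = 554

# Match a Content-Type header at the start of a line; the value runs to the
# end of that line. Case-insensitive, like a Snort "nocase" content match.
HEADER_RE = re.compile(rb"^Content-Type:[ \t]*(?P<value>[^\r\n]*)", re.I | re.M)


def rtsp_content_type_length(payload):
    """Return the length of the Content-Type header value in an RTSP
    response, or None if the header is absent. Only the header block
    (everything before the first blank line) is inspected."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    m = HEADER_RE.search(head)
    if not m:
        return None
    return len(m.group("value"))


def check_packet(src_port, payload, limit=MAX_CONTENT_TYPE_LEN):
    """Emulate the rule: flag server-to-client RTSP traffic (source port
    554) whose Content-Type value is longer than `limit` bytes."""
    if src_port != RTSP_PORT:
        return False
    if not payload.startswith(b"RTSP/1.0"):
        return False
    n = rtsp_content_type_length(payload)
    return n is not None and n > limit


# Constructed sample responses for the example (not captured traffic).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 4\r\n\r\nv=0\r\n")
MALICIOUS = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: " + b"A" * 1000 +
             b"\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "ALERT" if check_packet(554, pkt) else "ok")
```

The Snort equivalent of `check_packet` would be a rule on `tcp $EXTERNAL_NET 554 -> $HOME_NET any` with `flow:from_server,established;`, a `content:"Content-Type|3A|"; nocase;` anchor and a `pcre:"/^Content-Type\x3a[^\r\n]{256}/mi"` length check; that is the shape I would expect, not a quotation of the attached rule. Note that an RTSP server can also legitimately send a long-ish Content-Type, so the threshold should sit well above any SDP or multipart value you expect to see.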
Attachment: qt-rules.txt (678 bytes)