
SANS ISC InfoSec Handlers Diary Blog



Active exploit site for Quicktime RTSP Response vulnerability

Published: 2007-12-02
Last Updated: 2007-12-03 01:36:14 UTC
by Maarten Van Horenbeeck (Version: 2)
0 comment(s)

Symantec is reporting an active exploit site for the QuickTime RTSP Response vulnerability described in CVE-2007-6166. Currently, the malicious stream is hosted at port 554 on the server 85.255.117.212. Upon exploitation, the following executables are downloaded:

hxxp:// 1800-search.com /000/loader.exe
hxxp:// 1800-search.com /000/dnslvc.exe

Both files are universally detected by antivirus products, so this is a relatively poorly executed attack. Since no vendor-supplied patch is currently available, we still recommend following US-CERT's recommendations:

  • Setting the kill bit in Internet Explorer for the following QuickTime CLSIDs:
    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
    {4063BE15-3B08-470D-A0D5-B37161CFFD69}
  • Disabling the QuickTime plug-in for Mozilla browsers;
  • Disabling the QuickTime file associations;
  • Filtering traffic on the common RTSP ports (554/tcp and 6970-6999/udp); this provides only partial mitigation, since the exploit stream could be served on any port.

Each of these measures makes the use of legitimate QuickTime content next to impossible, so please be aware of the impact this may have on your organization.
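The kill-bit recommendation above is usually rolled out as a registry import rather than by hand. The following script is an added example (not ISC or US-CERT code) that generates a .reg fragment for the two CLSIDs named in the diary. It assumes the documented ActiveX kill-bit mechanism: a DWORD named "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} with bit 0x400 set tells Internet Explorer never to instantiate that control. The existing_flags parameter is a hypothetical convenience so the kill bit is OR'ed into any flags already present rather than overwriting them.

```python
"""Generate a .reg fragment setting the IE ActiveX kill bit for the
QuickTime CLSIDs from the diary.  Added example, not the diary's own code.
Assumes the documented kill-bit mechanism (Compatibility Flags, bit 0x400)."""
import re

KILL_BIT = 0x400  # documented "kill bit" value in Compatibility Flags

# CLSIDs listed in the diary
QUICKTIME_CLSIDS = [
    "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}",
    "{4063BE15-3B08-470D-A0D5-B37161CFFD69}",
]

# Registry key under which per-control compatibility flags live
ACTIVEX_COMPAT_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
    r"\ActiveX Compatibility"
)

# Strict CLSID syntax: {8-4-4-4-12 hex digits}
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def validate_clsid(clsid):
    """Reject malformed CLSIDs early; a typo here silently protects nothing."""
    if not CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return clsid.upper()


def is_killed(flags):
    """True if the kill bit is set in a Compatibility Flags DWORD."""
    return bool(flags & KILL_BIT)


def kill_bit_reg(clsids, existing_flags=0):
    """Return .reg text (Regedit 5.00 format) that sets the kill bit.

    existing_flags (hypothetical parameter): the current Compatibility Flags
    value, if the key already exists, so other flag bits are preserved."""
    flags = existing_flags | KILL_BIT
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = validate_clsid(clsid)
        lines.append(f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]")
        # .reg files express DWORDs as 8 hex digits
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(kill_bit_reg(QUICKTIME_CLSIDS))
```

Import the output with regedit (or distribute it via Group Policy) on the affected hosts; because the kill bit is keyed on the CLSID, it stays in effect even if a future QuickTime update changes the plug-in binary but keeps the control's identity.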

This specific attack instance can be blocked by disallowing traffic to the following domains and IP addresses:

2005-search.com
1800-search.com
85.255.117.212
85.255.117.213
216.255.183.59 (a seeder URL to this exploit, also hosting other IE exploits)
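Blocking these indicators is only half the job; the other half is finding hosts that already talked to them. The script below is an added example (not the diary's own code) that sweeps connection-log lines for the domains and addresses listed above and for the RTSP ports named in the US-CERT mitigations. The log format is a constructed, simplified one (timestamp, source IP, protocol, destination host or IP, destination port, URL or "-"); the sample lines are constructed for the example and are not real traffic. Domain matching also covers subdomains, which the diary's list does not spell out but which a blocklist would normally want.

```python
"""Sweep connection logs for the indicators in the ISC diary.
Added example; log format and sample lines are constructed."""
import ipaddress

# Indicators from the diary
BLOCKED_DOMAINS = {"2005-search.com", "1800-search.com"}
BLOCKED_IPS = {
    ipaddress.ip_address(a)
    for a in ("85.255.117.212", "85.255.117.213", "216.255.183.59")
}
# RTSP ports from the US-CERT mitigation list
RTSP_TCP_PORTS = {554}
RTSP_UDP_PORTS = set(range(6970, 7000))

# Constructed sample log: ts src_ip proto dst_host dport url
SAMPLE_LOG = """\
2007-12-02T20:14:01Z 10.0.0.5 tcp 85.255.117.212 554 -
2007-12-02T20:14:03Z 10.0.0.5 tcp 1800-search.com 80 /000/loader.exe
2007-12-02T20:15:10Z 10.0.0.7 udp 192.0.2.44 6980 -
2007-12-02T20:16:00Z 10.0.0.9 tcp www.example.com 80 /
2007-12-02T20:17:22Z 10.0.0.9 tcp cdn.2005-search.com 80 /
""".splitlines()


def host_matches(host):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in BLOCKED_IPS
    except ValueError:
        pass  # not an IP literal; fall through to domain matching
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def parse_line(line):
    """Split one constructed log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, proto, dst, dport, url = parts
    if not dport.isdigit():
        return None
    return {"ts": ts, "src": src, "proto": proto.lower(),
            "dst": dst, "dport": int(dport), "url": url}


def classify(line):
    """Return the list of reasons a line is interesting (empty if none)."""
    rec = parse_line(line)
    if rec is None:
        return []
    reasons = []
    if host_matches(rec["dst"]):
        reasons.append("ioc-host")
    if rec["proto"] == "tcp" and rec["dport"] in RTSP_TCP_PORTS:
        reasons.append("rtsp-tcp")
    if rec["proto"] == "udp" and rec["dport"] in RTSP_UDP_PORTS:
        reasons.append("rtsp-udp")
    return reasons


def scan(lines):
    """Return [(source_ip, line, reasons)] for every line that matched."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((parse_line(line)["src"], line, reasons))
    return hits


if __name__ == "__main__":
    for src, line, reasons in scan(SAMPLE_LOG):
        print(src, reasons, line)
```

A hit on "ioc-host" is a strong signal that the client fetched the stream or the dropped executables; an "rtsp-*" hit on its own is weaker, since legitimate QuickTime streaming uses the same ports, and is best used to shortlist clients for a closer look.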

--
Maarten Van Horenbeeck
