CVE-2010-1818

Apple QuickTime - Remote Code Execution via Untrusted Pointer Unmarshalling

Exploitation Summary

EIP tracks 3 public exploits for CVE-2010-1818. PoCs published by Metasploit, Ruben Santamarta, Ruben Santemarta, jduck, including Metasploit module exploits/windows/browser/apple_quicktime_marshaled_punk.

AI-analyzed exploit summary: This Metasploit module exploits a memory trust issue in Apple QuickTime 7.6.7 via a crafted HTML page, leveraging heap spraying and ROP chains to bypass DEP/ASLR and achieve arbitrary code execution.

Description

The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshalling of an untrusted pointer.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16589

This Metasploit module exploits a memory trust issue in Apple QuickTime 7.6.7 via a crafted HTML page, leveraging heap spraying and ROP chains to bypass DEP/ASLR and achieve arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Apple QuickTime 7.6.6 and 7.6.7 on Windows XP SP3
No auth needed
Prerequisites: Target must visit a malicious webpage · QuickTime ActiveX control must be enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Ruben Santamarta · text · dos · windows
https://www.exploit-db.com/exploits/14843

This is a detailed technical writeup explaining the vulnerability in Apple QuickTime's QTPlugin.ocx, specifically how the '_Marshaled_pUnk' parameter can be exploited to control an IStream pointer, leading to arbitrary code execution. The analysis includes reverse engineering insights and exploitation techniques.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: Apple QuickTime 7.x, 6.x (QTPlugin.ocx)
No auth needed
Prerequisites: Victim must visit a crafted webpage using Internet Explorer on Windows XP, Vista, or 7 with vulnerable QuickTime installed
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GREAT
by Ruben Santemarta, jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb

This Metasploit module exploits a memory trust issue in Apple QuickTime 7.6.7 via a crafted HTML page, leveraging heap spraying and ROP chains to bypass DEP/ASLR and achieve arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Apple QuickTime 7.6.6 and 7.6.7
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer with QuickTime ActiveX control enabled
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7523
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/ht4339
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2010/Sep/msg00003.html

Scores

EPSS 0.4267
EPSS Percentile 98.5%

Details

CWE: CWE-824
Status: published
Products (47)
apple/quicktime 6.0
apple/quicktime 6.0.0
apple/quicktime 6.0.1
apple/quicktime 6.0.2
apple/quicktime 6.1
apple/quicktime 6.1.0
apple/quicktime 6.1.1
apple/quicktime 6.2.0
apple/quicktime 6.3.0
apple/quicktime 6.4.0
... and 37 more
Published Aug 31, 2010
Tracked Since Feb 18, 2026