[NT] Apple QuickTime (QuickTime.qts) Heap Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 05/02/04
To: list@securiteam.com
Date: 2 May 2004 18:56:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apple QuickTime (QuickTime.qts) Heap Overflow
------------------------------------------------------------------------
SUMMARY
The Apple QuickTime media player is used for playing, interacting with or
viewing video, audio, VR or graphics files. Many popular web browsers,
media players, and other applications use its libraries to play the
various QuickTime movie formats from within their own processes.
eEye Digital Security has discovered a critical vulnerability in QuickTime
Player. The vulnerability allows a remote attacker to reliably overwrite
heap memory with user-controlled data and execute arbitrary code within
the SYSTEM context (in practice, with the privileges of whichever process
loaded QuickTime.qts, typically the user's browser or media player).
This specific flaw exists within the QuickTime.qts file, through which
many applications access QuickTime's functionality. By specially crafting
atoms within a movie file, a direct heap overwrite is triggered, and
reliable code execution is then possible.
DETAILS
Systems Affected:
* Apple QuickTime version 6.5
* Apple iTunes version 4.2.0.72
The vulnerable code in QuickTime.qts copies Sample-to-Chunk table entries
from the 'stsc' atom of a QuickTime-format movie into an array allocated
on the heap. According to developer.apple.com, the Sample-to-Chunk atom is
laid out as follows (all multi-byte fields are big-endian):
Offset  Type     Description
------  -------  --------------------------------
0000h   DWORD    atom size
0004h   DWORD    atom type tag ('stsc')
0008h   BYTE     version
0009h   BYTE[3]  flags
000Ch   DWORD    number of entries
0010h   ...      sample-to-chunk table data (one 12-byte entry per
                 count: first chunk, samples per chunk, sample
                 description ID)
The heap block intended to hold the sample-to-chunk table is allocated
with a size of (number_of_entries + 2) * 16 bytes, computed in 32-bit
arithmetic. Supplying the "number of entries" field with the value
0x0FFFFFFE or greater makes that product wrap (for 0x0FFFFFFE exactly, to
zero), so an absolutely classic integer overflow causes an
insufficiently-sized heap block to be allocated; the copy that follows
still trusts the attacker-supplied count and writes past the block,
resulting in an equally classic complete heap memory overwrite.
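The arithmetic above, shown side by side with a hardened version, as an added example in C (not QuickTime.qts code and not part of the eEye advisory). The 16-byte in-memory record, the helper names and the two 40-byte test atoms are assumptions constructed for the illustration; the on-disk layout follows the QTFF table above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* On-disk layout of the Sample-to-Chunk atom (QTFF, all fields big-endian). */
#define STSC_HEADER_LEN 16u         /* size, 'stsc', version+flags, number of entries */
#define STSC_ENTRY_LEN  12u         /* first chunk, samples per chunk, sample description ID */
#define STSC_TYPE       0x73747363u /* 'stsc' */

/* In-memory record. Assumption: 16 bytes per entry, matching the
 * (number_of_entries + 2) * 16 allocation the advisory describes. */
typedef struct {
    uint32_t first_chunk;
    uint32_t samples_per_chunk;
    uint32_t sample_desc_id;
    uint32_t reserved;              /* pads the record to 16 bytes */
} stsc_entry;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The size computation as the advisory describes it: plain 32-bit arithmetic.
 * For entries >= 0x0FFFFFFE the multiply wraps and the result is tiny (or 0). */
uint32_t stsc_alloc_size_vuln(uint32_t entries)
{
    return (entries + 2u) * 16u;
}

/* Hardened computation. Returns 0 when the count must be rejected because
 * (n + 2) * 16 would not fit in 32 bits, the header is truncated, or the
 * declared count exceeds the entries actually present in the atom. */
uint32_t stsc_alloc_size_safe(uint32_t atom_size, uint32_t entries)
{
    if (entries > UINT32_MAX / 16u - 2u)                            /* arithmetic overflow */
        return 0;
    if (atom_size < STSC_HEADER_LEN)                                 /* truncated header */
        return 0;
    if (entries > (atom_size - STSC_HEADER_LEN) / STSC_ENTRY_LEN)    /* count > bytes present */
        return 0;
    return (entries + 2u) * 16u;
}

/* Parses one 'stsc' atom from buf. On success returns the entry count and sets
 * *out to a heap array sized by the hardened formula (caller frees it); on any
 * malformed input returns -1 and leaves *out NULL. */
int parse_stsc(const uint8_t *buf, size_t len, stsc_entry **out)
{
    *out = NULL;
    if (len < STSC_HEADER_LEN) return -1;
    uint32_t atom_size = be32(buf);
    if (atom_size > len || be32(buf + 4) != STSC_TYPE) return -1;
    uint32_t entries = be32(buf + 12);
    uint32_t bytes = stsc_alloc_size_safe(atom_size, entries);
    if (bytes == 0) return -1;

    stsc_entry *tbl = calloc(1, bytes);
    if (!tbl) return -1;
    for (uint32_t i = 0; i < entries; i++) {
        const uint8_t *e = buf + STSC_HEADER_LEN + (size_t)i * STSC_ENTRY_LEN;
        tbl[i].first_chunk       = be32(e);
        tbl[i].samples_per_chunk = be32(e + 4);
        tbl[i].sample_desc_id    = be32(e + 8);
    }
    *out = tbl;
    return (int)entries;
}

/* Constructed test atoms (not taken from any real movie file). */
const uint8_t kGoodStsc[40] = {            /* two well-formed entries */
    0x00,0x00,0x00,0x28, 's','t','s','c', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x05, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x03, 0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x01,
};
const uint8_t kBadStsc[40] = {             /* number of entries = 0x0FFFFFFE */
    0x00,0x00,0x00,0x28, 's','t','s','c', 0x00,0x00,0x00,0x00, 0x0F,0xFF,0xFF,0xFE,
    0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,
    0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,
};

int main(void)
{
    stsc_entry *tbl;
    printf("vulnerable alloc size for 0x0FFFFFFE entries: %u bytes\n",
           stsc_alloc_size_vuln(0x0FFFFFFEu));
    int n = parse_stsc(kGoodStsc, sizeof kGoodStsc, &tbl);
    printf("good atom: %d entries\n", n);
    free(tbl);
    n = parse_stsc(kBadStsc, sizeof kBadStsc, &tbl);
    printf("bad atom: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The overflow check uses the UINT32_MAX / 16 - 2 bound rather than widening to 64 bits, because the allocator in question takes a 32-bit size; the second check (count against bytes actually present in the atom) catches the same input earlier and also rejects counts that wrap by smaller amounts.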
It is difficult to express just how textbook this vulnerability scenario
really is. Successful exploitation of the vulnerability is self-evident,
and therefore no further discussion is warranted. It is our sincere hope
that the vendor will make an earnest effort to increase the maturity of
its security response capabilities, so that researchers will be encouraged
to continue to work with them amicably on future security issues. Apple is
doing a disservice to its customers by incorrectly labeling this
vulnerability as a "crash bug" rather than stating correctly that
attackers can compromise systems running the affected Apple software.
References:
QuickTime: QuickTime File Format
<http://developer.apple.com/documentation/QuickTime/QTFF/index.html>
Vendor Status:
Apple has released a patch for this vulnerability. The patch is available
via the Updates section of the affected applications. This vulnerability
has been assigned the CVE identifier CAN-2004-0431.
ADDITIONAL INFORMATION
The information has been provided by Marc Maiffret <mmaiffret@eeye.com>.
The original article can be found at:
<http://www.eeye.com/html/Research/Advisories/AD20040502.html>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.