[NEWS] Apple QuickTime STSD Atom Heap Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Apple QuickTime STSD Atom Heap Overflow
------------------------------------------------------------------------


SUMMARY

<http://www.apple.com/quicktime/> QuickTime is "a multimedia technology
developed by Apple Computer, capable of handling various formats of
digital video, sound, text, animation, music, and immersive panoramic (and
sphere panoramic) images".

The vulnerability allows a remote attacker to reliably overwrite heap
memory with user-controlled data and execute arbitrary code in the context
of the user who executed the player or application hosting the QuickTime
plug-in.

DETAILS

Vulnerable Systems:
* QuickTime on Windows 2000
* QuickTime on Windows XP
* QuickTime on Mac OS X 10.3.9

Immune Systems:
* Apple iTunes on Windows 2000
* Apple iTunes on Windows XP
* Apple iTunes on OS X 10.3.9

This specific flaw exists within the QuickTime.qts file, through which many
applications access QuickTime's functionality. By specially crafting atoms
within a movie file, a direct heap overwrite is triggered, and reliable code
execution is then possible.

The code in QuickTime.qts responsible for computing the size of, and
allocating heap memory for, the Sample Description Table entries from the
'stsd' atom in a QuickTime-format movie is affected. According to
developer.apple.com, the format of the Sample Description Atom is as follows:

Field                                Description
----------------------------------------------------------------
Size                                 32-bit int
Data Format                          4 char code
Reserved                             6 bytes that must be 0
Data Reference Index                 16-bit int
Hint Track Version                   16-bit unsigned int
Last compatible hint track version   16-bit unsigned int
Max Packet Size                      32-bit int
Additional Data Table                Variable

Setting the size of the Sample Description Table to a value in the range
00 15 - 00 D0 causes a heap-based overflow. Supplying the "Last compatible
hint track version" field with a value in the range 00 05 - 00 09 causes an
insufficiently-sized heap block to be allocated, resulting in a classic
complete heap memory overwrite during the RtlAllocateHeap() function; the
attacker can then control memory with data taken from the filename of the
MOV file. This vulnerability can be successfully exploited via an embedded
media player in an HTML page, an email, or an HTML link.
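As an added illustration (not code from the eEye advisory or from Apple), the parser below reads one sample description entry laid out as in the table above and rejects any entry whose declared Size is smaller than the fixed fields it must hold or larger than the data actually present, which is the kind of bounds check that keeps a crafted Size from driving an undersized heap allocation and copy. The sample entries are constructed; the 'rtp ' data format and the other field values are assumptions, and the layout follows the table above rather than the full QTFF specification.

```python
import struct

# Fixed-length part of an 'stsd' sample description entry, in the order the
# advisory's table lists it: Size(4) Data Format(4) Reserved(6) Data Reference
# Index(2) Hint Track Version(2) Last compatible version(2) Max Packet Size(4).
ENTRY_FMT = ">I4s6sHHHI"
ENTRY_HEADER_LEN = struct.calcsize(ENTRY_FMT)  # 24 bytes; Additional Data follows

def parse_sample_description(buf, offset=0):
    """Parse one entry at offset into a dict, checking every bound before the
    declared Size is used; an undersized or oversized Size raises ValueError."""
    available = len(buf) - offset
    if available < ENTRY_HEADER_LEN:
        raise ValueError("truncated: %d bytes left, need %d" % (available, ENTRY_HEADER_LEN))
    size, fmt, reserved, dref, hint_ver, last_compat, max_pkt = struct.unpack(
        ENTRY_FMT, buf[offset:offset + ENTRY_HEADER_LEN])
    # The advisory's bug class: Size is trusted to drive a heap allocation and
    # copy. A Size below the fixed header cannot hold the fields already read,
    # and a Size past the end of the data would copy beyond the buffer.
    if size < ENTRY_HEADER_LEN:
        raise ValueError("declared size %d below %d-byte fixed header" % (size, ENTRY_HEADER_LEN))
    if size > available:
        raise ValueError("declared size %d exceeds %d bytes available" % (size, available))
    if reserved != b"\x00" * 6:
        raise ValueError("reserved field must be zero")
    return {
        "size": size, "data_format": fmt, "data_reference_index": dref,
        "hint_track_version": hint_ver, "last_compatible_hint_track_version": last_compat,
        "max_packet_size": max_pkt,
        "additional_data": bytes(buf[offset + ENTRY_HEADER_LEN:offset + size]),
    }

def check_sample_description(buf, offset=0):
    """Return None if the entry is accepted, otherwise the rejection reason."""
    try:
        parse_sample_description(buf, offset)
        return None
    except ValueError as exc:
        return str(exc)

def _entry(size, extra=b""):
    # Constructed entries (not from any real movie): 'rtp ' hint data format,
    # reference index 1, versions 1/1, 1400-byte max packet size (assumed).
    return struct.pack(ENTRY_FMT, size, b"rtp ", b"\x00" * 6, 1, 1, 1, 1400) + extra

GOOD_ENTRY = _entry(28, b"\xde\xad\xbe\xef")          # header + 4 bytes of additional data
UNDERSIZED_ENTRY = _entry(0x15, b"\xde\xad\xbe\xef")  # Size smaller than its own header
OVERSIZED_ENTRY = _entry(100)                         # claims 100 bytes, only 24 present
```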

References:
QuickTime: QuickTime File Format
<http://developer.apple.com/documentation/QuickTime/QTFF/index.html>

Vendor Status:
Apple has released a patch for this vulnerability. The patch is available
via the Updates section of the affected applications.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>
CVE-2005-4092


ADDITIONAL INFORMATION

The information has been provided by eEye.
The original article can be found at:
<http://www.eeye.com/html/research/advisories/AD20060111a.html>


