[NEWS] Apple iTunes Heap Overflow (QuickTime.qts)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Apple iTunes Heap Overflow (QuickTime.qts)
------------------------------------------------------------------------


SUMMARY

iTunes is "a digital media player application, developed by Apple
Computer, for playing and organizing digital music and video files. The
program is also the interface to manage the music on Apple's popular iPod
digital audio player".

The vulnerability allows an attacker to reliably overwrite heap memory
with user-controlled data and execute arbitrary code in the context of the
user who executed iTunes.

DETAILS

Vulnerable Systems:
* Quicktime on Windows 2000
* Quicktime on Windows XP
* Quicktime on Mac OS X 10.3.9

Immune Systems:
* Apple iTunes on Windows 2000
* Apple iTunes on Windows XP
* Apple iTunes on OS X 10.3.9

This specific flaw exists within the QuickTime.qts file which many
applications access QuickTime's functionality through. By specially
crafting atoms within a movie file, a direct heap overwrite is triggered,
and reliable code execution is then possible.

The code in QuickTime.qts responsible for copying Movie Resource atom type
sizes in a QuickTime-format movie into an array allocated on the heap.
According to developer.apple.com, the format of the Movie Resource atom is
as follows:

Field Description
---------------------------
Atom Size - 4 bytes
Atom Type - 4 bytes
Data - Variable

By supplying the .MOV file with a large atom size results in a
insufficiently-sized heap block to be allocated, resulting in a complete
heap memory overwrite ultimately failing in the List_Component() function.

References:
QuickTime: QuickTime File Format
<http://developer.apple.com/documentation/QuickTime/QTFF/index.html>
http://developer.apple.com/documentation/QuickTime/QTFF/index.html

Vendor Status:
Apple has released a patch for this vulnerability. The patch is available
via the Updates section of the affected applications.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>
CVE-2005-4092


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.eeye.com/html/research/advisories/AD20060111b.html>
http://www.eeye.com/html/research/advisories/AD20060111b.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages