[NEWS] Apple Quicktime Color ID Heap Corruption (Technical Details)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Mar 2007 12:34:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apple Quicktime Color ID Heap Corruption (Technical Details)
------------------------------------------------------------------------
SUMMARY
Remote exploitation of a heap corruption vulnerability in Apple Computer
Inc.'s QuickTime media player could allow an attacker to execute arbitrary
code in the context of the current user. The bug is in the handling of the
color table embedded in a video sample description: the number of color
table entries is taken from the file and used to drive an in-place byte-swap
loop without checking that the table fits inside the sample description.
DETAILS
Affected products and/or platforms:
* Mac OS X v10.3.9 and later
* Windows Vista
* Windows XP
* Windows 2000
The relevant field is the "Color table ID" of the video sample description,
which the QuickTime File Format specification describes as follows:
A 16-bit integer that identifies which color table to use. If this field
is set to -1, the default color table should be used for the specified
depth. For all depths below 16 bits per pixel, this indicates a standard
Macintosh color table for the specified depth. Depths of 16, 24, and 32
have no color table.
If the color table ID is set to 0, a color table is contained within the
sample description itself. The color table immediately follows the Color
table ID field in the sample description.
The embedded color table starts with a 32-bit seed and 16-bit flags field,
then a 16-bit "color table size" giving the number of 8-byte entries
(value, red, green, blue) that follow. The specification defines this size
as zero-relative: a value of N means N+1 entries. In the listing below the
color table ID is read at [eax+54h] and the size at [eax+5Ch]; the entries
start at offset 5Eh.
Module: Quicktime.qts Version: 7.1.3
.text:670BA43E cmp word ptr [eax+54h], 0 ;Color table ? (eax -> sample description, color table ID == 0 ?)
.text:670BA443 jnz loc_670BA519          ; nonzero ID: no embedded table
.text:670BA449 push ebx
.text:670BA44A mov bx, [eax+5Ch]         ;num of entries (read straight from the file)
.text:670BA44E push 0
.text:670BA450 push esi
.text:670BA451 call sub_668B57C0
.text:670BA456 add esp, 8
.text:670BA459 cmp eax, 56h              ;ERROR CODE
.text:670BA45C jnz short loc_670BA46A
.text:670BA46A loc_670BA46A:             ; CODE XREF: sub_670BA2E0+17C↑j
.text:670BA46A mov al, [esp+8+arg_4]
.text:670BA46E test al, al
.text:670BA470 jnz short loc_670BA47A
.text:670BA472 movzx cx, bh              ; byte-swap the big-endian entry count
.text:670BA476 mov ch, bl
.text:670BA478 mov ebx, ecx
.text:670BA47A
{...}
.text:670BA4C7
.text:670BA4C7 loc_670BA4C7:             ; CODE XREF: sub_670BA2E0+235↓j
.text:670BA4C7 mov ecx, [esi]            ; byte swapping... (esi is a handle, [esi] -> description data)
.text:670BA4C9 lea edi, [ecx+eax*8+5Eh]  ; entry i, word 0: no check that i*8+5Eh lies inside the chunk
.text:670BA4CD mov cx, [edi]
.text:670BA4D0 movzx bx, ch
.text:670BA4D4 mov bh, cl
.text:670BA4D6 inc edx
.text:670BA4D7 mov [edi], bx             ; swapped word written back in place
.text:670BA4DA mov ecx, [esi]
.text:670BA4DC lea edi, [ecx+eax*8+60h]  ; entry i, word 1
.text:670BA4E0 mov cx, [edi]
.text:670BA4E3 movzx bx, ch
.text:670BA4E7 mov bh, cl
.text:670BA4E9 mov [edi], bx
.text:670BA4EC mov ecx, [esi]
.text:670BA4EE lea edi, [ecx+eax*8+62h]  ; entry i, word 2
.text:670BA4F2 mov cx, [edi]
.text:670BA4F5 movzx bx, ch
.text:670BA4F9 mov bh, cl
.text:670BA4FB mov [edi], bx
.text:670BA4FE mov ecx, [esi]
.text:670BA500 lea eax, [ecx+eax*8+64h]  ; entry i, word 3
.text:670BA504 mov cx, [eax]
.text:670BA507 movzx bx, ch
.text:670BA50B mov bh, cl
.text:670BA50D mov [eax], bx
.text:670BA510 movsx eax, dx
.text:670BA513 cmp eax, ebp              ;(i < numofentries)
.text:670BA515 jl short loc_670BA4C7
Unless otherwise stated, all data in a QuickTime movie is stored in
big-endian (Motorola) byte ordering.
poc.mov (the two marked words are the color table ID and the entry count):
00000640h: 18 00 00 00 00 00 21 66 66 01 66 00 00 00 00 80 ;
00 00 => COLOR TABLE ID (WORD): an embedded color table follows
01 66 => number of entries (WORD): 0x0166 = 358
We can corrupt the memory adjacent to the affected heap chunk. The loop
above byte-swaps the four 16-bit words of every 8-byte entry in place, for
as many entries as the file declares, and never checks that the table fits
inside the sample description it was read from. The amount of heap memory
that will be corrupted is therefore limited only by the number of entries,
a 16-bit value under the attacker's control (up to 64K entries, roughly
512 KB past the start of the table). Note that the loop does not write
attacker-supplied values: it swaps the bytes already present, so the
attacker chooses how far the corruption extends while the bytes written
depend on whatever lies after the chunk.
Successful exploitation can lead to remote code execution within the
user's logged-in context.
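The following C program is an added example, not code from Reversemode or
from QuickTime. It models the sample description layout the listing above
reveals (color table ID at 0x54, size at 0x5C, entries from 0x5E) and shows
the bounds check that is missing beside a hardened version of the in-place
byte-swap loop. It assumes the specification's zero-relative size (N means
N+1 entries; the elided code between the two listed blocks is not on the
page, so this is an assumption), and it uses a constructed sample
description with room for exactly two entries rather than the real poc.mov.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets inside a QuickTime video sample description, taken from the
   listing: [eax+54h] is the color table ID, [eax+5Ch] the table size, and
   the 8-byte entries (value, red, green, blue) start at 5Eh. */
#define OFF_ID_SIZE   0x00  /* 32-bit size of the whole sample description */
#define OFF_CLUT_ID   0x54  /* 16-bit color table ID, 0 = table embedded */
#define OFF_CT_SIZE   0x5C  /* 16-bit zero-relative entry count */
#define OFF_CT_TABLE  0x5E  /* first color table entry */
#define CT_ENTRY_LEN  8

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* End offset of the embedded table as declared by the file's own size field.
   Assumption: zero-relative count as in the file format spec (N => N+1). */
size_t declared_table_end(const uint8_t *desc)
{
    size_t entries = (size_t)be16(desc + OFF_CT_SIZE) + 1;
    return OFF_CT_TABLE + entries * CT_ENTRY_LEN;
}

/* The check the listed code lacks: 1 if there is no embedded table or the
   declared table fits within the desc_len bytes actually read from the file. */
int color_table_fits(const uint8_t *desc, size_t desc_len)
{
    if (desc_len < OFF_CT_TABLE)
        return 0;                       /* too short to hold the table header */
    if (be16(desc + OFF_CLUT_ID) != 0)
        return 1;                       /* ID != 0: no table follows */
    return declared_table_end(desc) <= desc_len;
}

/* Bytes beyond the buffer that an unchecked swap loop would read and write. */
size_t overrun_bytes(const uint8_t *desc, size_t desc_len)
{
    if (desc_len < OFF_CT_TABLE || be16(desc + OFF_CLUT_ID) != 0)
        return 0;
    size_t end = declared_table_end(desc);
    return end > desc_len ? end - desc_len : 0;
}

/* Hardened form of the loop at loc_670BA4C7: swap the four 16-bit words of
   each entry in place, but only once the table is known to fit.
   Returns entries swapped, 0 if no embedded table, -1 if it would overrun. */
long swap_color_table(uint8_t *desc, size_t desc_len)
{
    if (!color_table_fits(desc, desc_len))
        return -1;
    if (be16(desc + OFF_CLUT_ID) != 0)
        return 0;
    size_t entries = (size_t)be16(desc + OFF_CT_SIZE) + 1;
    for (size_t i = 0; i < entries; i++) {
        uint8_t *e = desc + OFF_CT_TABLE + i * CT_ENTRY_LEN;
        for (int w = 0; w < 4; w++) {   /* value, red, green, blue */
            uint8_t t = e[2 * w];
            e[2 * w] = e[2 * w + 1];
            e[2 * w + 1] = t;
        }
    }
    return (long)entries;
}

/* Constructed sample description (not poc.mov): ID 0, the given size field,
   and room for exactly two entries whatever the size field says.
   Returns the buffer length, 0x6E bytes, or 0 if cap is too small. */
size_t build_desc(uint8_t *out, size_t cap, uint16_t ct_size)
{
    const size_t len = OFF_CT_TABLE + 2 * CT_ENTRY_LEN;
    if (cap < len)
        return 0;
    memset(out, 0, len);
    put32(out + OFF_ID_SIZE, (uint32_t)len);
    put16(out + OFF_CLUT_ID, 0);         /* a color table follows */
    put16(out + OFF_CT_SIZE, ct_size);
    put16(out + OFF_CT_TABLE + 0, 0);  put16(out + OFF_CT_TABLE + 2, 0xFFFF);  /* entry 0: red */
    put16(out + OFF_CT_TABLE + 8, 1);  put16(out + OFF_CT_TABLE + 14, 0xFFFF); /* entry 1: blue */
    return len;
}

int main(void)
{
    uint8_t buf[128];
    size_t len = build_desc(buf, sizeof buf, 1);        /* size 1 => 2 entries: fits */
    printf("ctSize=0x0001: fits=%d swapped=%ld\n",
           color_table_fits(buf, len), swap_color_table(buf, len));
    len = build_desc(buf, sizeof buf, 0x0166);          /* the poc.mov value */
    printf("ctSize=0x0166: fits=%d overrun=%zu bytes\n",
           color_table_fits(buf, len), overrun_bytes(buf, len));
    return 0;
}
```

With the poc.mov size field, the declared table ends 2856 bytes past a
110-byte description; in the real player the same count drives the loop
over whatever heap memory follows the chunk. The check compares against the
number of bytes actually read from the file, not against the description's
own size field, since that field is attacker-controlled too.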
ADDITIONAL INFORMATION
The information has been provided by Reversemode
<mailto:advisories@xxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=46