lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d65cd4390605112005n5b1e8133hd94842674d98ca4c@mail.gmail.com>
Date: Fri, 12 May 2006 11:05:10 +0800
From: Sowhat <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Apple QuickTime udta ATOM Heap Overflow


Apple QuickTime udta ATOM Heap Overflow


By Sowhat of Nevis Labs
Date: 2006.05.12

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060512.txt


Vendor:
Apple Inc.


Affected Versions:
Apple QuickTime versions < 7.1


Overview:
We have discovered a critical vulnerability in Quicktime Player.
The vulnerability allows an attacker to  execute arbitrary code
in the context of the user who executes QuickTime.

This vulnerability can be exploited By persuading a user to open
a carefully crafted .mov files or visit a website embedding the
malicious .mov file.


Details:
This vulnerability exists in the way Quicktime process the "udta" Atom of
the .mov files.

The layout of a udta(user data atom) atom:

                           Bytes
   _______________________											
  |    User data atom     |
  |     Atom size         | 4
  |    Type = 'udta'      | 4
  |                       |
  |   User data list      |
  |     Atom size         | 4
  | Type = user data types| 4
  |                       |
   -----------------------



By setting the value of the Atom size to a large value such as 0xFFFFFFFF,
an insufficiently-sized heap block will be allocated, and resulting in a
classic complete heap memory overwrite during the RtlAllocateHeap() function.




Vendor Response:

2006.05.06	Vendor notified via product-security@...le.com
2006.05.07	Vendor responded
2006.05.09	Vendor ask for more information
2006.05.11	Vendor released QuickTime 7.1
2006.05.12	Advisory released


Vendor was contacted in 05/06/2006, and they said:
"This message is being sent to you by a security analyst who has reviewed
your note.  The issue is being  investigated, and we appreciate the time
you have taken to report it to us. "

This vulnerability no longer exists in their new release(7.1),
However the vendor didnt formally inform me about the patch.


Greetings to Ajit, Chi, Xin, Linlin and all guys in India & US Nevis Labs


Reference:
1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html
2. http://docs.info.apple.com/article.html?artnum=303752





-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ