[<prev] [next>] [day] [month] [year] [list]
Message-ID: <45ED8A09.2070308@reversemode.com>
Date: Tue, 06 Mar 2007 16:34:33 +0100
From: Reversemode <advisories@...ersemode.com>
To: Securityfocus <bugtraq@...urityfocus.com>
Subject: [Reversemode Advisory] Apple Quicktime Color ID remote heap corruption
APPLE QUICKTIME
COLOR TABLE ID REMOTE HEAP CORRUPTION
Rubén Santamarta <ruben@...ersemode.com>
Affected products and/or platforms:
Mac OS X v10.3.9 and later
Windows Vista
Windows XP
Windows 2000
Color table ID
A 16-bit integer that identifies which color table to use. If this field
is set to –1, the default color table should be used for the specified
depth. For all depths below 16 bits per pixel, this indicates astandard
Macintosh color table for the specified depth. Depths of 16, 24, and 32
have no color table.
If the color table ID is set to 0, a color table is contained within the
sample description itself. The color table immediately follows the Color
table ID field in the sample description.
Module: Quicktime.qts Version: 7.1.3
.text:670BA43E cmp word ptr [eax+54h], 0 ;Color table ?
.text:670BA443 jnz loc_670BA519
.text:670BA449 push ebx
.text:670BA44A mov bx, [eax+5Ch] ;num of entries
.text:670BA44E push 0
.text:670BA450 push esi
.text:670BA451 call sub_668B57C0
.text:670BA456 add esp, 8
.text:670BA459 cmp eax, 56h ;ERROR CODE
.text:670BA45C jnz short loc_670BA46A
.text:670BA46A loc_670BA46A: ; CODE XREF:
sub_670BA2E0+17C#j
.text:670BA46A mov al, [esp+8+arg_4]
.text:670BA46E test al, al
.text:670BA470 jnz short loc_670BA47A
.text:670BA472 movzx cx, bh
.text:670BA476 mov ch, bl
.text:670BA478 mov ebx, ecx
.text:670BA47A
{...}
.text:670BA4C7
.text:670BA4C7 loc_670BA4C7: ; CODE XREF:
sub_670BA2E0+235#j
.text:670BA4C7 mov ecx, [esi] ; byte swapping...
.text:670BA4C9 lea edi, [ecx+eax*8+5Eh]
.text:670BA4CD mov cx, [edi]
.text:670BA4D0 movzx bx, ch
.text:670BA4D4 mov bh, cl
.text:670BA4D6 inc edx
.text:670BA4D7 mov [edi], bx
.text:670BA4DA mov ecx, [esi]
.text:670BA4DC lea edi, [ecx+eax*8+60h]
.text:670BA4E0 mov cx, [edi]
.text:670BA4E3 movzx bx, ch
.text:670BA4E7 mov bh, cl
.text:670BA4E9 mov [edi], bx
.text:670BA4EC mov ecx, [esi]
.text:670BA4EE lea edi, [ecx+eax*8+62h]
.text:670BA4F2 mov cx, [edi]
.text:670BA4F5 movzx bx, ch
.text:670BA4F9 mov bh, cl
.text:670BA4FB mov [edi], bx
.text:670BA4FE mov ecx, [esi]
.text:670BA500 lea eax, [ecx+eax*8+64h]
.text:670BA504 mov cx, [eax]
.text:670BA507 movzx bx, ch
.text:670BA50B mov bh, cl
.text:670BA50D mov [eax], bx
.text:670BA510 movsx eax, dx
.text:670BA513 cmp eax, ebp ;(i < numofentries)
.text:670BA515 jl short loc_670BA4C7
“Unless otherwise stated, all data in a QuickTime movie is stored in
big-endian (Motorola) byte ordering.”
poc.mov _____ _____
00000640h: 18 00 00 00 00 00 21 66 66 01 66 00 00 00 00 80 ;
00 00 => COLOR TABLE ID (WORD)
01 66 => number of entries (WORD)
We can corrupt the adjacent memory of the affected heap chunk. The
amount of heap memory that will be corrupted is limited by “number of
entries”, as we can see above that value is controlled.
Successful exploitation can lead to a remote code execution within the
user's logged context.
Attack Vectors
Quicktime Plugin – IE,Firefox...
Quicktime Player
Exploits
No exploits are released.
References:
http://docs.info.apple.com/article.html?artnum=305149
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=486
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=46
(PDF)
Powered by blists - more mailing lists