EEYEB-20051031 Apple QuickTime Malformed GIF Heap Overflow

Release Date:
January 10, 2006

Date Reported:
October 31, 2005

Severity:
High (Code Execution)

Patch Development Time (In Days):
71 Days

Severity:
High (Code Execution)

Vendor:
Apple


Systems Affected:
Quicktime on Windows 2000
Quicktime on Windows XP
Quicktime on Mac OS X 10.3.9

Apple iTunes on Windows 2000
Apple iTunes on Windows XP
Apple iTunes on OS X 10.3.9


Overview:
eEye Digital Security has discovered a critical heap overflow in the Apple Quicktime player that allows for the execution of arbitrary code via a maliciously crafted GIF file.

This flaw has proven to allow for reliable control of data on the heap chunk and can be exploited via a web site by using ActiveX controls.

Technical Details:
When Quicktime processes the Netscape Navigator Application Extension Block of a gif file, it does not perform proper bounds checking, so it will allocate memory without checking the heap size. The heap can be overwritten in the Picture Modifier block.  
The block size calculate code such as:
.text:66A339CC                 mov     ax, [esi+0Ch]
.text:66A339D0                 xor     ecx, ecx
.text:66A339D2                 mov     [esp+34h+var_28], ecx
.text:66A339D6                 mov     [esp+34h+var_24], ecx
.text:66A339DA                 mov     [esp+34h+var_20], ecx
.text:66A339DE                 mov     [esp+34h+var_1C], ecx
.text:66A339E2                 mov     word ptr [esp+34h+var_10], cx
.text:66A339E7                 mov     [esp+34h+arg_4], eax
.text:66A339EB                 movsx   eax, ax
.text:66A339EE                 mov     word ptr [esp+34h+var_10+2], cx
.text:66A339F3                 mov     cx, [esi+8]
.text:66A339F7                 movsx   edx, cx
.text:66A339FA                 sub     eax, edx
.text:66A339FC                 movsx   edx, word ptr [esi+6]
.text:66A33A00                 add     eax, 3Eh
.text:66A33A03                 push    edi
.text:66A33A04                 movsx   edi, word ptr [esi+0Ah]
.text:66A33A08                 sar     eax, 3
.text:66A33A0B                 lea     ebx, [esi+6]
.text:66A33A0E                 and     eax, 0FFFFFFFCh
.text:66A33A11                 sub     edi, edx
.text:66A33A13                 movsx   edx, ax
.text:66A33A16                 mov     [esi+4], ax
.text:66A33A1A                 imul    edi, edx

The allocate code is :
.text:66A33A68                 push    edi
.text:66A33A69                 call    sub_668B5B30


But when it real process data to this memory, it use real decode data to write this memory 
but didn¡¯t check this heap size. This is segment of the write code function(sub_66AE0A70):
.text:66AE0B18                 movsx   edx, word ptr [edi+12h] ; default
.text:66AE0B1C                 imul    edx, [edi+0Ch]
.text:66AE0B20                 mov     ecx, [edi+4]
.text:66AE0B23                 inc     word ptr [edi+16h]
.text:66AE0B27                 mov     eax, [esp+arg_0]
.text:66AE0B2B                 add     edx, ecx
.text:66AE0B2D                 mov     [eax], edx
.text:66AE0B2F                 mov     eax, [ebp+10h]
.text:66AE0B32                 test    eax, eax
.text:66AE0B34                 jz      short loc_66AE0B62
.text:66AE0B36                 mov     ax, [ebp+1Ch]
.text:66AE0B3A                 mov     edx, [ebp+0Ch]
.text:66AE0B3D                 movzx   cx, ah
.text:66AE0B41                 mov     ch, al
.text:66AE0B43                 mov     [edx], cx
.text:66AE0B46                 movsx   eax, word ptr [edi+12h]
.text:66AE0B4A                 imul    eax, [ebp+14h]
.text:66AE0B4E                 add     eax, [ebp+10h]
.text:66AE0B51                 mov     cx, [ebp+18h]
.text:66AE0B55                 mov     [ebp+0Ch], eax
.text:66AE0B58                 mov     [ebp+1Ah], cx
.text:66AE0B5C                 mov     word ptr [ebp+1Ch], 0




Vendor Status:
Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications.
This vulnerability has been assigned the CVE identifier CVE-2005-3713.

Credit:
Fang Xing

Greetings:
eEye Research and especially Hugo for all his help

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically.  It is not to be edited in any way without express consent of eEye.  If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice.  Use of this information constitutes acceptance for use in an AS IS condition.  There are no warranties, implied or express, with regard to this information.  In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.  Any use of this information is at the user's own risk.