Twenty Year Anniversary

Apple Quicktime .pct Parsing Memory Corruption

Apple Quicktime .pct Parsing Memory Corruption
Posted May 15, 2012
Authored by Rodrigo Rubira Branco

Apple Quicktime does not properly parse .pct media files, which causes a corruption in module DllMain by opening a malformed file with an invalid value located in PoC repro01.pct at offset 0x20E. Quicktime Player version 7.7.1 (1680.42) on Windows XP SP 3 - PT_BR is confirmed affected. Other versions may also be affected.

tags | advisory
systems | windows, apple, xp
advisories | CVE-2012-0671
MD5 | c437473b3959e9b762550efe55331b27

Apple Quicktime .pct Parsing Memory Corruption

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Qualys Vulnerability & Malware Research Labs (VMRL)
http://www.qualys.com
http://www.dissect.pe

Memory corruption when Apple Quicktime parsers .pct file
CVE-2012-0671


INTRODUCTION

Apple Quicktime does not properly parse .pct media files, which causes
a corruption in module DllMain by opening a malformed file with an
invalid value located in PoC repro01.pct at offset 0x20E.

This problem was confirmed in the following versions of Quicktime and
Windows, other versions may be also affected.

Quicktime Player version 7.7.1 (1680.42) on Windows XP SP 3 - PT_BR.

Apple addressed the vulnerability in the May's Quicktime Patchset
(http://support.apple.com/kb/HT1222)


CVSS Scoring System

The CVSS score is: 8.6
Base Score: 10
Temporal Score: 8.6
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:UR


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.pct) is available to
interested parties.



DETAILS


(f28.c24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a70000 ebx=04402c68 ecx=98b1cc15 edx=00000004 esi=00000000
edi=088a5000
eip=6682ead8 esp=0012bfa8 ebp=00000001 iopl=0 nv up ei pl nz
ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00210216
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for C:\Arquivos de programas\QuickTime\QTSystem\QuickTime.qts -
QuickTime!DllMain+0x2d068:
6682ead8 668907 mov word ptr [edi],ax
ds:0023:088a5000=????
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
QuickTime!DllMain+0x000000000002d068 (Hash=0x0e483076.0x0e507376)
User mode write access violations that are not near NULL are exploitable.



CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco
(http://twitter.com/bsdaemon) from the Qualys Vulnerability & Malware
Research Labs (VMRL).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+yvggACgkQRpuC3B/O3qHFUQCfSKJq4wrKYqDLU7fD6wfB3799
rFYAn2bkvPpcY0jsE+tuP2B7E/6rltxX
=sKVJ
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    3 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close