quicktime-heap-adv-7.1.txt

Posted Mar 8, 2007
Authored by Piotr Bania | Site piotrbania.com

Apple QuickTime player version 7.1 on Windows suffers from a remote heap overflow vulnerability.

tags | advisory, remote, overflow
systems | windows, apple
SHA-256 | 65da3ab8f46f0b132528896188ac81e77e60eee67849338401fb5ac40456b761




Apple QuickTime Player Remote Heap Overflow
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com
All rights reserved.


Severity: Critical - potential remote code execution.


Software affected: Tested on QuickTime 7.1 (Windows version), with
all newest add-ons.


Timeline: 03/09/2006 Vulnerability sent to the vendor.
03/09/2006 Initial vendor response.
06/03/2007 Security bulletin released.


Original url: http://www.piotrbania.com/all/adv/quicktime-heap-adv-7.1.txt




0. DISCLAIMER

The author takes no responsibility for any actions taken with the provided
information or code. The copyright for any material created by the author is
reserved. Any duplication of the code or text provided here in electronic or
printed publications is not permitted without the author's agreement.

I. BACKGROUND

Apple QuickTime Player is one of the Apple QuickTime components
used by hundreds of millions of users.


II. DESCRIPTION

Apple QuickTime Player is prone to a remote heap overflow
vulnerability (exploitable via remotely originated content).


Let's take a look at the allocated heap blocks:

----// SNIP SNIP //-------------------------------------------------
K: 66191 -> [*] HeapAlloc(0x00f00000,0x00000000,0x00000050(00000080))=0x013a0e68 end at: 0x013a0eb8
K: 66192 -> [*] HeapAlloc(0x01160000,0x00000001,0x00000057(00000087))=0x01228c40 end at: 0x01228c97
K: 66193 -> [*] HeapAlloc(0x01160000,0x00000001,0x0000002b(00000043))=0x01228cb0 end at: 0x01228cdb
-> [*] HeapFree(0x1160000,0x1,0x1228C40)
-> [*] Freed()
-> [*] HeapFree(0x1160000,0x1,0x1228CB0)
-> [*] Freed()
K: 66194 -> [*] HeapAlloc(0x01160000,0x00000001,0x00000028(00000040))=0x01228c40 end at: 0x01228c68
-> [*] HeapFree(0x1160000,0x1,0x1228C40)
-> [*] Freed()
K: 66195 -> [*] HeapAlloc(0x00f00000,0x00000008,0x00000020(00000032))=0x013a0ed0 end at: 0x013a0ef0
K: 66196 -> [*] HeapAlloc(0x01160000,0x00000001,0x00000028(00000040))=0x01228c40 end at: 0x01228c68 *(A)
-> [*] HeapFree(0x1160000,0x1,0x1228C40) *(B)
----// SNIP SNIP //-------------------------------------------------


The memory block marked A is corrupted here:

----// SNIP SNIP //-------------------------------------------------
66949879 8901 MOV DWORD PTR DS:[ECX],EAX
----// SNIP SNIP //-------------------------------------------------

This leads to problems in subsequent operations on the heap blocks, here
when the corrupted block is freed (the free marked B).

The vulnerability may lead to remote code execution when a specially
crafted MOV file is loaded.
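The trace above is enough to check, for any store address, whether a write lands inside a live block, past its end, or into a freed one. The following is an added example (not the advisory's code): it replays the advisory's HeapAlloc/HeapFree lines (the number in parentheses is the decimal size, and "end at" is start plus size) and classifies a 4-byte store such as the MOV DWORD PTR [ECX],EAX shown. The ECX value at the faulting store is not given in the advisory, so any address you pass is an assumption.

```python
import re

# Heap-trace excerpt copied from the advisory ("*(A)" is the advisory's marker);
# the HeapFree marked (B) is left out so block A is live, as at the faulting store.
TRACE = """\
K: 66191 -> [*] HeapAlloc(0x00f00000,0x00000000,0x00000050(00000080))=0x013a0e68 end at: 0x013a0eb8
K: 66192 -> [*] HeapAlloc(0x01160000,0x00000001,0x00000057(00000087))=0x01228c40 end at: 0x01228c97
K: 66193 -> [*] HeapAlloc(0x01160000,0x00000001,0x0000002b(00000043))=0x01228cb0 end at: 0x01228cdb
-> [*] HeapFree(0x1160000,0x1,0x1228C40)
-> [*] HeapFree(0x1160000,0x1,0x1228CB0)
K: 66194 -> [*] HeapAlloc(0x01160000,0x00000001,0x00000028(00000040))=0x01228c40 end at: 0x01228c68
-> [*] HeapFree(0x1160000,0x1,0x1228C40)
K: 66196 -> [*] HeapAlloc(0x01160000,0x00000001,0x00000028(00000040))=0x01228c40 end at: 0x01228c68 *(A)
"""

HEX = r"(0x[0-9a-fA-F]+)"   # HeapAlloc(heap,flags,size_hex(size_dec))=addr / HeapFree(heap,flags,addr)
ALLOC_RE = re.compile(rf"HeapAlloc\({HEX},{HEX},{HEX}\(\d+\)\)={HEX}")
FREE_RE = re.compile(rf"HeapFree\({HEX},{HEX},{HEX}\)")

def replay(trace):
    """Replay the log; return (live, freed): maps of block start -> requested size."""
    live, freed = {}, {}
    for line in trace.splitlines():
        if m := ALLOC_RE.search(line):
            _heap, _flags, size, addr = (int(x, 16) for x in m.groups())
            freed.pop(addr, None)            # address reused, no longer dangling
            live[addr] = size
        elif (m := FREE_RE.search(line)) and int(m.group(3), 16) in live:
            addr = int(m.group(3), 16)
            freed[addr] = live.pop(addr)
    return live, freed

def classify_write(live, freed, addr, size=4):
    """Classify a size-byte store at addr (e.g. MOV DWORD PTR [ECX],EAX) against the state."""
    for start, length in live.items():
        end = start + length
        if start <= addr < end:
            if addr + size <= end:
                return "in-bounds"
            return f"overflow: {addr + size - end:#x} bytes beyond end of block {start:#010x}"
    for start, length in freed.items():
        if start <= addr < start + length:
            return f"use-after-free: block {start:#010x} was freed"
    # Not inside any block: a store just past a live block's end hits the next chunk header.
    near = [s for s in live if 0 <= addr - (s + live[s]) < 0x1000]
    if near:
        start = max(near)
        return f"overflow: {addr + size - (start + live[start]):#x} bytes beyond end of block {start:#010x}"
    return "outside any traced block"
```

Call `replay(TRACE)` and then `classify_write(live, freed, ecx)`; with the constructed value 0x01228c68 (the byte right after block A, 0x28 bytes from 0x01228c40) the result is an overflow of 4 bytes past A's end, which is exactly the kind of store that corrupts the next chunk's header and makes the later HeapFree at B fail.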


III. BONUS :)

Stack unwind:

----// SNIP SNIP //-------------------------------------------------
0013beac 77f851ee 00f80000 02884278 0013bf40 ntdll!RtlSizeHeap+0x7d7
0013bf88 77f9e227 00f80000 50000061 02884280 ntdll!RtlSizeHeap+0x1ed8
0013bffc 77f85010 00f80000 50000061 02884280 ntdll!RtlpNtEnumerateSubKey+0x65d5
0013c0d4 77f58b37 00f80000 40000061 02884280 ntdll!RtlSizeHeap+0x1cfa
0013c1a4 668f51d4 00f80000 00000001 02884280 ntdll!RtlFreeHeap+0xf9
0013c218 669644a1 02876e4e 0013c2e0 0013c33c QuickTime!theQTMLDispatcher+0x27a34
0013c234 668daf8e 00000000 00000020 00181628 QuickTime!LIST_ComponentDispatch+0x665b1
0013c250 668cd61e 02876e4e 00000000 00000000 QuickTime!theQTMLDispatcher+0xd7ee
0013c29c 77f58a3a 668a8189 00f40000 40000068 QuickTime!CallComponentFunctionWithStorage+0xd0e
0013c2a0 668a8189 00f40000 40000068 668a81bb ntdll!RtlAllocateHeap+0xe8c
0013c2ac 668a81bb 0013c2f0 0013c33c 00181588 QuickTime!DllMain+0x579e9
0013c2c0 668cd569 02852f60 73646573 636c6179 QuickTime!DllMain+0x57a1b
0013c31c 66b1ac37 02852f60 73646573 636c6179 QuickTime!CallComponentFunctionWithStorage+0xc59
0013c36c 66b1b18d 02852f60 80008002 012273c0 QuickTime!VQ_DComponentDispatch+0xd117
00000000 00000000 00000000 00000000 00000000 QuickTime!VQ_DComponentDispatch+0xd66d
----// SNIP SNIP //-------------------------------------------------


IV. POC CODE

Due to the severity of this bug I will not release any proof of concept
code for this issue.


V. VENDOR RESPONSE

The vendor (Apple) has been notified and has released the necessary patches.

