Apple QuickTime versions prior to 7.5 suffer from a heap overflow vulnerability when handling PICT images.
n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2008.003 16-Jul-2008
________________________________________________________________________
Vendor: Apple Inc., http://www.apple.com
Affected Products: QuickTime versions prior to 7.5
http://www.apple.com/quicktime
Affected Platforms: Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Vulnerability: Arbitrary Code Execution (remote)
Risk: CRITICAL
________________________________________________________________________
Vendor communication:
2008/03/07 initial notification to Apple Inc. that n.runs AG has
found a considerable number of vulnerabilities in Apple's
most up-to-date default systems and default-installed
products, both on Mac OS X 10.5 (Leopard) and iPhone 1.1.4,
and that n.runs AG intends to send them to Apple Inc. in
phases.
2008/03/08 Apple Inc. replies to n.runs AG, including their public
PGP key, and states that it intends to use Apple Inc.'s
disclosure policy (RFP) instead of n.runs AG's RFP.
2008/03/08 n.runs AG replies that vulnerability reporting will only
happen under n.runs AG RFP
2008/03/11 Apple Inc. communicates to n.runs AG that n.runs AG RFP
is aligned to their RFP so we may continue with further
communication and bug reporting
2008/03/11 n.runs sends PoCs for various issues to Apple Inc.
2008/03/11 Apple Inc. validates the PoCs and reports that it has
trouble reproducing some of them.
2008/03/12 n.runs AG sends more reliable PoCs and the steps to
follow in order to reproduce the issues
2008/03/24 Apple Inc. sends a status report regarding the
vulnerabilities reported by n.runs AG
2008/03/30 n.runs AG thanks Apple Inc. for the status update and
apologizes for not having been more responsive during the
CanSecWest time frame.
2008/03/31 Apple Inc. sends a second status update and informs
about the link where the credits will appear
http://support.apple.com/kb/HT1222
2008/04/01 n.runs AG thanks Apple Inc. for the update and sends a
second batch of vulnerability PoCs, based on the good and
fluent communication n.runs AG has had with Apple Inc. up to
this point.
2008/04/01 Apple Inc. thanks n.runs AG for the new PoCs, validates
them and includes a status report stating that some of the
issues reported were already known to them and/or had been
discovered internally prior to n.runs AG's report. They also
state that they have added Sergio's name and company to
their system for tracking credit information for each of
the security issues, provide the Radar numbers assigned to
each of them, and report some reproduction problems.
2008/04/01 n.runs AG thanks Apple Inc. for the quick response and
clarifies that, as described in the RFP, n.runs AG expects
to be credited for all vulnerabilities reported to Apple
Inc. that affect the most up-to-date products available to
the public, regardless of whether they were already known
internally to Apple Inc.
2008/04/03 Apple Inc. replies: "Yes, that's our policy: all
reporters of security bugs that were not publicly known
get credit."
2008/05/23 n.runs AG reports another vulnerability and requests a
status update for the previously reported
vulnerabilities.
2008/05/29 Apple Inc. sends a status report and asks how n.runs AG
would like to be credited, should it prefer a specific
format.
2008/05/29 n.runs AG thanks Apple Inc. and sends the requested
information.
2008/05/31 Apple Inc. sends the status report for the last issue
reported to them and the Radar number assigned to it.
2008/07/10 n.runs AG requests a status update for the issues
reported to Apple Inc.
2008/07/11 Apple Inc. sends the status report and "informs
n.runs AG that some of the vulnerabilities had already
been fixed and that the update was released some time
ago and that one of them was found through internal
security testing and was not correlated to n.runs AG's
report, that they would fix that, and requests the
format for the credits that n.runs AG would like
to have."
2008/07/13 n.runs AG replies as follows: "As I said and you
agreed in my first mails, before sending any of my
findings, whether you found them internally or if somebody
else reported the same bugs that I'm reporting, you
(Apple) have to credit me for my findings for the simple
reason that I'm reporting them to you instead of
releasing them to the public while the bugs are not
fixed. That said, I've checked all the credits given
in "iPhone 2.0 and iPod touch 2.0"
(http://support.apple.com/kb/HT2351) and the ones given
in "QuickTime 7.5" (http://support.apple.com/kb/HT1991),
and I haven't been credited in any of them. This is a
clear violation of our RFP. If by Monday 14.July.2008
the proper credits are not given to me, I'll release all
the vulnerabilities and bugs that I've reported to you
and also the ones I didn't report yet by
Tuesday 15.July.2008."
2008/07/15 Apple Inc. asks n.runs AG not to make its findings
public and publishes the credit for one of the reported
issues.
2008/07/16 n.runs AG releases this advisory
________________________________________________________________________
Overview:
QuickTime is a multimedia framework developed by Apple Inc., capable of
handling various formats of digital video, media clips, sound, text,
animation, music and several types of interactive panoramic images.
Available for Classic Mac OS, Mac OS X and Microsoft Windows, it
provides essential support for software packages including iTunes,
QuickTime Player (which can also serve as a helper application for web
browsers to play media files that might otherwise fail to open) and
Safari.
Description:
A remotely exploitable vulnerability has been found in QuickTime's file
parsing engine.
In detail, the following flaw was determined:
- A sign extension issue in QuickTime's handling of PICT images that
leads to a heap buffer overflow. Bugs of this class arise when a
narrow signed field from the file is promoted to a wider signed integer:
a negative value passes an upper-bound check and is then converted to a
very large unsigned length when used as a copy size.
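The following is an added example, not Apple's or QuickTime's code and not the actual flaw in the PICT parser. It shows, in a toy parser of PICT-style big-endian 16-bit fields, how a sign-extended byte count slips past a size check and becomes a huge memcpy length into a heap buffer, next to a hardened version of the same routine. The record layout (a 16-bit count followed by payload bytes), the 64-byte row buffer and the sample records are assumptions constructed for the illustration.

```c
/* Added illustration (not Apple/QuickTime code): a sign-extension bug in
 * a parser of PICT-style 16-bit big-endian fields, and its fix. The record
 * layout, ROW_BUF and the sample records are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROW_BUF 64  /* assumed size of the heap-allocated row buffer */

/* PICT stores multi-byte fields big-endian. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* VULNERABLE: the count is read into a signed 16-bit type, so 0xFFF0
 * becomes -16. The "too large" check is done on ints (-16 > 64 is false),
 * the record is accepted, and the later conversion to size_t turns -16
 * into SIZE_MAX-15: the length a memcpy into the 64-byte buffer would get.
 * Returns the copy length it would use, or 0 if the record is rejected. */
static size_t vuln_copy_len(const uint8_t *rec)
{
    int16_t count = (int16_t)read_be16(rec);  /* sign-extended on promotion */
    if (count > ROW_BUF)
        return 0;                              /* never true for negative counts */
    return (size_t)count;
}

/* 1 if the vulnerable parser would accept the record with a copy length
 * larger than the destination, i.e. would overflow the heap buffer. */
static int would_overflow_vuln(const uint8_t *rec)
{
    return vuln_copy_len(rec) > ROW_BUF;
}

/* FIXED: keep the field unsigned, bound it against the destination, and
 * bound it against the bytes actually present so a short record cannot
 * cause an over-read either. Only then copy. */
static int fixed_unpack_row(const uint8_t *rec, size_t rec_len, uint8_t *row)
{
    if (rec_len < 2)
        return 0;
    uint16_t count = read_be16(rec);
    if (count > ROW_BUF || (size_t)count > rec_len - 2)
        return 0;
    memcpy(row, rec + 2, count);
    return 1;
}

/* Allocates the row buffer, runs the fixed parser, returns accept/reject. */
static int fixed_accepts(const uint8_t *rec, size_t rec_len)
{
    uint8_t *row = malloc(ROW_BUF);
    if (!row)
        return 0;
    int ok = fixed_unpack_row(rec, rec_len, row);
    free(row);
    return ok;
}

/* Constructed records (not real PICT data):
 * malicious: count 0xFFF0 and no payload; benign: count 4 plus 4 bytes. */
static const uint8_t kMaliciousRec[2] = { 0xFF, 0xF0 };
static const uint8_t kBenignRec[6]    = { 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };

int main(void)
{
    printf("vulnerable parser, malicious record: length %zu, overflow=%d\n",
           vuln_copy_len(kMaliciousRec), would_overflow_vuln(kMaliciousRec));
    printf("fixed parser, malicious record: accepted=%d\n",
           fixed_accepts(kMaliciousRec, sizeof kMaliciousRec));
    printf("fixed parser, benign record: accepted=%d\n",
           fixed_accepts(kBenignRec, sizeof kBenignRec));
    printf("fixed parser, truncated benign record: accepted=%d\n",
           fixed_accepts(kBenignRec, 4));
    return 0;
}
```

The vulnerable path only reports the length it would hand to memcpy rather than performing the write, so the program can be run safely. The check a reviewer should look for in any PICT-style parser is the one in fixed_unpack_row: the length is kept unsigned and bounded against both the destination buffer and the remaining input before the copy.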
Impact:
This problem can lead to remote arbitrary code execution if an attacker
carefully crafts a file that exploits the aforementioned vulnerability.
The vulnerability is present in the Apple QuickTime versions mentioned
above, on all platforms supported by the affected products, and in every
product that uses the APIs exposed by the QuickTime library prior to
Apple QuickTime version 7.5.
Solution:
The vulnerability was reported on 01.Apr.2008, and Apple has released
QuickTime version 7.5, which fixes it. For detailed information about
the fix, follow the link in the References section [1] of this
document.
________________________________________________________________________
Credit:
Bugs found by Sergio Alvarez of n.runs AG.
________________________________________________________________________
References:
[1] http://support.apple.com/kb/HT1991
This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________
About n.runs:
n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting. In
2007, n.runs expanded its core business area, which until then had been
project based consulting, to include the development of high-end
security solutions.
Application Protection System - Anti Virus (aps-AV) is the first
high-end security solution that n.runs is bringing to the market.
Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@nruns.com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.
Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.