Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Apple Quicktime Memory Corruption when parsing FPX files
CVE-2010-3801


INTRODUCTION

Apple Quicktime is a "powerful media technology that works on Mac and PC with just about 
every popular video or audio format you come across. So you can play the digital media 
you want to play".

Apple Quicktime is available as plugin to different browsers, and thus the vulnerability
can be remotely triggered.

QuickTime player does not properly parse .fpx media files, which causes a memory corruption by 
opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49.

This problem was confirmed in the following versions of Apple Quicktime and browsers, other 
versions may be also affected.

QuickTime Player version 7.6.8 (1675) in all Operating Systems
QuickTime Player version 7.6.6 (1671) in all Operating Systems

CVSS Scoring System

The CVSS score is: 9
  Base Score: 10
  Temporal Score: 9
We used the following values to calculate the scores:
  Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
  Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

The problem is triggered by PoC repro.fpx which causes invalid memory access in all the 
refered versions and is available to interested parties only.


DETAILS


Disassembly:

668E2387   F7C7 03000000    TEST EDI,3
668E238D   75 15            JNZ SHORT QuickT_1.668E23A4
668E238F   C1E9 02          SHR ECX,2
668E2392   83E2 03          AND EDX,3
668E2395   83F9 08          CMP ECX,8
668E2398   72 2A            JB SHORT QuickT_1.668E23C4
668E239A   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here

EDI = 0x089A0020
ESI = 0x61626364

(3e8.e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020
eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206

668e239a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.


CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).





Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense