exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apple Quicktime Memory Corruption

Apple Quicktime Memory Corruption
Posted Dec 17, 2010
Authored by Rodrigo Rubira Branco

The Apple QuickTime player does not properly parse .fpx media files, which causes a memory corruption by opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49. Tested vulnerable are versions 7.6.8 (1675) and 7.6.6 (1671).

tags | advisory
systems | apple
advisories | CVE-2010-3801
SHA-256 | facb84d8419ffcf0bba2fe7f89e1f2ae1bc160d4a44a1f04b6c7f18419579e90

Apple Quicktime Memory Corruption

Change Mirror Download
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Apple Quicktime Memory Corruption when parsing FPX files
CVE-2010-3801


INTRODUCTION

Apple Quicktime is a "powerful media technology that works on Mac and PC with just about
every popular video or audio format you come across. So you can play the digital media
you want to play".

Apple Quicktime is available as plugin to different browsers, and thus the vulnerability
can be remotely triggered.

QuickTime player does not properly parse .fpx media files, which causes a memory corruption by
opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49.

This problem was confirmed in the following versions of Apple Quicktime and browsers, other
versions may be also affected.

QuickTime Player version 7.6.8 (1675) in all Operating Systems
QuickTime Player version 7.6.6 (1671) in all Operating Systems

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

The problem is triggered by PoC repro.fpx which causes invalid memory access in all the
refered versions and is available to interested parties only.


DETAILS


Disassembly:

668E2387 F7C7 03000000 TEST EDI,3
668E238D 75 15 JNZ SHORT QuickT_1.668E23A4
668E238F C1E9 02 SHR ECX,2
668E2392 83E2 03 AND EDX,3
668E2395 83F9 08 CMP ECX,8
668E2398 72 2A JB SHORT QuickT_1.668E23C4
668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here

EDI = 0x089A0020
ESI = 0x61626364

(3e8.e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020
eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.


CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).





Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close