Apple QuickTime udta ATOM Heap Overflow By Sowhat of Nevis Labs Date: 2006.05.12 http://www.nevisnetworks.com http://secway.org/advisory/AD20060512.txt Vendor: Apple Inc. Affected Versions: Apple QuickTime versions < 7.1 Overview: We have discovered a critical vulnerability in Quicktime Player. The vulnerability allows an attacker to execute arbitrary code in the context of the user who executes QuickTime. This vulnerability can be exploited By persuading a user to open a carefully crafted .mov files or visit a website embedding the malicious .mov file. Details: This vulnerability exists in the way Quicktime process the "udta" Atom of the .mov files. The layout of a udta(user data atom) atom: Bytes _______________________ | User data atom | | Atom size | 4 | Type = 'udta' | 4 | | | User data list | | Atom size | 4 | Type = user data types| 4 | | ----------------------- By setting the value of the Atom size to a large value such as 0xFFFFFFFF, an insufficiently-sized heap block will be allocated, and resulting in a classic complete heap memory overwrite during the RtlAllocateHeap() function. Vendor Response: 2006.05.06 Vendor notified via product-security@apple.com 2006.05.07 Vendor responded 2006.05.09 Vendor ask for more information 2006.05.11 Vendor released QuickTime 7.1 2006.05.12 Advisory released Vendor was contacted in 05/06/2006, and they said: "This message is being sent to you by a security analyst who has reviewed your note. The issue is being investigated, and we appreciate the time you have taken to report it to us. " This vulnerability no longer exists in their new release(7.1), However the vendor didnt formally inform me about the patch. Greetings to Ajit, Chi, Xin, Linlin and all guys in India & US Nevis Labs Reference: 1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html 2. http://docs.info.apple.com/article.html?artnum=303752 -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?"