Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Apple Quicktime Memory Corruption when parsing FPX files CVE-2010-3801 INTRODUCTION Apple Quicktime is a "powerful media technology that works on Mac and PC with just about every popular video or audio format you come across. So you can play the digital media you want to play". Apple Quicktime is available as plugin to different browsers, and thus the vulnerability can be remotely triggered. QuickTime player does not properly parse .fpx media files, which causes a memory corruption by opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49. This problem was confirmed in the following versions of Apple Quicktime and browsers, other versions may be also affected. QuickTime Player version 7.6.8 (1675) in all Operating Systems QuickTime Player version 7.6.6 (1671) in all Operating Systems CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM The problem is triggered by PoC repro.fpx which causes invalid memory access in all the refered versions and is available to interested parties only. DETAILS Disassembly: 668E2387 F7C7 03000000 TEST EDI,3 668E238D 75 15 JNZ SHORT QuickT_1.668E23A4 668E238F C1E9 02 SHR ECX,2 668E2392 83E2 03 AND EDX,3 668E2395 83F9 08 CMP ECX,8 668E2398 72 2A JB SHORT QuickT_1.668E23C4 668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here EDI = 0x089A0020 ESI = 0x61626364 (3e8.e3c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020 eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 0:000> !exploitable Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17) This is a read access violation in a block data move, and is therefore classified as probably exploitable. CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense