NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2006-05

[Full-disclosure] Apple QuickTime udta ATOM Heap Overflow

From: Sowhat (smaillistgmail.com)
Date: Thu May 11 2006 - 22:05:10 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Apple QuickTime udta ATOM Heap Overflow

By Sowhat of Nevis Labs
Date: 2006.05.12

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060512.txt

Vendor:
Apple Inc.

Affected Versions:
Apple QuickTime versions < 7.1

Overview:
We have discovered a critical vulnerability in Quicktime Player.
The vulnerability allows an attacker to execute arbitrary code
in the context of the user who executes QuickTime.

This vulnerability can be exploited By persuading a user to open
a carefully crafted .mov files or visit a website embedding the
malicious .mov file.

Details:
This vulnerability exists in the way Quicktime process the "udta" Atom of
the .mov files.

The layout of a udta(user data atom) atom:

                           Bytes
   _______________________
  | User data atom |
  | Atom size | 4
  | Type = 'udta' | 4
  | |
  | User data list |
  | Atom size | 4
  | Type = user data types| 4
  | |
   -----------------------

By setting the value of the Atom size to a large value such as 0xFFFFFFFF,
an insufficiently-sized heap block will be allocated, and resulting in a
classic complete heap memory overwrite during the RtlAllocateHeap() function.

Vendor Response:

2006.05.06 Vendor notified via product-securityapple.com
2006.05.07 Vendor responded
2006.05.09 Vendor ask for more information
2006.05.11 Vendor released QuickTime 7.1
2006.05.12 Advisory released

Vendor was contacted in 05/06/2006, and they said:
"This message is being sent to you by a security analyst who has reviewed
your note. The issue is being investigated, and we appreciate the time
you have taken to report it to us. "

This vulnerability no longer exists in their new release(7.1),
However the vendor didnt formally inform me about the patch.

Greetings to Ajit, Chi, Xin, Linlin and all guys in India & US Nevis Labs

Reference:
1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html
2. http://docs.info.apple.com/article.html?artnum=303752

--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]