[EEYEB-20051031] Apple QuickTime Malformed GIF Heap Overflow
EEYEB-20051031 Apple QuickTime Malformed GIF Heap Overflow
Release Date:
January 10, 2006
Date Reported:
October 31, 2005
Severity:
High (Code Execution)
Patch Development Time (In Days):
71 Days
Severity:
High (Code Execution)
Vendor:
Apple
Systems Affected:
Quicktime on Windows 2000
Quicktime on Windows XP
Quicktime on Mac OS X 10.3.9
Apple iTunes on Windows 2000
Apple iTunes on Windows XP
Apple iTunes on OS X 10.3.9
Overview:
eEye Digital Security has discovered a critical heap overflow in the Apple
Quicktime player that allows for the execution of arbitrary code via a
maliciously crafted GIF file.
This flaw has proven to allow for reliable control of data on the heap chunk
and can be exploited via a web site by using ActiveX controls.
Technical Details:
When Quicktime processes the Netscape Navigator Application Extension Block of
a gif file, it does not perform proper bounds checking, so it will allocate
memory without checking the heap size. The heap can be overwritten in the
Picture Modifier block.
The block size calculate code such as:
.text:66A339CC mov ax, [esi+0Ch]
.text:66A339D0 xor ecx, ecx
.text:66A339D2 mov [esp+34h+var_28], ecx
.text:66A339D6 mov [esp+34h+var_24], ecx
.text:66A339DA mov [esp+34h+var_20], ecx
.text:66A339DE mov [esp+34h+var_1C], ecx
.text:66A339E2 mov word ptr [esp+34h+var_10], cx
.text:66A339E7 mov [esp+34h+arg_4], eax
.text:66A339EB movsx eax, ax
.text:66A339EE mov word ptr [esp+34h+var_10+2], cx
.text:66A339F3 mov cx, [esi+8]
.text:66A339F7 movsx edx, cx
.text:66A339FA sub eax, edx
.text:66A339FC movsx edx, word ptr [esi+6]
.text:66A33A00 add eax, 3Eh
.text:66A33A03 push edi
.text:66A33A04 movsx edi, word ptr [esi+0Ah]
.text:66A33A08 sar eax, 3
.text:66A33A0B lea ebx, [esi+6]
.text:66A33A0E and eax, 0FFFFFFFCh
.text:66A33A11 sub edi, edx
.text:66A33A13 movsx edx, ax
.text:66A33A16 mov [esi+4], ax
.text:66A33A1A imul edi, edx
The allocate code is :
.text:66A33A68 push edi
.text:66A33A69 call sub_668B5B30
But when it real process data to this memory, it use real decode data to write
this memory
but didn¡¯t check this heap size. This is segment of the write code
function(sub_66AE0A70):
.text:66AE0B18 movsx edx, word ptr [edi+12h] ; default
.text:66AE0B1C imul edx, [edi+0Ch]
.text:66AE0B20 mov ecx, [edi+4]
.text:66AE0B23 inc word ptr [edi+16h]
.text:66AE0B27 mov eax, [esp+arg_0]
.text:66AE0B2B add edx, ecx
.text:66AE0B2D mov [eax], edx
.text:66AE0B2F mov eax, [ebp+10h]
.text:66AE0B32 test eax, eax
.text:66AE0B34 jz short loc_66AE0B62
.text:66AE0B36 mov ax, [ebp+1Ch]
.text:66AE0B3A mov edx, [ebp+0Ch]
.text:66AE0B3D movzx cx, ah
.text:66AE0B41 mov ch, al
.text:66AE0B43 mov [edx], cx
.text:66AE0B46 movsx eax, word ptr [edi+12h]
.text:66AE0B4A imul eax, [ebp+14h]
.text:66AE0B4E add eax, [ebp+10h]
.text:66AE0B51 mov cx, [ebp+18h]
.text:66AE0B55 mov [ebp+0Ch], eax
.text:66AE0B58 mov [ebp+1Ah], cx
.text:66AE0B5C mov word ptr [ebp+1Ch], 0
Vendor Status:
Apple has released a patch for this vulnerability. The patch is available via
the Updates section of the affected applications.
This vulnerability has been assigned the CVE identifier CVE-2005-2340.
Credit:
Fang Xing
Greetings:
eEye Research and especially Hugo for all his help
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any other
medium excluding electronic medium, please email alert@xxxxxxxx for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk.