<<< Date Index >>>     <<< Thread Index >>>

[Reversemode Advisory] Apple Quicktime Color ID remote heap corruption



APPLE QUICKTIME
COLOR TABLE ID REMOTE HEAP CORRUPTION

Rubén Santamarta <ruben@xxxxxxxxxxxxxxx>
        
Affected products and/or platforms:
 Mac OS X v10.3.9 and later
 Windows Vista
 Windows XP
 Windows 2000

Color table ID
A 16-bit integer that identifies which color table to use. If this field
is set  to –1, the default color table should be used for the specified
depth. For all depths below 16 bits per pixel, this indicates astandard
Macintosh color table for the specified depth. Depths of 16, 24, and 32
have no color table.
If the color table ID is set to 0, a color table is contained within the
sample description itself. The color table immediately follows the Color
table ID field in the sample description.

Module: Quicktime.qts   Version: 7.1.3
.text:670BA43E       cmp     word ptr [eax+54h], 0      ;Color table ?
.text:670BA443       jnz     loc_670BA519
.text:670BA449       push    ebx
.text:670BA44A       mov     bx, [eax+5Ch]              ;num of entries
.text:670BA44E       push    0
.text:670BA450       push    esi
.text:670BA451       call    sub_668B57C0
.text:670BA456       add     esp, 8
.text:670BA459       cmp     eax, 56h                   ;ERROR CODE
.text:670BA45C       jnz     short loc_670BA46A

.text:670BA46A loc_670BA46A:                           ; CODE XREF:
sub_670BA2E0+17C#j
.text:670BA46A                 mov     al, [esp+8+arg_4]
.text:670BA46E                 test    al, al
.text:670BA470                 jnz     short loc_670BA47A
.text:670BA472                 movzx   cx, bh
.text:670BA476                 mov     ch, bl
.text:670BA478                 mov     ebx, ecx
.text:670BA47A
{...}
.text:670BA4C7
.text:670BA4C7 loc_670BA4C7:                           ; CODE XREF:
sub_670BA2E0+235#j
.text:670BA4C7                 mov     ecx, [esi]       ; byte swapping...
.text:670BA4C9                 lea     edi, [ecx+eax*8+5Eh]
.text:670BA4CD                 mov     cx, [edi]
.text:670BA4D0                 movzx   bx, ch
.text:670BA4D4                 mov     bh, cl
.text:670BA4D6                 inc     edx
.text:670BA4D7                 mov     [edi], bx
.text:670BA4DA                 mov     ecx, [esi]
.text:670BA4DC                 lea     edi, [ecx+eax*8+60h]
.text:670BA4E0                 mov     cx, [edi]
.text:670BA4E3                 movzx   bx, ch
.text:670BA4E7                 mov     bh, cl
.text:670BA4E9                 mov     [edi], bx
.text:670BA4EC                 mov     ecx, [esi]
.text:670BA4EE                 lea     edi, [ecx+eax*8+62h]
.text:670BA4F2                 mov     cx, [edi]
.text:670BA4F5                 movzx   bx, ch
.text:670BA4F9                 mov     bh, cl
.text:670BA4FB                 mov     [edi], bx
.text:670BA4FE                 mov     ecx, [esi]
.text:670BA500                 lea     eax, [ecx+eax*8+64h]
.text:670BA504                 mov     cx, [eax]
.text:670BA507                 movzx   bx, ch
.text:670BA50B                 mov     bh, cl
.text:670BA50D                 mov     [eax], bx
.text:670BA510                 movsx   eax, dx
.text:670BA513                 cmp     eax, ebp      ;(i < numofentries)
.text:670BA515                 jl      short loc_670BA4C7

“Unless otherwise stated, all data in a QuickTime movie is stored in
big-endian (Motorola) byte ordering.”

poc.mov       _____                   _____     
00000640h: 18 00 00 00 00 00 21 66 66 01 66 00 00 00 00 80 ;

00 00  => COLOR TABLE ID    (WORD)
01 66  => number of entries (WORD)



We can corrupt the adjacent memory of the affected heap chunk. The
amount of heap memory that will be corrupted is limited by “number of
entries”, as we can see above that value is controlled.

Successful exploitation can lead to a remote code execution within the
user's logged context.

Attack Vectors

        Quicktime Plugin – IE,Firefox...
        Quicktime Player


Exploits
No exploits are released.

References:
http://docs.info.apple.com/article.html?artnum=305149
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=486
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=46
(PDF)