Advisories
11/01/06, 20:15
EEYEB-20051031 Apple QuickTime Malformed GIF Heap Overflow
Release Date:
January 10, 2006
Date Reported:
October 31, 2005
Severity:
High (Code Execution)
Patch Development Time (In Days):
71 Days
Severity:
High (Code Execution)
Vendor:
Apple
Systems Affected:
Quicktime on Windows 2000
Quicktime on Windows XP
Quicktime on Mac OS X 10.3.9
Apple iTunes on Windows 2000
Apple iTunes on Windows XP
Apple iTunes on OS X 10.3.9
Overview:
eEye Digital Security has discovered a critical heap overflow in the =
Apple Quicktime player that allows for the execution of arbitrary code =
via a maliciously crafted GIF file.
This flaw has proven to allow for reliable control of data on the heap =
chunk and can be exploited via a web site by using ActiveX controls.
Technical Details:
When Quicktime processes the Netscape Navigator Application Extension =
Block of a gif file, it does not perform proper bounds checking, so it =
will allocate memory without checking the heap size. The heap can be =
overwritten in the Picture Modifier block. =20
The block size calculate code such as:
..text:66A339CC mov ax, [esi+0Ch]
..text:66A339D0 xor ecx, ecx
..text:66A339D2 mov [esp+34h+var_28], ecx
..text:66A339D6 mov [esp+34h+var_24], ecx
..text:66A339DA mov [esp+34h+var_20], ecx
..text:66A339DE mov [esp+34h+var_1C], ecx
..text:66A339E2 mov word ptr [esp+34h+var_10], cx
..text:66A339E7 mov [esp+34h+arg_4], eax
..text:66A339EB movsx eax, ax
..text:66A339EE mov word ptr [esp+34h+var_10+2], cx
..text:66A339F3 mov cx, [esi+8]
..text:66A339F7 movsx edx, cx
..text:66A339FA sub eax, edx
..text:66A339FC movsx edx, word ptr [esi+6]
..text:66A33A00 add eax, 3Eh
..text:66A33A03 push edi
..text:66A33A04 movsx edi, word ptr [esi+0Ah]
..text:66A33A08 sar eax, 3
..text:66A33A0B lea ebx, [esi+6]
..text:66A33A0E and eax, 0FFFFFFFCh
..text:66A33A11 sub edi, edx
..text:66A33A13 movsx edx, ax
..text:66A33A16 mov [esi+4], ax
..text:66A33A1A imul edi, edx
The allocate code is :
..text:66A33A68 push edi
..text:66A33A69 call sub_668B5B30
But when it real process data to this memory, it use real decode data to =
write this memory=20
but didn=A1=AFt check this heap size. This is segment of the write code =
function(sub_66AE0A70):
..text:66AE0B18 movsx edx, word ptr [edi+12h] ; default
..text:66AE0B1C imul edx, [edi+0Ch]
..text:66AE0B20 mov ecx, [edi+4]
..text:66AE0B23 inc word ptr [edi+16h]
..text:66AE0B27 mov eax, [esp+arg_0]
..text:66AE0B2B add edx, ecx
..text:66AE0B2D mov [eax], edx
..text:66AE0B2F mov eax, [ebp+10h]
..text:66AE0B32 test eax, eax
..text:66AE0B34 jz short loc_66AE0B62
..text:66AE0B36 mov ax, [ebp+1Ch]
..text:66AE0B3A mov edx, [ebp+0Ch]
..text:66AE0B3D movzx cx, ah
..text:66AE0B41 mov ch, al
..text:66AE0B43 mov [edx], cx
..text:66AE0B46 movsx eax, word ptr [edi+12h]
..text:66AE0B4A imul eax, [ebp+14h]
..text:66AE0B4E add eax, [ebp+10h]
..text:66AE0B51 mov cx, [ebp+18h]
..text:66AE0B55 mov [ebp+0Ch], eax
..text:66AE0B58 mov [ebp+1Ah], cx
..text:66AE0B5C mov word ptr [ebp+1Ch], 0
Vendor Status:
Apple has released a patch for this vulnerability. The patch is =
available via the Updates section of the affected applications.
This vulnerability has been assigned the CVE identifier CVE-2005-2340.
Credit:
Fang Xing
Greetings:
eEye Research and especially Hugo for all his help
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert =
electronically. It is not to be edited in any way without express =
consent of eEye. If you wish to reprint the whole or any part of this =
alert in any other medium excluding electronic medium, please email =
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of =
this information constitutes acceptance for use in an AS IS condition. =
There are no warranties, implied or express, with regard to this =
information. In no event shall the author be liable for any direct or =
indirect damages whatsoever arising out of or in connection with the use =
or spread of this information. Any use of this information is at the =
user's own risk.
Release Date:
January 10, 2006
Date Reported:
October 31, 2005
Severity:
High (Code Execution)
Patch Development Time (In Days):
71 Days
Severity:
High (Code Execution)
Vendor:
Apple
Systems Affected:
Quicktime on Windows 2000
Quicktime on Windows XP
Quicktime on Mac OS X 10.3.9
Apple iTunes on Windows 2000
Apple iTunes on Windows XP
Apple iTunes on OS X 10.3.9
Overview:
eEye Digital Security has discovered a critical heap overflow in the =
Apple Quicktime player that allows for the execution of arbitrary code =
via a maliciously crafted GIF file.
This flaw has proven to allow for reliable control of data on the heap =
chunk and can be exploited via a web site by using ActiveX controls.
Technical Details:
When Quicktime processes the Netscape Navigator Application Extension =
Block of a gif file, it does not perform proper bounds checking, so it =
will allocate memory without checking the heap size. The heap can be =
overwritten in the Picture Modifier block. =20
The block size calculate code such as:
..text:66A339CC mov ax, [esi+0Ch]
..text:66A339D0 xor ecx, ecx
..text:66A339D2 mov [esp+34h+var_28], ecx
..text:66A339D6 mov [esp+34h+var_24], ecx
..text:66A339DA mov [esp+34h+var_20], ecx
..text:66A339DE mov [esp+34h+var_1C], ecx
..text:66A339E2 mov word ptr [esp+34h+var_10], cx
..text:66A339E7 mov [esp+34h+arg_4], eax
..text:66A339EB movsx eax, ax
..text:66A339EE mov word ptr [esp+34h+var_10+2], cx
..text:66A339F3 mov cx, [esi+8]
..text:66A339F7 movsx edx, cx
..text:66A339FA sub eax, edx
..text:66A339FC movsx edx, word ptr [esi+6]
..text:66A33A00 add eax, 3Eh
..text:66A33A03 push edi
..text:66A33A04 movsx edi, word ptr [esi+0Ah]
..text:66A33A08 sar eax, 3
..text:66A33A0B lea ebx, [esi+6]
..text:66A33A0E and eax, 0FFFFFFFCh
..text:66A33A11 sub edi, edx
..text:66A33A13 movsx edx, ax
..text:66A33A16 mov [esi+4], ax
..text:66A33A1A imul edi, edx
The allocate code is :
..text:66A33A68 push edi
..text:66A33A69 call sub_668B5B30
But when it real process data to this memory, it use real decode data to =
write this memory=20
but didn=A1=AFt check this heap size. This is segment of the write code =
function(sub_66AE0A70):
..text:66AE0B18 movsx edx, word ptr [edi+12h] ; default
..text:66AE0B1C imul edx, [edi+0Ch]
..text:66AE0B20 mov ecx, [edi+4]
..text:66AE0B23 inc word ptr [edi+16h]
..text:66AE0B27 mov eax, [esp+arg_0]
..text:66AE0B2B add edx, ecx
..text:66AE0B2D mov [eax], edx
..text:66AE0B2F mov eax, [ebp+10h]
..text:66AE0B32 test eax, eax
..text:66AE0B34 jz short loc_66AE0B62
..text:66AE0B36 mov ax, [ebp+1Ch]
..text:66AE0B3A mov edx, [ebp+0Ch]
..text:66AE0B3D movzx cx, ah
..text:66AE0B41 mov ch, al
..text:66AE0B43 mov [edx], cx
..text:66AE0B46 movsx eax, word ptr [edi+12h]
..text:66AE0B4A imul eax, [ebp+14h]
..text:66AE0B4E add eax, [ebp+10h]
..text:66AE0B51 mov cx, [ebp+18h]
..text:66AE0B55 mov [ebp+0Ch], eax
..text:66AE0B58 mov [ebp+1Ah], cx
..text:66AE0B5C mov word ptr [ebp+1Ch], 0
Vendor Status:
Apple has released a patch for this vulnerability. The patch is =
available via the Updates section of the affected applications.
This vulnerability has been assigned the CVE identifier CVE-2005-2340.
Credit:
Fang Xing
Greetings:
eEye Research and especially Hugo for all his help
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert =
electronically. It is not to be edited in any way without express =
consent of eEye. If you wish to reprint the whole or any part of this =
alert in any other medium excluding electronic medium, please email =
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of =
this information constitutes acceptance for use in an AS IS condition. =
There are no warranties, implied or express, with regard to this =
information. In no event shall the author be liable for any direct or =
indirect damages whatsoever arising out of or in connection with the use =
or spread of this information. Any use of this information is at the =
user's own risk.