Apple QuickTime QTVRStringAtom stringLength Parameter QTVR Movie File Handling

2012-07-16T00:00:00
ID SAINT:3FDBEBE262DB58F4E29A8BF741CE4802
Type saint
Reporter SAINT Corporation
Modified 2012-07-16T00:00:00

Description

Added: 07/16/2012
CVE: CVE-2012-0667
BID: 53583
OSVDB: 81938

Background

QuickTime is a media player for Windows and Mac OS platforms.

Problem

Apple QuickTime 7.7.1 and earlier versions are vulnerable to remote code execution if the user is persuaded to open a specially crafted QTVR movie file. The flaw is in the QuickTimeVR.qtx component, which fails to properly check the stringLength parameter when processing a QTVRStringAtom. The result is an integer signedness error that leads to a buffer overflow. Successful exploitation could allow a remote attacker to run arbitrary code in the context of the affected user.
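The class of bug described above, shown as an added example that is not code from QuickTime or from this advisory: a length check that holds the field in a signed type, next to a hardened parse that keeps it unsigned and bounds it twice. The atom layout (2-byte usage, 2-byte big-endian length, then the string bytes), the buffer size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STR_CAP 64  /* destination buffer size; constructed value */

/* Read a big-endian 16-bit field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Flawed pattern: the length is held in a signed type, so values
 * 0x8000..0xFFFF become negative and pass an upper-bound-only test.
 * Returns 1 if the check would let a copy proceed. No copy is done here. */
int flawed_check_passes(const uint8_t *len_field)
{
    int16_t len = (int16_t)be16(len_field);
    return len <= (int16_t)STR_CAP;
}

/* Hardened parse: keep the length unsigned and bound it by both the
 * destination capacity and the bytes actually present in the atom.
 * Returns the number of bytes copied, or -1 if the atom is rejected. */
int copy_string_atom(const uint8_t *atom, size_t atom_len, char out[STR_CAP])
{
    if (atom_len < 4) return -1;          /* header: usage + length (assumed layout) */
    size_t len = be16(atom + 2);          /* unsigned, can never go negative */
    if (len >= STR_CAP) return -1;        /* leave room for the terminator */
    if (len > atom_len - 4) return -1;    /* do not read past the atom */
    memcpy(out, atom + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample atoms: one well-formed, one declaring length 0xFFFF. */
static const uint8_t good_atom[] = { 0x00, 0x01, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t bad_atom[]  = { 0x00, 0x01, 0xFF, 0xFF, 'a', 'b', 'c' };

int main(void)
{
    char out[STR_CAP];
    int ok  = copy_string_atom(good_atom, sizeof good_atom, out);
    int bad = copy_string_atom(bad_atom, sizeof bad_atom, out);
    /* Exit status 0 when the hardened parse rejects what the flawed check accepts. */
    return !(ok == 3 && bad == -1 && flawed_check_passes(bad_atom + 2));
}
```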

Resolution

Upgrade to QuickTime 7.7.2 or higher.

References

<http://support.apple.com/kb/HT5261>
<http://www.zerodayinitiative.com/advisories/ZDI-12-077/>

Limitations

This exploit was tested against Apple QuickTime 7.7.1 on Windows XP SP3 English (DEP OptIn).

The user must open the HTML exploit file in Internet Explorer 8.

Platforms

Windows