[Reversemode Advisory] Apple Quicktime Color ID remote heap corruption


APPLE QUICKTIME COLOR TABLE ID REMOTE HEAP CORRUPTION

Rubén Santamarta <ruben@reversemode.com>

Affected products and/or platforms:

Mac OS X v10.3.9 and later
Windows Vista
Windows XP
Windows 2000

Color table ID

A 16-bit integer that identifies which color table to use. If this field is set to -1, the default color table should be used for the specified depth. For all depths below 16 bits per pixel, this indicates a standard Macintosh color table for the specified depth. Depths of 16, 24, and 32 have no color table. If the color table ID is set to 0, a color table is contained within the sample description itself. The color table immediately follows the Color table ID field in the sample description.

Module: Quicktime.qts
Version: 7.1.3

.text:670BA43E                 cmp     word ptr [eax+54h], 0   ; Color table ID == 0 ? (table embedded in the sample description)
.text:670BA443                 jnz     loc_670BA519
.text:670BA449                 push    ebx
.text:670BA44A                 mov     bx, [eax+5Ch]           ; num of entries, read raw from the file
.text:670BA44E                 push    0
.text:670BA450                 push    esi
.text:670BA451                 call    sub_668B57C0
.text:670BA456                 add     esp, 8
.text:670BA459                 cmp     eax, 56h                ; ERROR CODE
.text:670BA45C                 jnz     short loc_670BA46A
.text:670BA46A
.text:670BA46A loc_670BA46A:                           ; CODE XREF: sub_670BA2E0+17C↑j
.text:670BA46A                 mov     al, [esp+8+arg_4]
.text:670BA46E                 test    al, al
.text:670BA470                 jnz     short loc_670BA47A
.text:670BA472                 movzx   cx, bh                  ; byte-swap the 16-bit count
.text:670BA476                 mov     ch, bl
.text:670BA478                 mov     ebx, ecx
.text:670BA47A {...}
.text:670BA4C7
.text:670BA4C7 loc_670BA4C7:                           ; CODE XREF: sub_670BA2E0+235↓j
.text:670BA4C7                 mov     ecx, [esi]              ; byte swapping...
.text:670BA4C9                 lea     edi, [ecx+eax*8+5Eh]    ; entry i = base + 5Eh + i*8, four words
.text:670BA4CD                 mov     cx, [edi]
.text:670BA4D0                 movzx   bx, ch
.text:670BA4D4                 mov     bh, cl
.text:670BA4D6                 inc     edx
.text:670BA4D7                 mov     [edi], bx               ; swapped word written back in place
.text:670BA4DA                 mov     ecx, [esi]
.text:670BA4DC                 lea     edi, [ecx+eax*8+60h]
.text:670BA4E0                 mov     cx, [edi]
.text:670BA4E3                 movzx   bx, ch
.text:670BA4E7                 mov     bh, cl
.text:670BA4E9                 mov     [edi], bx
.text:670BA4EC                 mov     ecx, [esi]
.text:670BA4EE                 lea     edi, [ecx+eax*8+62h]
.text:670BA4F2                 mov     cx, [edi]
.text:670BA4F5                 movzx   bx, ch
.text:670BA4F9                 mov     bh, cl
.text:670BA4FB                 mov     [edi], bx
.text:670BA4FE                 mov     ecx, [esi]
.text:670BA500                 lea     eax, [ecx+eax*8+64h]
.text:670BA504                 mov     cx, [eax]
.text:670BA507                 movzx   bx, ch
.text:670BA50B                 mov     bh, cl
.text:670BA50D                 mov     [eax], bx
.text:670BA510                 movsx   eax, dx
.text:670BA513                 cmp     eax, ebp                ; (i < numofentries)
.text:670BA515                 jl      short loc_670BA4C7

"Unless otherwise stated, all data in a QuickTime movie is stored in big-endian (Motorola) byte ordering."

poc.mov

00000640h: 18 00 00 00 00 00 21 66 66 01 66 00 00 00 00 80

00 00 => COLOR TABLE ID (WORD)
01 66 => number of entries (WORD)

When the color table ID is 0, the loop above byte-swaps, in place, every 8-byte color entry that follows the table header, starting at offset 5Eh of the sample description. Its bound is the 16-bit "number of entries" field taken straight from the file; nothing compares that count against the size of the heap chunk that holds the sample description. A large value therefore drives the read-swap-write loop past the end of the chunk and corrupts the adjacent heap memory. The amount of heap memory corrupted is limited only by "number of entries", and as the dump shows that value is attacker-controlled.

Successful exploitation can lead to remote code execution in the context of the logged-on user.

Attack Vectors

Quicktime Plugin - IE, Firefox...
Quicktime Player

Exploits

No exploits are released.

References:

http://docs.info.apple.com/article.html?artnum=305149
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=486
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=46 (PDF)
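The C program below is an added example; it is not part of the original advisory and not Apple's code. It models the part of the video sample description that the disassembly walks (color table ID at 54h, ctSize at 5Ch, 8-byte entries from 5Eh, each four big-endian words: value, r, g, b) and shows the check the byte-swap loop is missing: the entry count is bounded by the bytes actually present in the buffer before anything is swapped in place. It also computes how far past the buffer the unchecked loop would reach for a given count. The macro names, the status codes, the build_sd() helper and the sample buffers are constructed for this example. The count is taken as ctSize + 1, which is how the QuickTime File Format spec defines the zero-relative field; the advisory's listing labels the field "num of entries" and elides how the loop bound in ebp is derived from it, so bounding on ctSize + 1 is conservative under either reading.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets inside a QuickTime video sample description, from the
   QuickTime File Format spec; they match the [eax+54h], [eax+5Ch] and
   [ecx+eax*8+5Eh] displacements in the disassembly above. */
#define SD_COLOR_TABLE_ID 0x54  /* int16: 0 = table embedded here, -1 = default table */
#define SD_CT_SEED        0x56  /* uint32, must be 0 */
#define SD_CT_FLAGS       0x5A  /* uint16, must be 0x8000 */
#define SD_CT_SIZE        0x5C  /* uint16, zero-relative: entries = ctSize + 1 */
#define SD_CT_ENTRIES     0x5E  /* entries start here: 4 x uint16 (value, r, g, b) */
#define CT_ENTRY_BYTES    8

/* Status codes are this example's own, not QuickTime's error values. */
typedef enum { CT_OK = 0, CT_NO_TABLE = 1, CT_TOO_SHORT = 2, CT_TRUNCATED = 3 } ct_status;

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16be(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Entry count the file claims (0 when no table is embedded or the header is cut off). */
size_t ct_claimed_entries(const uint8_t *sd, size_t len)
{
    if (len < SD_CT_ENTRIES || rd16be(sd + SD_COLOR_TABLE_ID) != 0) return 0;
    return (size_t)rd16be(sd + SD_CT_SIZE) + 1;
}

/* Bytes past the end of the sample description that the unchecked swap loop
   in the disassembly would read and write for this input (0 = stays in bounds). */
size_t ct_overrun_bytes(const uint8_t *sd, size_t len)
{
    size_t end = SD_CT_ENTRIES + ct_claimed_entries(sd, len) * CT_ENTRY_BYTES;
    return end > len ? end - len : 0;
}

/* Hardened in-place byte swap of the colour entries: the loop is bounded by
   the entries that actually fit in the buffer, not by the count from the file. */
ct_status ct_swap_entries_checked(uint8_t *sd, size_t len, size_t *entries_out)
{
    *entries_out = 0;
    if (len < SD_CT_ENTRIES) return CT_TOO_SHORT;              /* header cut off */
    if (rd16be(sd + SD_COLOR_TABLE_ID) != 0) return CT_NO_TABLE;
    size_t n = (size_t)rd16be(sd + SD_CT_SIZE) + 1;
    size_t room = (len - SD_CT_ENTRIES) / CT_ENTRY_BYTES;      /* entries present */
    if (n > room) return CT_TRUNCATED;                         /* the missing check */
    for (size_t i = 0; i < n; i++) {
        uint8_t *e = sd + SD_CT_ENTRIES + i * CT_ENTRY_BYTES;
        for (int w = 0; w < 4; w++) {                          /* value, r, g, b */
            uint8_t t = e[2 * w]; e[2 * w] = e[2 * w + 1]; e[2 * w + 1] = t;
        }
    }
    *entries_out = n;
    return CT_OK;
}

/* Constructed input (not a real movie): a sample description carrying
   `present` real entries while its ctSize field advertises `ct_size`. */
size_t build_sd(uint8_t *buf, size_t cap, uint16_t ct_id, uint16_t ct_size, size_t present)
{
    size_t len = SD_CT_ENTRIES + present * CT_ENTRY_BYTES;
    if (len > cap) return 0;
    memset(buf, 0, len);                                       /* seed = 0, value words = 0 */
    wr16be(buf + SD_COLOR_TABLE_ID, ct_id);
    wr16be(buf + SD_CT_FLAGS, 0x8000);
    wr16be(buf + SD_CT_SIZE, ct_size);
    for (size_t i = 0; i < present; i++) {
        uint8_t *e = buf + SD_CT_ENTRIES + i * CT_ENTRY_BYTES;
        wr16be(e + 2, (uint16_t)(0x1000 * (i + 1)));           /* red   */
        wr16be(e + 4, (uint16_t)(0x0100 * (i + 1)));           /* green */
        wr16be(e + 6, (uint16_t)(0x0010 * (i + 1)));           /* blue  */
    }
    return len;
}

int main(void)
{
    uint8_t sd[256];
    size_t n, len;
    ct_status st;

    len = build_sd(sd, sizeof sd, 0, 1, 2);          /* honest: ctSize 1 -> 2 entries present */
    st = ct_swap_entries_checked(sd, len, &n);
    printf("honest table:    status %d, %zu entries swapped, overrun %zu bytes\n",
           (int)st, n, ct_overrun_bytes(sd, len));

    len = build_sd(sd, sizeof sd, 0, 0x0166, 2);     /* poc-style: ctSize 0166h, still 2 entries present */
    st = ct_swap_entries_checked(sd, len, &n);
    printf("poc-style table: status %d, %zu entries swapped, overrun %zu bytes\n",
           (int)st, n, ct_overrun_bytes(sd, len));
    return 0;
}
```

The second case is the shape of the advisory's PoC: a 110-byte sample description whose ctSize field promises hundreds of entries. ct_overrun_bytes() reports how far beyond the buffer the original loop would have swapped words (several kilobytes here), while ct_swap_entries_checked() refuses the table without touching a single entry. The same check belongs wherever a count read from the file is used to index a heap chunk whose size was fixed from a different field.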