Apple Quicktime Invalid URL Atom Size Denial of Service Vulnerability

2015-08-13T00:00:00
ID TALOS-2015-0012
Type talos
Reporter Talos Intelligence
Modified 2015-08-13T00:00:00

Description

Talos Vulnerability Report

TALOS-2015-0012

Apple Quicktime Invalid URL Atom Size Denial of Service Vulnerability

August 13, 2015

CVE Number

CVE-2015-3788

Description

An exploitable denial of service vulnerability exists in Apple Quicktime. An attacker who can control the size of a "url" atom in a mov media file can cause an undersized allocation leading to an out-of-bounds read. Since the allocation only contains data already from the file, the impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable

Product URLs

<https://www.apple.com/quicktime/>

Details

The function QuickTime!0x73aad0 is responsible for calculating the size of the data portion of a "url " atom:

    if ( atom_size >= 8 )
    {
    (...)
      if ( atom_size - 12 >= 0 )
      {
        *(_DWORD *)v6 = 0;
        sub_6718E230(v5, v6, atom_size - 12);   // allocates atom_size - 12 bytes for the atom data
      }

The atom size must be at least 8 bytes, and the size of the data allocation is computed by subtracting 12 from it. The only check on the result is that it is not negative, so a "url " atom whose declared size is exactly 12 passes both checks and produces an allocation holding 0 bytes of data.

The function QuickTimeStreaming!0x8b2e0 is responsible for processing the url atom data. A NUL-terminated string is expected, but a pointer to the data is passed directly to strlen() to determine the string length, with no bound derived from the allocation size:

    v1 = strlen(atom_data);   // unbounded scan of attacker-sized data that may lack a NUL
    v2 = 0;
    if ( (signed int)(v1 - 1) <= 0 )
    {

The problem occurs when a "url " atom carries 0 bytes of data, or when the data it carries is not NUL-terminated. In both cases strlen() scans past the end of the allocation until it happens to find a zero byte or reaches unmapped memory, resulting in the out-of-bounds read shown in the crash below.
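The following C program is an added illustration of the two steps described above (the size - 12 allocation and the unbounded strlen()); it is not code from the advisory or from QuickTime. It assumes the "url " atom layout implied by the arithmetic (4-byte big-endian size, 4-byte type, 4 further bytes, then the string) and that the size comparison is signed, since the pseudocode does not show the type. The three atoms are constructed samples. Instead of letting strlen() run into undefined behaviour, the emulation places a run of non-NUL bytes after the data allocation so the over-read is measurable, and a hardened parser is shown beside it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed "url " atom layout: 4-byte big-endian size, 4-byte type, 4 further
 * bytes (hence data = size - 12), then the URL string. Constructed samples. */
static const uint8_t ATOM_EMPTY[] = {          /* size 12: zero bytes of data */
    0, 0, 0, 12, 'u', 'r', 'l', ' ', 0, 0, 0, 0 };
static const uint8_t ATOM_UNTERMINATED[] = {   /* 8 data bytes, no NUL */
    0, 0, 0, 20, 'u', 'r', 'l', ' ', 0, 0, 0, 0,
    'h', 't', 't', 'p', ':', '/', '/', 'x' };
static const uint8_t ATOM_GOOD[] = {           /* 8 data bytes plus a NUL */
    0, 0, 0, 21, 'u', 'r', 'l', ' ', 0, 0, 0, 0,
    'h', 't', 't', 'p', ':', '/', '/', 'x', 0 };

#define NEIGHBOUR_BYTES 32  /* non-NUL bytes placed right after the data allocation */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Size computation as in the advisory: accept size >= 8, allocate size - 12.
 * Returns the data length, or -1 where the advisory's checks would reject the atom.
 * Signed comparison is an assumption (the pseudocode does not show the type). */
static long vulnerable_data_len(const uint8_t *atom, size_t avail) {
    if (avail < 12) return -1;
    int32_t atom_size = (int32_t)be32(atom);
    if (atom_size < 8) return -1;
    if (atom_size - 12 < 0) return -1;
    if ((size_t)atom_size > avail) return -1;    /* keep the emulation inside the sample */
    return atom_size - 12;                       /* 0 for ATOM_EMPTY */
}

/* Emulates the unbounded strlen(atom_data): the data is copied into a heap buffer
 * followed by NEIGHBOUR_BYTES of 'A' and a final NUL, so a scan that leaves the
 * allocation is measurable instead of undefined (in the player it runs until it
 * finds a zero byte or faults on an unmapped page, as in the crash dump).
 * Returns how many bytes past the allocation the scan read. */
size_t overread_bytes(const uint8_t *atom, size_t avail) {
    long len = vulnerable_data_len(atom, avail);
    if (len < 0) return 0;
    size_t data_len = (size_t)len;
    uint8_t *buf = malloc(data_len + NEIGHBOUR_BYTES + 1);
    if (!buf) return 0;
    memcpy(buf, atom + 12, data_len);
    memset(buf + data_len, 'A', NEIGHBOUR_BYTES);
    buf[data_len + NEIGHBOUR_BYTES] = '\0';
    size_t scanned = strlen((const char *)buf);   /* the vulnerable call */
    free(buf);
    return scanned > data_len ? scanned - data_len : 0;
}

/* Hardened parser: reject atoms with no data and bound the terminator search to the
 * allocation instead of trusting the file to supply a NUL. Returns the URL length
 * (without the NUL) or -1. */
long safe_url_len(const uint8_t *atom, size_t avail) {
    if (avail < 12) return -1;
    uint32_t atom_size = be32(atom);
    if (atom_size < 12 || atom_size > avail) return -1;
    if (memcmp(atom + 4, "url ", 4) != 0) return -1;
    size_t data_len = atom_size - 12;
    if (data_len == 0) return -1;                         /* the zero-length case */
    const uint8_t *nul = memchr(atom + 12, '\0', data_len);
    if (nul == NULL) return -1;                           /* not terminated inside the atom */
    return (long)(nul - (atom + 12));
}

int main(void) {
    printf("empty atom: %zu bytes read past the allocation\n",
           overread_bytes(ATOM_EMPTY, sizeof ATOM_EMPTY));
    printf("unterminated atom: %zu bytes read past the allocation\n",
           overread_bytes(ATOM_UNTERMINATED, sizeof ATOM_UNTERMINATED));
    printf("terminated atom: %zu past, safe parser length %ld\n",
           overread_bytes(ATOM_GOOD, sizeof ATOM_GOOD),
           safe_url_len(ATOM_GOOD, sizeof ATOM_GOOD));
    return 0;
}
```

Both malformed atoms make the emulated scan run the full 32 bytes into the neighbouring region, while the hardened parser rejects them and accepts only the terminated one; the size check in the hardened version also closes the size-12 case that the original `>= 0` comparison lets through.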

Crash Information

    eax=00000001 ebx=0027c8b4 ecx=00000000 edx=00000004 esi=20257000 edi=20257001
    eip=6931b482 esp=0027c74c ebp=20257000 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
    QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x18172:
    6931b482 8a16            mov     dl,byte ptr [esi]          ds:0023:20257000=??

    STACK_TEXT:
    0013c3ec 68a0b4fb 20fc5000 208a0d6e 689e2c45 QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x18172
    0013c3f8 689e2c45 20fc5000 208a0d6e 208a0d6e QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x181eb
    0013c414 698e368a 208a0da2 208a0d6e 0013c4e4 QuickTimeStreaming!InetDHComponentDispatch+0x14a5
    00000000 00000000 00000000 00000000 00000000 QuickTime!CallComponentFunctionWithStorage+0x4a

Credit

Ryan Pentney and Richard Johnson of Cisco Talos

