Security

    Apple QuickTime H.264 Integer Overflow Vulnerability

    Apple QuickTime H.264 Integer Overflow Vulnerability
    By Sowhat of Nevis Labs
    Date: 2006.09.12
    http://www.nevisnetworks.com
    CVE: CVE-2006-4381
    Vendor: Apple Inc.
    Affected Versions: Apple QuickTime versions < 7.1.3
    :
    By carefully crafting a corrupt H.264 movie, an attacker can trigger an
    integer overflow which may lead to an application crash or arbitrary code
    execution with the privileges of the user. The vulnerability therefore
    allows an attacker to execute arbitrary code in the context of the user
    who runs QuickTime.
    Details:
    This vulnerability exists in the way QuickTime processes H.264 content.
    Vulnerable code:
    QuickTimeH264.qtx.68169AC3
    .text:68169A63 and esp, 0FFFFFFF8h
    .text:68169A66 sub esp, 214h
    .text:68169A6C mov eax, dword_68323140
    .text:68169A71 mov edx, [ebp+arg_8]
    .text:68169A74 xor ecx, ecx
    .text:68169A76 mov [esp+214h+var_4], eax
    .text:68169A7D mov eax, [ebp+arg_0]
    .text:68169A80 mov cl, [eax+4]
    .text:68169A83 push ebx
    .text:68169A84 push esi
    .text:68169A85 push edi
    .text:68169A86 mov [esp+220h+var_20C], 0
    .text:68169A8E and ecx, 3
    .text:68169A91 inc ecx
    .text:68169A92 mov [edx], ecx
    .text:68169A94 mov cl, [eax+5]
    .text:68169A97 and cl, 1Fh
    .text:68169A9A cmp cl, 1
    .text:68169A9D jnz short loc_68169AEF
    .text:68169A9F mov cx, [eax+6]
    .text:68169AA3 movzx dx, ch
    .text:68169AA7 mov dh, cl
    .text:68169AA9 mov ecx, edx
    .text:68169AAB cmp cx, 100h            ; <-- cx = FFFF, which is user controllable
    .text:68169AB0 jg short loc_68169AEF   ; <-- should be "ja"
    .text:68169AB2 movsx edx, cx
    .text:68169AB5 mov ecx, edx
    .text:68169AB7 mov ebx, ecx            ; <-- ecx = 0xFFFFFFFF
    .text:68169AB9 shr ecx, 2
    .text:68169ABC lea esi, [eax+8]
    .text:68169ABF lea edi, [esp+220h+var_208]
    .text:68169AC3 rep movsd               ; <-- do memory copy
    .text:68169AC5 mov ecx, ebx
    .text:68169AC7 and ecx, 3
    .text:68169ACA rep movsb
    .text:68169ACC mov cl, [edx+eax+8]
    .text:68169AD0 lea esi, [edx+8]
    .text:68169AD3 inc esi
    .text:68169AD4 cmp cl, 1
    .text:68169AD7 jnz short loc_68169AEF
    .text:68169AD9 mov cx, [esi+eax]
    .text:68169ADD movzx bx, ch
    .text:68169AE1 mov bh, cl
    .text:68169AE3 add esi, 2
    .text:68169AE6 mov ecx, ebx
    .text:68169AE8 cmp cx, 100h
    .text:68169AED jle short loc_68169B07
    This vulnerability can be exploited by persuading a user to open
    a carefully crafted .mov file or to visit a website embedding the
    malicious .mov file.
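    The following C model of the length check in the listing above is an added example, not QuickTime's code or the advisory author's: it places the signed-compare-plus-sign-extension mistake (cmp/jg followed by movsx) beside a corrected unsigned check, and runs both over constructed records laid out the way the listing reads them (byte 5 low bits compared with 1, a big-endian 16-bit length at bytes 6..7). STACK_BUF_SIZE, the record contents and the struct and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed size of the stack destination var_208: a placeholder, not from the page. */
#define STACK_BUF_SIZE 0x1F0

/* Constructed records laid out as the listing reads them: [5] & 0x1F must be 1,
 * then a 16-bit big-endian length at [6..7]; bytes 0..3 are unused here. */
static const uint8_t REC_BENIGN[8]  = { 0, 0, 0, 0, 0xFF, 0xE1, 0x00, 0x20 }; /* 0x0020 */
static const uint8_t REC_HOSTILE[8] = { 0, 0, 0, 0, 0xFF, 0xE1, 0xFF, 0xFF }; /* 0xFFFF */
static const uint8_t REC_SIGNBIT[8] = { 0, 0, 0, 0, 0xFF, 0xE1, 0x80, 0x00 }; /* 0x8000 */

typedef struct { int copies; uint32_t nbytes; } check_t; /* copy proceeds, and with how many bytes */

/* mov cx,[eax+6] ; movzx dx,ch ; mov dh,cl : the byte-swapped 16-bit length */
static uint16_t length_be16(const uint8_t *rec) { return (uint16_t)((rec[6] << 8) | rec[7]); }

/* Vulnerable: cmp cx,100h / jg is a signed compare, so 0xFFFF (-1) passes;
 * movsx edx,cx then sign-extends it to 0xFFFFFFFF, the byte count for rep movsd. */
static check_t vulnerable_check(const uint8_t *rec) {
    check_t r = { 0, 0 };
    if ((rec[5] & 0x1F) != 1) return r;          /* cmp cl,1 / jnz */
    uint16_t cx = length_be16(rec);
    if ((int16_t)cx > 0x100) return r;           /* jg: signed */
    r.copies = 1;
    r.nbytes = (uint32_t)(int32_t)(int16_t)cx;   /* movsx: sign extension */
    return r;
}

/* Corrected: unsigned compare (ja) with zero extension, and the count is also
 * bounded by the real size of the destination buffer. */
static check_t fixed_check(const uint8_t *rec, size_t buf_size) {
    check_t r = { 0, 0 };
    if ((rec[5] & 0x1F) != 1) return r;
    uint16_t cx = length_be16(rec);
    if (cx > 0x100 || cx > buf_size) return r;   /* ja: unsigned, plus buffer bound */
    r.copies = 1;
    r.nbytes = cx;
    return r;
}

/* True when a check lets through a copy larger than the destination. */
static int overflows(check_t c, size_t buf_size) { return c.copies && c.nbytes > buf_size; }

int main(void) {
    printf("hostile record: vulnerable overflows=%d, fixed overflows=%d\n",
           overflows(vulnerable_check(REC_HOSTILE), STACK_BUF_SIZE),
           overflows(fixed_check(REC_HOSTILE, STACK_BUF_SIZE), STACK_BUF_SIZE));
    return 0;
}
```

    Any length with the top bit set (0x8000 and above) slips past the signed check in the same way, which is why the corrected form compares as unsigned and still bounds the count against the destination.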
    Vendor Response:
    2006.05.06 Vendor notified via product-security (AT) apple (DOT) com
    2006.05.07 Vendor responded
    2006.09.07 Vendor notified me the patch is available.
    2006.09.12 Vendor released QuickTime 7.1.3
    2006.09.12 Advisory released
    Reference:
    4. http://secway.org/vuln.htm
