Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14244
HistorySep 13, 2006 - 12:00 a.m.

Apple QuickTime H.264 Integer Overflow Vulnerability

2006-09-1300:00:00
vulners.com
8
JSON

Apple QuickTime H.264 Integer Overflow Vulnerability

By Sowhat of Nevis Labs
Date: 2006.09.12

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060912.txt

CVE: CVE-2006-4381

Vendor:
Apple Inc.

Affected Versions:
Apple QuickTime versions < 7.1.3

Overview:
By carefully crafting a corrupt H.264 movie, an attacker can trigger an
integer overflow which may lead to an application crash or arbitrary code
execution with the privileges of the user.

The vulnerability allows an attacker to execute arbitrary code
in the context of the user who executes QuickTime.

Details:

This vulnerability exists in the way Quicktime process the H.264 content.

vulnerable code:

QuickTimeH264.qtx.68169AC3

.text:68169A63 and esp, 0FFFFFFF8h
.text:68169A66 sub esp, 214h
.text:68169A6C mov eax, dword_68323140
.text:68169A71 mov edx, [ebp+arg_8]
.text:68169A74 xor ecx, ecx
.text:68169A76 mov [esp+214h+var_4], eax
.text:68169A7D mov eax, [ebp+arg_0]
.text:68169A80 mov cl, [eax+4]
.text:68169A83 push ebx
.text:68169A84 push esi
.text:68169A85 push edi
.text:68169A86 mov [esp+220h+var_20C], 0
.text:68169A8E and ecx, 3
.text:68169A91 inc ecx
.text:68169A92 mov [edx], ecx
.text:68169A94 mov cl, [eax+5]
.text:68169A97 and cl, 1Fh
.text:68169A9A cmp cl, 1
.text:68169A9D jnz short loc_68169AEF
.text:68169A9F mov cx, [eax+6]
.text:68169AA3 movzx dx, ch
.text:68169AA7 mov dh, cl
.text:68169AA9 mov ecx, edx
.text:68169AAB cmp cx, 100h <– cx
= FFFF which is user controllable
.text:68169AB0 jg short loc_68169AEF <–
should be "ja"
.text:68169AB2 movsx edx, cx
.text:68169AB5 mov ecx, edx
.text:68169AB7 mov ebx, ecx <– ecx
= 0xFFFFFFFF
.text:68169AB9 shr ecx, 2
.text:68169ABC lea esi, [eax+8]
.text:68169ABF lea edi, [esp+220h+var_208]
.text:68169AC3 rep movsd <– do
memory copy
.text:68169AC5 mov ecx, ebx
.text:68169AC7 and ecx, 3
.text:68169ACA rep movsb
.text:68169ACC mov cl, [edx+eax+8]
.text:68169AD0 lea esi, [edx+8]
.text:68169AD3 inc esi
.text:68169AD4 cmp cl, 1
.text:68169AD7 jnz short loc_68169AEF
.text:68169AD9 mov cx, [esi+eax]
.text:68169ADD movzx bx, ch
.text:68169AE1 mov bh, cl
.text:68169AE3 add esi, 2
.text:68169AE6 mov ecx, ebx
.text:68169AE8 cmp cx, 100h
.text:68169AED jle short loc_68169B07

This vulnerability can be exploited By persuading a user to open
a carefully crafted .mov files or visit a website embedding the
malicious .mov file.

Vendor Response:

2006.05.06 Vendor notified via [email protected]
2006.05.07 Vendor responded
2006.09.07 Vendor notified me the patch is available.
2006.09.12 Vendor released QuickTime 7.1.3
2006.09.12 Advisory released

Reference:

  1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html
  2. http://docs.info.apple.com/article.html?artnum=61798
  3. http://docs.info.apple.com/article.html?artnum=304357
  4. http://secway.org/vuln.htm


Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

Related

cve 2
checkpoint_advisories 1
freebsd 1
nessus 3
openvas 1
cve
cve
CVE-2006-4381
2006-09-12 23:07:00
CVE-2006-4386
2006-09-12 23:07:00
checkpoint_advisories
checkpoint_advisories
Apple QuickTime H.264 Crafted Movie Buffer Overflow (CVE-2006-4381)
2009-10-15 00:00:00
freebsd
freebsd
win32-codecs -- multiple vulnerabilities
2006-09-08 00:00:00
nessus
nessus
Quicktime < 7.1.3 Multiple Vulnerabilities (Mac OS X)
2006-09-13 00:00:00
FreeBSD : win32-codecs -- multiple vulnerabilities (24f6b1eb-43d5-11db-81e1-000e0c2e438a)
2006-10-20 00:00:00
QuickTime < 7.1.3 Multiple Vulnerabilities (Windows)
2006-09-13 00:00:00
openvas
openvas
FreeBSD Ports: win32-codecs
2008-09-04 00:00:00
JSON
Related for SECURITYVULNS:DOC:14244
cve2checkpoint_advisories1freebsd1nessus3openvas1