Talos Vulnerability Report

TALOS-2015-0012

Apple Quicktime Invalid URL Atom Size Denial of Service Vulnerability

Aug 13, 2015

Description

An exploitable denial of service vulnerability exists in Apple Quicktime. An attacker who can control the size of a "url" atom in a mov media file can cause an undersized allocation leading to an out-of-bounds read. Since the allocation only contains data already from the file, the impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable

Product URLs

https://www.apple.com/quicktime/

Details

The function Quicktime!0x73aad0 is responsible for calculating the size of the data portion of a "url " atom.


if ( atom_size >= 8 )
{
(...)
  if ( atom_size - 12 >= 0 )
  {
    *(_DWORD *)v6 = 0;
    sub_6718E230(v5, v6, atom_size - 12);   // allocation of atom_size - 12 bytes; 0 bytes when atom_size == 12
  }

The atom size must be at least 8 bytes, yet the size of the new allocation is computed by subtracting 12 from it. Because the check and the subtraction use different values, the new allocation may contain 0 bytes of data.

The function QuicktimeStreaming!0x8b2e0 is responsible for processing the url atom data. A null-terminated string is expected; however, a pointer to the data is passed directly to strlen() to determine the string length, with no bound derived from the atom size.


  v1 = strlen(atom_data);   // unbounded scan: stops only at the first NUL byte, wherever it is
  v2 = 0;
  if ( (signed int)(v1 - 1) <= 0 )
  {

The problem occurs when there are either 0 bytes of data in a "url " atom or the data is not null-terminated. In both cases, the call to strlen() will read off the end of the buffer without stopping, resulting in an out-of-bounds read.
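The following is an added example written for this report, not QuickTime code, showing how a "url " atom parser can avoid both failure modes described above: it rejects atoms whose declared size leaves no payload and replaces the unbounded strlen() with a scan bounded by the payload length. It assumes the 12-byte prefix implied by the report's arithmetic (4-byte big-endian size, 4-byte type, and 4 bytes assumed to be version/flags); the function and type names, and the three sample atoms, are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size prefix of a "url " atom as the report's "atom_size - 12" implies:
 * 4-byte big-endian size, 4-byte type, then 4 bytes assumed to be version/flags. */
#define URL_ATOM_HEADER 12

enum url_atom_status {
    URL_OK = 0,
    URL_ERR_TRUNCATED,    /* buffer is shorter than the declared atom size */
    URL_ERR_BAD_TYPE,     /* atom type is not "url " */
    URL_ERR_NO_DATA,      /* atom_size <= 12: zero-length (or negative) payload */
    URL_ERR_UNTERMINATED  /* payload contains no NUL within its bounds */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one "url " atom from buf. On URL_OK, *out points at the payload inside
 * buf and *out_len is the string length excluding the terminating NUL. */
enum url_atom_status parse_url_atom(const uint8_t *buf, size_t buf_len,
                                    const char **out, size_t *out_len)
{
    if (buf_len < URL_ATOM_HEADER)
        return URL_ERR_TRUNCATED;
    uint32_t atom_size = read_be32(buf);
    if (atom_size > buf_len)
        return URL_ERR_TRUNCATED;
    if (memcmp(buf + 4, "url ", 4) != 0)
        return URL_ERR_BAD_TYPE;
    /* Sizes 8..12 pass the vulnerable ">= 8" check but leave an empty or
     * negative payload length once 12 is subtracted; reject them outright. */
    if (atom_size <= URL_ATOM_HEADER)
        return URL_ERR_NO_DATA;
    size_t data_len = atom_size - URL_ATOM_HEADER;
    const char *data = (const char *)buf + URL_ATOM_HEADER;
    /* Bounded scan in place of strlen(): memchr never reads past data_len. */
    const char *nul = memchr(data, '\0', data_len);
    if (nul == NULL)
        return URL_ERR_UNTERMINATED;
    *out = data;
    *out_len = (size_t)(nul - data);
    return URL_OK;
}

/* Constructed sample atoms (not taken from any real file). */
static const uint8_t GOOD_ATOM[] = {          /* size 0x15 = 12 + "http://x" + NUL */
    0x00, 0x00, 0x00, 0x15, 'u', 'r', 'l', ' ', 0x00, 0x00, 0x00, 0x00,
    'h', 't', 't', 'p', ':', '/', '/', 'x', 0x00 };
static const uint8_t EMPTY_ATOM[] = {         /* size 12: passes ">= 8", zero payload */
    0x00, 0x00, 0x00, 0x0c, 'u', 'r', 'l', ' ', 0x00, 0x00, 0x00, 0x00 };
static const uint8_t UNTERM_ATOM[] = {        /* size 16: 4 payload bytes, no NUL */
    0x00, 0x00, 0x00, 0x10, 'u', 'r', 'l', ' ', 0x00, 0x00, 0x00, 0x00,
    'a', 'b', 'c', 'd' };

/* Convenience wrapper returning only the status for a buffer. */
enum url_atom_status classify(const uint8_t *buf, size_t len)
{
    const char *s = NULL;
    size_t n = 0;
    return parse_url_atom(buf, len, &s, &n);
}

/* Length of the URL string recovered from GOOD_ATOM (8 for "http://x"). */
size_t good_url_len(void)
{
    const char *s = NULL;
    size_t n = 0;
    if (parse_url_atom(GOOD_ATOM, sizeof GOOD_ATOM, &s, &n) != URL_OK)
        return 0;
    return n;
}

int main(void)
{
    printf("good:         status %d, len %zu\n", classify(GOOD_ATOM, sizeof GOOD_ATOM), good_url_len());
    printf("empty:        status %d\n", classify(EMPTY_ATOM, sizeof EMPTY_ATOM));
    printf("unterminated: status %d\n", classify(UNTERM_ATOM, sizeof UNTERM_ATOM));
    printf("truncated:    status %d\n", classify(GOOD_ATOM, 10));
    return 0;
}
```

The two checks map directly onto the two conditions in the report: the `atom_size <= 12` rejection covers the zero-byte allocation, and the `memchr` bound covers the missing terminator, so neither case can drive a read past the end of the payload.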

Crash Information


eax=00000001 ebx=0027c8b4 ecx=00000000 edx=00000004 esi=20257000 edi=20257001
eip=6931b482 esp=0027c74c ebp=20257000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x18172:
6931b482 8a16            mov     dl,byte ptr [esi]          ds:0023:20257000=??

STACK_TEXT:
0013c3ec 68a0b4fb 20fc5000 208a0d6e 689e2c45 QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x18172
0013c3f8 689e2c45 20fc5000 208a0d6e 208a0d6e QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x181eb
0013c414 698e368a 208a0da2 208a0d6e 0013c4e4 QuickTimeStreaming!InetDHComponentDispatch+0x14a5
00000000 00000000 00000000 00000000 00000000 QuickTime!CallComponentFunctionWithStorage+0x4a

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos