Talos Vulnerability Report

TALOS-2015-0013

Apple Quicktime Invalid 3GPP stsd Sample Description Entry Size Denial of Service Vulnerability

Aug 13, 2015

Description

There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the number of entries and entry size of a sample description table in a .mov file of type 3GPP can cause an undersized allocation which can lead to an out-of-bounds read. Since the allocation only contains data already from the file, the impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable

Product URLs

https://www.apple.com/quicktime/

Details

The function QuickTime3GPP!0xa720 is responsible for parsing a sample descriptor entry in an stsd atom.


12  v2 = object;
13  *(_DWORD *)a2 = 0;
14  v3 = (unsigned __int16)(char)sub_67F21EB0(object, 0);
15  sub_67F21E70(object);
16  v4 = *(_DWORD **)object;
17  LOBYTE(v5) = 0;
18  HIBYTE(v5) = **(_DWORD **)object >> 16;
19  v6 = v5 | *(_BYTE *)(*(_DWORD *)v2 + 3) | ((**(_DWORD **)v2 & 0xFF00 | (**(_DWORD **)v2 << 16)) << 8);
20  LOBYTE(v5) = 0;
21  HIBYTE(v5) = *(_DWORD *)(*(_DWORD *)object + 36) >> 16; //Dereference
22  if ( (*(_BYTE *)(*(_DWORD *)v2 + 39) | v5 | ((*(_DWORD *)(*(_DWORD *)v2 + 36) & 0xFF00 | (*(_DWORD *)(*(_DWORD *)v2 + 36) << 16)) << 8)) != v6 - 36  //first size check
		

On lines 16, 18, and 21, the object passed to the function is dereferenced without ensuring the object is large enough. The dereference on line 21 expects the object to contain at least 40 bytes.

The first size integrity check (verifying the subatom fits in the sample description entry) occurs only after this read is complete.

The object is allocated using the sample description entry size value from the file:


45000000 size of stsd atom
64737473 "stsd"
00000000 Version/Flags
01000000 Number of entries in sample descriptor table
01000000 Sample descriptor entry 1 size
ff01ffff
0001fffe
01ff00ff
		

If there is at least one sample description entry and that entry has a non-zero size, then a buffer is allocated and size bytes of data are copied. This buffer is then passed up to QuickTime3GPP!0xa720 which looks for a second size value at 0x24, assuming there at least 0x28 bytes of data without checking the size of the allocation. This results in an out-of-bounds read.

Crash Information


eax=00c0c0c0 ebx=00000000 ecx=0000c000 edx=15c0eff8 esi=15b06ff8 edi=002ac1d0
eip=6c2aa720 esp=002ac1b0 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
QuickTime3GPP!EatTx3gComponentDispatch+0x1560:
6c2aa720 8b4a24          mov     ecx,dword ptr [edx+24h] ds:0023:15c0f01c=????????

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 QuickTime3GPP!EatTx3gComponentDispatch+0x1560
		

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos