Talos Vulnerability Report
Apple Quicktime Invalid 3GPP stsd Sample Description Entry Size Denial of Service Vulnerability
Aug 13, 2015
There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the number of entries and entry size of a sample description table in a .mov file of type 3GPP can cause an undersized allocation which can lead to an out-of-bounds read. Since the allocation only contains data already from the file, the impact is limited to denial of service.
Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable
The function QuickTime3GPP!0xa720 is responsible for parsing a sample descriptor entry in an stsd atom.
12 v2 = object; 13 *(_DWORD *)a2 = 0; 14 v3 = (unsigned __int16)(char)sub_67F21EB0(object, 0); 15 sub_67F21E70(object); 16 v4 = *(_DWORD **)object; 17 LOBYTE(v5) = 0; 18 HIBYTE(v5) = **(_DWORD **)object >> 16; 19 v6 = v5 | *(_BYTE *)(*(_DWORD *)v2 + 3) | ((**(_DWORD **)v2 & 0xFF00 | (**(_DWORD **)v2 << 16)) << 8); 20 LOBYTE(v5) = 0; 21 HIBYTE(v5) = *(_DWORD *)(*(_DWORD *)object + 36) >> 16; //Dereference 22 if ( (*(_BYTE *)(*(_DWORD *)v2 + 39) | v5 | ((*(_DWORD *)(*(_DWORD *)v2 + 36) & 0xFF00 | (*(_DWORD *)(*(_DWORD *)v2 + 36) << 16)) << 8)) != v6 - 36 //first size check
On lines 16, 18, and 21, the object passed to the function is dereferenced without ensuring the object is large enough. The dereference on line 21 expects the object to contain at least 40 bytes.
The first size integrity check (verifying the subatom fits in the sample description entry) occurs only after this read is complete.
The object is allocated using the sample description entry size value from the file:
45000000 size of stsd atom 64737473 "stsd" 00000000 Version/Flags 01000000 Number of entries in sample descriptor table 01000000 Sample descriptor entry 1 size ff01ffff 0001fffe 01ff00ff
If there is at least one sample description entry and that entry has a non-zero size, then a buffer is allocated and size bytes of data are copied. This buffer is then passed up to QuickTime3GPP!0xa720 which looks for a second size value at 0x24, assuming there at least 0x28 bytes of data without checking the size of the allocation. This results in an out-of-bounds read.
eax=00c0c0c0 ebx=00000000 ecx=0000c000 edx=15c0eff8 esi=15b06ff8 edi=002ac1d0 eip=6c2aa720 esp=002ac1b0 ebp=00000000 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 QuickTime3GPP!EatTx3gComponentDispatch+0x1560: 6c2aa720 8b4a24 mov ecx,dword ptr [edx+24h] ds:0023:15c0f01c=???????? STACK_TEXT: 00000000 00000000 00000000 00000000 00000000 QuickTime3GPP!EatTx3gComponentDispatch+0x1560
Discovered by Ryan Pentney and Richard Johnson of Cisco Talos