Talos Vulnerability Report

TALOS-2015-0014

Apple Quicktime Invalid mvhd Atom Size Denial of Service Vulnerability

Aug 13, 2015

Description

There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the size of an mvhd atom can cause an undersized allocation which can lead to an out-of-bounds read. Since the allocation only contains data already from the file, the impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable

Product URLs

https://www.apple.com/quicktime/

Details

The function QuickTime!0x111709 is responsible for copying the data from an mvhd atom to a buffer on the stack. The copy expects at least 0x64 bytes of data, however there is no check to ensure the source buffer is at least 0x64 bytes before the copy takes place.


13  if ( v2 )
14  {
15    if ( *(_BYTE *)(a2 + 7) || *(_BYTE *)(a2 + 9) || (v6 = sub_6718B4A0(a1, &v7)) == 0
16      && ((v3 = *(_DWORD *)(a1 + 4), v3 > v7) || (v4 = **(_DWORD **)a2,
17           qmemcpy((void *)(v4 + 4), (const void *)(v3 + **(_DWORD **)a1), 0x64u),
18           sub_671DBE90(v4 + 4), *(_BYTE *)(v4 + 7))
19       && *(_BYTE *)(v4 + 7) != -1
20       || (*(_WORD *)(a1 + 12) = *(_BYTE *)(v4 + 7), *(_WORD *)(a2 + 4) = *(_WORD *)(v4 + 100),
21                                                     *(_DWORD *)(v4 + 16) <= 0)) )
22      v6 = -2002;
23  }
		

The source buffer is allocated using the mvhd size value from the file:


5a000000   <----- size of mvhd
6468766d   <----- "mvhd"
00000000   <----- start of copied data
7ce5b5c0
80e5b5c0
58020000
(...)
		

17           qmemcpy((void *)(v4 + 4), (const void *)(v3 + **(_DWORD **)a1), 0x64u),
		

Minus the size and 4CC, mvhd atoms are expected to have at least 0x64 bytes of data. When a mvhd size value of less than 0x6C is specified in the file (0x64 bytes of data, plus 0x8 bytes for the size and 4CC), the code above attempts to copy 0x64 of data from an undersized source buffer and the copy results in an out-of-bounds read.

Crash Information


eax=00000008 ebx=0f464c6c ecx=00000003 edx=14fbc54e esi=103f6000 edi=0f464cc4
eip=68811525 esp=0019c3ac ebp=0f464c68 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
QuickTime!LIST_ComponentDispatch+0x570c5:
68811525 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]


STACK_TEXT:
0019c3c4 68811c41 0019c800 0019c530 0019c440 QuickTime!LIST_ComponentDispatch+0x570c5
0019c3ec 68784186 0019c800 0000000e 0019c46c QuickTime!LIST_ComponentDispatch+0x577e1
0019c440 688133ef 0019c800 0000000e 0019c46c QuickTime!CallComponentFunctionWithStorage+0xc76
0019c464 68784191 7072666c 2d900001 c5306881 QuickTime!LIST_ComponentDispatch+0x58f8f
00000000 00000000 00000000 00000000 00000000 QuickTime!CallComponentFunctionWithStorage+0xc81
		

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos