Talos Vulnerability Report

TALOS-2015-0015

Apple Quicktime esds Atom Descriptor Type Length Mismatch Denial of Service Vulnerability

Aug 13, 2015

Description

There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the elementary video header start codes section or type descriptor length in an "esds" atom in a .mov file can cause the parser to expect additional structures, which can lead to an out-of-bounds read. Because the allocation contains only data that already came from the file, the impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable

Product URLs

https://www.apple.com/quicktime/

Details

The function QuickTimeMPEG4!0x9990 is responsible for parsing out the ES header start codes section of the esds atom in a loop.

On each iteration, the algorithm pulls the next start code from the buffer and, based on the code, it calls the designated parsing function for the data that follows. A data structure is used to track the algorithm's location within the buffer, as well as the boundaries, total size, and last 4 bytes pulled from that data block:


Example:
002fc124 14b2afd8 <---- start of buffer
002fc128 00000022 <---- size of data
002fc12c 14b2afdc <---- current location
002fc130 14b2affa <---- end of buffer
002fc134 f3000001
...

Before and after each start code and structure, the function at QuickTimeMPEG4!0x91F0 is called to check whether the value of "current location (obj+8)" is less than "end of buffer (obj+0x0c)":


// Decompiler output: true while current location (a1+8) < end of buffer (a1+12)
BOOL __usercall sub_6A8891F0@<eax>(int a1@<eax>)
{
  return *(_DWORD *)(a1 + 8) < *(_DWORD *)(a1 + 12);
}

The designated parsing functions for the data that follows each start code contain many optional elements that are parsed as needed based on whether bit flags within the data itself are set. This makes these data sections variable-sized; however, no check is made within these functions to ensure the read location does not exceed the end of the read buffer.

This bug is therefore triggered by a mismatch between the descriptor length (0x22) and the total size of all start codes, required elements, and optional elements within the Elementary Video Header. By flipping bit flags in the data, an attacker can cause additional structures to be parsed, resulting in an out-of-bounds read off the end of the data buffer.

Functions vulnerable to this:

QuickTimeMPEG4!0x93d0
QuickTimeMPEG4!0x9590
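
The missing check described above, shown in its corrected form as an added example (not code from QuickTime or from the original report): every read inside a section parser is validated against the end of the buffer, not only the position between sections. The field names, the section layout and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cursor modelled on the structure shown in the report; field names are assumptions. */
typedef struct {
    const uint8_t *start; /* +0x00 start of buffer  */
    uint32_t       size;  /* +0x04 size of data     */
    const uint8_t *cur;   /* +0x08 current location */
    const uint8_t *end;   /* +0x0c end of buffer    */
} cursor_t;

/* Checked read: copies n bytes only if they lie before c->end. */
static int read_bytes(cursor_t *c, void *out, size_t n) {
    if ((size_t)(c->end - c->cur) < n) return -1;
    memcpy(out, c->cur, n);
    c->cur += n;
    return 0;
}

/* Hypothetical section layout (not the real MPEG-4 syntax): one flag byte,
 * two required bytes, then a 4-byte optional element per set flag bit 0..1. */
static int parse_section(cursor_t *c) {
    uint8_t flags, required[2], optional[4];
    if (read_bytes(c, &flags, 1) || read_bytes(c, required, 2)) return -1;
    for (int bit = 0; bit < 2; bit++)
        if (((flags >> bit) & 1) && read_bytes(c, optional, 4)) return -1;
    return 0;
}

/* Returns 0 if every section fits inside declared_len, -1 on a length mismatch. */
int parse_header(const uint8_t *buf, uint32_t declared_len) {
    cursor_t c = { buf, declared_len, buf, buf + declared_len };
    while (c.cur < c.end)              /* same test as QuickTimeMPEG4!0x91F0 */
        if (parse_section(&c) != 0) return -1;
    return 0;
}

/* Constructed sample inputs, each passed with its true array length. */
const uint8_t sample_ok[]      = { 0x00, 0xAA, 0xBB };
const uint8_t sample_opt[]     = { 0x01, 0xAA, 0xBB, 1, 2, 3, 4 };
const uint8_t sample_flipped[] = { 0x03, 0xAA, 0xBB }; /* flags claim 8 more bytes */

int main(void) {
    printf("ok=%d opt=%d flipped=%d\n", parse_header(sample_ok, sizeof sample_ok),
           parse_header(sample_opt, sizeof sample_opt),
           parse_header(sample_flipped, sizeof sample_flipped));
    return 0;
}
```

The flipped-flag sample is rejected inside the section parser, before any byte past the declared length is touched.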

Crash Information


eax=15a3c000 ebx=0000000a ecx=00000016 edx=0014c1b4 esi=c0c0d0d0 edi=000003ff
eip=676b910e esp=0014c150 ebp=00000003 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
QuickTimeMPEG4!MPEG4_DComponentDispatch+0x760e:
676b910e 8b00            mov     eax,dword ptr [eax]  ds:0023:15a3c000=????????

STACK_TEXT:
0014c160 676b9726 00000003 00000000 00000000 QuickTimeMPEG4!MPEG4_DComponentDispatch+0x760e
0014c190 676b9af4 0014c1b4 008c00ce 0014c250 QuickTimeMPEG4!MPEG4_DComponentDispatch+0x7c26
00000000 00000000 00000000 00000000 00000000 QuickTimeMPEG4!MPEG4_DComponentDispatch+0x7ff4
		

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos