Talos Vulnerability Report

TALOS-2015-0016

Apple Quicktime tkhd Atom Matrix Corruption Denial of Service Vulnerability

Aug 20, 2015

Description

An exploitable denial of service vulnerability exists in Apple Quicktime. An attacker who can control the values in the matrix structure of a tkhd atom in a .mov media file can cause an integer overflow in an idiv operation. The impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable

Product URLs

https://www.apple.com/quicktime/

Details

The function Quicktime!0x83e4c0 returns the result of a signed idiv.


1  int __cdecl sub_6794E4C0(int a1, signed int a2)
2  {
3    signed __int64 v2; // rt0@1
4
5    LODWORD(v2) = 0;
6    HIDWORD(v2) = a1;
7    return (v2 >> 8) / a2;
8  }
		

An integer overflow can occur during this division. If the result of the operation is larger than the max signed value capable of being stored in a 32-bit register, an integer overflow condition is raised and goes unhandled.

The calling function, QuickTime!0x849b10, passes the hardcoded value 0x1000000, which is part of the dividend, and a 4-byte divisor.


44  v1 = object;
45  if ( *(_DWORD *)(object + 68) > 0 )
46  {
47    v2 = *(_DWORD *)(object + 4);
48    v3 = *(_DWORD *)(object + 8);
49    objecta = *(_DWORD *)(object + 64);
50    v33 = v2;
51    v32 = v3;
52    v4 = sub_6794E4C0(0x1000000, *(_DWORD *)(v1 + 92));
		

If the divisor is <= 0x20000, an integer overflow will occur in the signed division leading to a denial of service.

The value in question is calculated at Quicktime!0x83e460 from the matrix structure in a tkhd atom.


00 00 00 5C  - atom size
74 6B 68 64  - "tkhd"
00           - version
00 00 0F     - flags
B1 F5 EC 84  - creation time
B1 F5 EC 86  - modification time
00 00 00 02  - track id
00 00 00 00  - reserved
00 00 1F 54  - duration
00 00 00 00 00 00 00 00  - reserved
00 00        - layer
00 00        - alternate group
00 00        - volume
00 00        - reserved
00 C8 0D 38  -|    <--
81 53 DA 7E   |    <-- Corrupt values
5C 00 00 00   |    <--
00 00 00 00   |
00 01 00 00   |
00 00 00 00   |-- Matrix structure
00 00 00 00   |
00 00 00 00   |
40 00 00 00   |
00 A0 00 00   |
00 78 00 00  -|
		

The data from this structure is passed to the function QuickTime!0x83efc0, which operates on these values in a loop.


48    do
49    {
50      v12 += 8;
51      --v6;
52      v13 += 12;
53      if ( v12 >= (unsigned int)v9 )
54      {
55        v12 = a2;
56        v13 = bad_value_place;
57      }
58      if ( ComputationFunction(v5, v4, a4, v12, v13) )
59      {
60        a4 += 48;
61        ++v16;
62      }
63      v4 = v12;
64      v5 = v13;
65    }
66    while ( v6 );
		

Corrupt matrix values cause calculations to result in unaccounted for values used by the idiv operation, leading to the overflow condition above. However, due to the complexity the calculations involved, the exact relationship between the corrupt matrix values and the resultant divisor has not been determined.

Crash Information


eax=00000000 ebx=0023dde4 ecx=09df0000 edx=00010000 esi=0023ddf0 edi=0023defc
eip=6992df3d esp=0023dd20 ebp=00000215 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
QuickTime!RAW_CDComponentDispatch+0x490bd:
6992df3d f77c2408        idiv    eax,dword ptr [esp+8] ss:0023:0023dd28=d6e80100


STACK_TEXT:
0023dd1c 69939588 01000000 0001e8d6 0023defc QuickTime!RAW_CDComponentDispatch+0x490bd
00000000 00000000 00000000 00000000 00000000 QuickTime!RAW_CDComponentDispatch+0x54708
		

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos