Talos Vulnerability Report

TALOS-2016-0020

Apple Quicktime mdat Corruption Denial of Service Vulnerability

January 8, 2016

Description

There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the content of the mdat section of a .mov file can cause an out-of-bounds read. The impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit
Apple Quicktime 7.7.6 - Windows 7 32-bit

Product URLs

https://www.apple.com/quicktime/

Details

The function QuickTime!0x8b0050 parses data generated from the mdat section of the file, making reads on an array of byte values of size 0x5c4 (0x7dc - 0x218 initial offset) in a loop.

The index used to calculate where in this byte array to make a read comes from a second byte array. This second array is operated on 0x10 bytes at a time in a loop. There is a counter value that is hardcoded at 8 by the function, meaning a total of 0x80 bytes from this data structure are used in these calculations.

679C0623 add     [esp+20h+ptr_to_stuff], 10h
(....)
679C063A sub     [esp+20h+counter_8], 1
679C063F jnz     loop_start

The function responsible for populating the index table from which the out-of-bounds offset is pulled starts at Quicktime!0x8bc010. There is a loop at the very end of the function (QuickTime!0x8bc271) that does several complex calculations and copies the resulting word values (indices) to the 0x80-byte buffer of indices used above.

.text:679CC42F mov     edi, [esp+130h+var_114]
.text:679CC433 add     edx, 200h
.text:679CC439 add     edi, edx
.text:679CC43B sub     edx, [esp+130h+var_114]
.text:679CC43F sar     edi, 0Ah
.text:679CC442 mov     [eax+10h], di <---- 0x711 is copied to table

17677f70 00000000
17677f74 00000000
17677f78 01510313
17677f7c fd14fed5
17677f80 fed5fd14
17677f84 03130151
17677f88 00000711  <--- new index
17677f8c 0000fd2e
17677f90 0000f915

If an index calculated by the function Quicktime!0x8bc010 exceeds 0x5c4, then, in QuickTime!0x8b3400, when this index is used to calculate the address at which to read a byte from a matrix object, an out-of-bounds read will occur.

Crash Information

eax=1fab4a38 ebx=17b46390 ecx=17b5a6d4 edx=00000711 esi=17b5a603 edi=000000d0
eip=6a1100f8 esp=0021db50 ebp=1fab4a38 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
QuickTime!RGBToYUV_DComponentDispatch+0xda08:
6a1100f8 0fb60402        movzx   eax,byte ptr [edx+eax]     ds:0023:1fab5149=??

STACK_TEXT:
0021db6c 6a1134fb 14410f88 ffffff34 17b462c0 QuickTime!RGBToYUV_DComponentDispatch+0xda08
0021dbd4 6a1087ea 0000001f 6a10881d 00000007 QuickTime!RGBToYUV_DComponentDispatch+0x10e0b
0021dbdc 6a10881d 00000007 1442dfe0 17b52fe0 QuickTime!RGBToYUV_DComponentDispatch+0x60fa
0021dc64 6a10a574 143b0ae8 14429f88 143fafd0 QuickTime!RGBToYUV_DComponentDispatch+0x612d
0021dcbc 698e4251 13d64f90 1f8c8c40 0021dde0 QuickTime!RGBToYUV_DComponentDispatch+0x7e84
0021dd24 698e3491 000003f0 1435cf58 0021dd98 QuickTime!CallComponentFunctionWithStorage+0xd41
0021dd9c 69ff1841 008900ce 1f8d2f04 00000000 QuickTime!CallComponent+0x51
0021ddbc 69fefff9 1f8d0e90 1f8d2ee0 0021e1b4 QuickTime!Base_CDComponentDispatch+0x2391
0021de10 69ff033a 1f8d0e01 69ff0dcb 00000000 QuickTime!Base_CDComponentDispatch+0xb49
0021de18 69ff0dcb 00000000 1f8d0ee8 0021dfc0 QuickTime!Base_CDComponentDispatch+0xe8a
0021de54 698e3545 1f8d0e90 0021e1b4 69fef4ed QuickTime!Base_CDComponentDispatch+0x191b
00000000 00000000 00000000 00000000 00000000 QuickTime!CallComponentFunctionWithStorage+0x35

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos