Talos Vulnerability Report

TALOS-2016-0021

Apple Quicktime mdat Corruption Denial of Service Vulnerability

January 8, 2016

Description

There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the content of the mdat section of a .mov file can cause an out-of-bounds read. Since the function would fail a bounds check immediately after the read occurs, the impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit
Apple Quicktime 7.7.6 - Windows 7 32-bit

Product URLs

https://www.apple.com/quicktime/

Details

The function Quicktime!0x8a6b00 parses data from the mdat section of the file in a loop.

At the end of each iteration, the value in v54 is used as an index into an array and a value is read. This index is advanced by at least 1 byte on each iteration, but sometimes more. There is a test block towards the end of the loop to validate this value:

409    v54 = v24 + index_counter;
410    v55 = *(_DWORD *)(array_base + 4 * (v24 + index_counter) + 0x5D0);
(...)
413    if ( *(_DWORD *)(array_base + 4 * v54 + 0x6D0) > var_2 )
414      var_2 = *(_DWORD *)(array_base + 4 * v54 + 0x6D0);
415    if ( v54 > 0x3F )
416      return 9;

The function should return with an error code if v54 > 0x3f, however, this condition is only tested after the value in v54 is used as an index into the array. If 0x3f is the last legitimate index value, then the highest offset the crash instruction should be attempting to access would be 0x6d0 + 0x3f*4 = 0x7cc

There are several places within each iteration of the loop before the access that add an additional value to the index counter influenced by bytes read from the mov file.

If an attacker crafts a sequence of bytes in the mdat data section such that the calculated array index is larger than 0x3f before hitting the above block of code, then an out-of-bounds read will occur. However, once the out-of-bounds read occurs, the index fails the max size check and the function returns, limiting this vulnerability to a denial of service.

Crash Information

eax=00000046 ebx=0001a96e ecx=00000003 edx=1561e828 esi=16b58f58 edi=00000000
eip=6a9e6bf9 esp=002bdd14 ebp=16b1dec0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
QuickTime!RGBToYUV_DComponentDispatch+0x4509:
6a9e6bf9 8b8c82d0060000  mov     ecx,dword ptr [edx+eax*4+6D0h] ds:0023:1561f010=????????

STACK_TEXT:
002bdd6c 6a9e87ea 00000029 16b4af88 16b1bfd0 QuickTime!RGBToYUV_DComponentDispatch+0x4509
002bddfc 6a9ea574 16ad1ae8 16b4af88 16b1bfd0 QuickTime!RGBToYUV_DComponentDispatch+0x60fa
002bde54 6a1c4251 11f45f90 146b3c40 002bdf78 QuickTime!RGBToYUV_DComponentDispatch+0x7e84
002bdebc 6a1c3491 000003f0 16a7df58 002bdf30 QuickTime!CallComponentFunctionWithStorage+0xd41
002bdf34 6a8d1841 008d00ce 146bdf04 00000000 QuickTime!CallComponent+0x51
002bdf54 6a8cfff9 146bbe90 146bdee0 002be34c QuickTime!Base_CDComponentDispatch+0x2391
002bdfa8 6a8d033a 146bbe01 6a8d0dcb 00000000 QuickTime!Base_CDComponentDispatch+0xb49
002bdfb0 6a8d0dcb 00000000 146bbee8 002be158 QuickTime!Base_CDComponentDispatch+0xe8a
002bdfec 6a1c3545 146bbe90 002be34c 6a8cf4ed QuickTime!Base_CDComponentDispatch+0x191b
00000000 00000000 00000000 00000000 00000000 QuickTime!CallComponentFunctionWithStorage+0x35

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos.