Talos Vulnerability Report

TALOS-2016-0022

Apple Quicktime Invalid alis Atom Size Denial of Service Vulnerability

January 8, 2016

Description

There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the size of an alis atom in a .mov file can cause an undersized allocation which can lead to an out-of-bounds read. Since the allocation only contains data already from the file, the impact is limited to denial of service.

Tested Versions

Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable

Product URLs

https://www.apple.com/quicktime/

Details

The function QuickTime!0x73aad0 is responsible for calculating the size of the alis data and passing it up to an allocation function.

26
27  if ( object_size >= 8 )
28  {
(...)
40    if ( object_size - 12 >= 0 )
41    {
42      *(_DWORD *)v6 = 0;
43      sub_6718E230(v5, v6, object_size - 12);
44    }

If the alis atom is at least 12 bytes, the alis data is size-12 bytes and a new buffer of that size is allocated.

The function QuickTime!0xb429d later uses this new allocation and attempts to make a read of 2 bytes at offset 4 without first checking the allocation is large enough.

18  if ( big_obj )
19  {
20    v2 = *(_DWORD *)big_obj;
21    v3 = __ROL2__(*(_WORD *)(*(_DWORD *)big_obj + 4), 8); // Read of 2, expects at least 6 bytes
22    if ( v3 >= 0x9Cu
23      && (v4 = __ROL2__(*(_WORD *)(v2 + 6), 8), v4 >= 2u) // Read at offset 6
24      && (v5 = __ROL2__(*(_WORD *)(v2 + 8), 8), v5 <= 1u) // Read at offset 8
25      && (v6 = *(_BYTE *)(v2 + 10)) != 0 // Read at offset 10
26      && v6 <= 0x1Bu
27      && *(_BYTE *)(v2 + 50) <= 0x3Fu ) // Read at offset 50
28    {

If an alis atom size is not at least 18 bytes, an out-of-bounds read occurs. There are no checks to ensure there are at least 6 bytes of data to read in the newly allocated object.

If the atom does contain at least 18 bytes, the 2-byte value read from offset 6 is another size value. If this value is at least 0x9c in size, the function will continue to read values from various offsets in the allocation.

If the alis atom is at least 18 bytes and the value at offset 6 is at least 0x9c, then if the alis size is less than 0x9c, the allocation will not be large enough to accomodate further reads, resulting in an out-of-bounds read.

Crash Information

eax=00000400 ebx=0012b91c ecx=159eca7c edx=0012b91c esi=159f8000 edi=159eca7c
eip=6a1f4150 esp=0012b698 ebp=0012b90f iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
QuickTime!theQTMLDispatcher+0x2fbe0:
6a1f4150 668b4604        mov     ax,word ptr [esi+4]      ds:0023:159f8004=????

STACK_TEXT:
0012b90f 12c40000 12bbf200 41a40a00 00003a77 QuickTime!theQTMLDispatcher+0x2fbe0
0012b913 12bbf200 41a40a00 00003a77 3a004300 0x12c40000
0012b917 41a40a00 00003a77 3a004300 55005c00 0x12bbf200
0012b91b 00000000 3a004300 55005c00 65007300 0x41a40a00

Credit

Discovered by Ryan Pentney and Richard Johnson of Cisco Talos