HackDig : Dig high-quality web security articles for hacker

FortiGuard Labs Discloses Apple Quicktime Heap Overflow Vulnerability

2015-07-02 09:20

FortiGuard researchers discovered a heap overflow vulnerability in Apple QuickTime that could lead to arbitrary code execution and severe system crashes on both Windows and OS X versions of the popular multimedia software. This vulnerability (CVE-2015-3668, isolated and identified by FortiGuard Labs) follows on the heels of CVE-2015-3667 (disclosed yesterday by Cisco and simultaneously discovered by FortiGuard Labs) and leaves unpatched versions of QuickTime open to multiple exploits.

QuickTime relies on special containers for movie data called atoms. A fragmented MP4 file contains a number of these containers, three of which are the ‘moov’, ‘moof’ and ‘mdat’ atoms:

● ‘moov’ (movie metadata atom) contains a virtual movie timeline with display characteristics, duration and timescale elements, as well as “sub atoms” providing information for each movie track.

● ‘mdat’ (media data atom) contains media data, raw audio and video information and timed-text elements that are decoded based on a movie atom’s information.

● ‘moof’ (movie fragment box) contains short audio, video or text portions of an elementary stream. Movie fragments typically house a closed GOP (Group of Pictures) or AVC Coded Video Sequence.

In particular, CVE-2015-3668 is caused by insufficient validation of the value of the size field in the track fragment (sub atom 'traf') within 'moof' atoms, resulting in a heap overflow vulnerability. The chart below shows the structure of the affected atoms:

We used 010 Editor to parse an mp4 file (FG-VD-15-033_PoC.mp4) as shown below: 

The value of the size field in TrackFragment (atom ‘traf’) should be 0x00000400 (1024). When we modified it to a very large value (e.g. 0xDB000400), we were able to trigger the vulnerability.

When the value of the size field in TrackFragment (atom 'traf') is too large, the parsing of atom 'traf' does not finish. Instead, the parser continues to read data from the heap buffer and parse it.

The heap buffer layout is shown below:

The parser reads four bytes from address 0x087BF2D8 as the length of the next atom. The value is 0x0df0adba. The atom length is then written to the following memory:

The four bytes at address 0x001CC9AC+0x04 are 0x087BF2E0, and the four-byte offset value at address 0x001CC9AC+0x08 is 0x0DF0ADB2 (0x0df0adba - 0x08). The sum 0x087BF2E0 + 0x0DF0ADB2 equals 0x166CA092, which points to the start address of the next atom. Obviously, it is an invalid heap memory address.
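The missing check described above, as an added example that is not QuickTime's code or FortiGuard's: a bounds-checked atom walker that rejects any atom whose size field claims more bytes than its parent holds. The 48-byte sample and the names `validate_atoms` and `check_traf_size` are constructed for illustration; 0xDB000400 is the mutated 'traf' size from the analysis.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 48-byte sample (not the PoC file): moof { mfhd, traf { tfhd } }. */
static const uint8_t SAMPLE[48] = {
    0,0,0,48, 'm','o','o','f',
    0,0,0,16, 'm','f','h','d', 0,0,0,0, 0,0,0,1,
    0,0,0,24, 't','r','a','f',              /* traf size field at offset 24 */
    0,0,0,16, 't','f','h','d', 0,0,0,0, 0,0,0,1,
};

/* Atom size fields are 32-bit big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Atoms whose payload is itself a sequence of atoms. */
static int is_container(const uint8_t *t) {
    return !memcmp(t, "moov", 4) || !memcmp(t, "trak", 4) ||
           !memcmp(t, "moof", 4) || !memcmp(t, "traf", 4);
}

/* Walk atoms in buf[0..len): 0 if every atom fits inside its parent, else -1. */
int validate_atoms(const uint8_t *buf, size_t len, int depth) {
    size_t off = 0;
    if (depth > 16) return -1;                  /* bound the recursion */
    while (off < len) {
        if (len - off < 8) return -1;           /* truncated atom header */
        uint32_t size = be32(buf + off);
        if (size < 8) return -1;                /* sizes 0 and 1 are rejected in this sketch */
        if (size > len - off) return -1;        /* atom claims more than its parent holds */
        if (is_container(buf + off + 4) &&
            validate_atoms(buf + off + 8, size - 8, depth + 1) != 0) return -1;
        off += size;
    }
    return 0;
}

/* Hypothetical helper: patch the sample's traf size field, then validate. */
int check_traf_size(uint32_t traf_size) {
    uint8_t f[sizeof SAMPLE];
    memcpy(f, SAMPLE, sizeof f);
    f[24] = (uint8_t)(traf_size >> 24); f[25] = (uint8_t)(traf_size >> 16);
    f[26] = (uint8_t)(traf_size >> 8);  f[27] = (uint8_t)traf_size;
    return validate_atoms(f, sizeof f, 0);
}

int main(void) {
    return check_traf_size(24) == 0 && check_traf_size(0xDB000400u) == -1 ? 0 : 1;
}
```

Because every child is checked against the bytes remaining in its parent, an oversized 'traf' is rejected before any read past the end of the buffer can happen.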

Apple patched both vulnerabilities in the OS X version of QuickTime on June 29th. A patch for Windows is also available. All users should update QuickTime as soon as possible to avoid potential system crashes and remote code execution. More information about the specific vulnerabilities can be found at:

https://support.apple.com/en-us/HT204947

https://support.apple.com/en-us/HT204942

Special thanks to Kai Lu of Fortinet’s FortiGuard Labs for discovering CVE-2015-3668, and for co-discovering CVE-2015-3667. Kai Lu is a security researcher in FortiGuard Labs, focusing mainly on vulnerability discovery and on vulnerability and exploit analysis. He developed a grammar-based fuzzer that has been used to discover two vulnerabilities in Apple Safari, and two PCRE lib vulnerabilities that affect MongoDB, PHP and MariaDB.

This year, Kai has already discovered and reported about 20 vulnerabilities in popular products like Adobe Flash Player, Apple QuickTime Player, Foxit Reader, MongoDB, etc.


Source: blog.fortinet.com/post/fortiguard-labs-discloses-apple-quicktime-heap-overflow-vulnerability
