Quicktime - Arbitrary Code Execution (remote)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052628 漏洞类型
发布时间 2008-07-18 更新时间 2008-07-18
漏洞平台 N/A CVSS评分 N/A
n.runs AG
http://www.nruns.com/                              security(at)nruns.com
n.runs-SA-2008.003                                           16-Jul-2008
Vendor:	           Apple Inc., http://www.apple.com
Affected Products:     QuickTime versions previous to 7.5
Affected Platforms:    Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, 
                       Mac OS X v10.5 or later, Windows Vista, XP SP2
Vulnerability:         Arbitrary Code Execution (remote) 
Risk:                  CRITICAL
Vendor communication:

2008/03/07      initial notification to Apple Inc. that n.runs AG has 
                found a considerable amount of vulnerabilities in Apple
                mound up-to-date default systems and default installed 
                products both on Mac OS 10.5 (Leopard) and iPhone 1.1.4 
                and that n.runs AG intends to send them in phases 
                to Apple Inc.
2008/03/08      Apple Inc. replies to n.runs AG including their public 
                pgp key and intends to use Apple Inc. RFC instead of 
                n.runs RFC
2008/03/08      n.runs AG replies that vulnerability reporting will only
                happen under n.runs AG RFP
2008/03/11      Apple Inc. communicates to n.runs AG that n.runs AG RFP 
                is aligned to their RFP so we may continue with further 
                communication and bug reporting
2008/03/11      n.runs sends PoCs for various issues to Apple Inc.
2008/03/11      Apple Inc. validates the PoCs and informs that it has 
                some issues reproducing some of them.
2008/03/12      n.runs AG sends more reliable PoCs and the steps to 
                follow in order to reproduce the issues
2008/03/24      Apple Inc. sends a status report regarding the 
                vulnerabilities reported by n.runs AG
2008/03/30      n.runs AG thanks Apple Inc. for the status update and 
                asks for apologies for not being more responsive during 
                CanSecWest time frame.
2008/03/31      Apple Inc. sends a second status update and informs 
                about the link where the credits will appear 
2008/04/01      n.runs AG thanks for the update and sends a second pack 
                of vulnerabilities PoCs based on the good and fluent 
                communications that n.runs AG is having up to the moment
                with Apple Inc.
2008/04/01      Apple Inc. thanks n.runs AG for the new PoC, validates 
                them and includes a status report where they describe 
                that some of the issues reported were known to them 
                and/or discovered internally prior to n.runs AG 
                reporting, they also inform that they added Sergio's 
                name and company into their system for tracking credit 
                information for each of the security issues. Provides 
                the Radar numbers assigned to each of them. Informs some
                reproduction issues. 
2008/04/01      n.runs AG thanks for the quick response and also 
                clarifies that n.runs AG expects, as described in the 
                RFP, to be credited for all the vulnerabilities reported
                to Apple Inc. that affect the most up-to-date products 
                available to the public, regardless if they are 
                internally known to Apple Inc.
2008/04/03      Apple Inc. replies: "Yes, that's our policy: all 
                reporters of security bugs that were not publicly known 
                get credit."
2008/05/23      n.runs AG reports another vulnerability and requests a 
                status update for the previously reported 
2008/05/29      Apple Inc. sends a status report and asks how n.runs AG 
                would like to be credited if there is some specific 
2008/05/29      n.runs AG thanks and sends the requested information 
                to Apple Inc.
2008/05/31      Apple Inc. sends the status report for the last issue 
                reported to them and the Radar number assigned to it.
2008/07/10      n.runs AG requests a status update for the issues 
                reported to Apple Inc.
2008/07/11      Apple Inc. sends the status report and "informs to 
                n.runs AG that some of the vulnerabilities had already 
                been fixed and that the update was released some time 
                ago and that one of them was found through internal 
                security testing and was not correlated to n.runs AG's 
                report, that they would fix that, and requests the 
                format for the credits that n.runs AG would like 
                to have."
2008/07/13      n.runs AG replies the following: "As I said and you 
                agreed in my first mails, before sending any of my 
                findings, whether you found internally or if somebody 
                else reported the same bugs that I'm reporting, you 
                (Apple) have to credit me for my findings for the simple
                reason that I'm reporting them to you instead of 
                releasing them to the public while the bugs are not 
                fixed. That said, I've checked all the credits given 
                in "iPhone 2.0 and iPod touch 2.0" 
                http://support.apple.com/kb/HT2351) and the ones given 
                in "QuickTime 7.5" http://support.apple.com/kb/HT1991, 
                and I haven't been credited in any of them. This is a 
                clear violation of our RFP. If by Monday 14.July.2008 
                the proper credits are not given to me, I'll release all
                the vulnerabilities and bugs that I've reported to you 
                and also the ones I didn't report yet by 
                Tuesday 15.July.2008."
2008/07/15      Apple Inc. asks n.runs AG to not make public our 
                findings and also makes available the credits for one of
                the issues reported.
2008/07/16      n.runs AG releases this advisory

QuickTime is a multimedia framework developed by Apple Inc., capable of 
handling various formats of digital video, media clips, sound, text, 
animation, music and several types of interactive panoramic images. 
Available for Classic Mac OS, Mac OS X and Microsoft Windows operating 
systems it provides essential support for software packages including 
iTunes, QuickTime Player (which can also serve as a helper application 
for web browsers to play media files that might otherwise fail to open) 
and Safari.


A remotely exploitable vulnerability has been found in the files' 
parsing engine.

In detail, the following flaw was determined:

- A sign extension issue in QuickTime's handling of PICT images that 
  leads to a heap buffer overflow. 


This problem can lead to remote arbitrary code execution if an attacker 
carefully crafts a file that exploits the aforementioned vulnerability. 
The vulnerability is present in Apple QuickTime software mentioned 
bove, in all platforms supported by the affected products and all the 
products that use the APIs exposed by its library prior to Apple 
QuickTime version 7.5. 

The vulnerability was reported on 01.Apr.2008 and Apple QuickTime 
Version 7.5 has been issued to solve this vulnerability. For detailed 
information about the fixes follow the link in References [1] section 
of this document.
Bugs found by Sergio Alvarez of n.runs AG. 
http://support.apple.com/kb/HT1991 [1]

This Advisory and Upcoming Advisories:
_________________________About n.runs:

n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting. In 
2007, n.runs expanded its core business area, which until then had  been
project based consulting, to include the development of high-end 
security solutions.
Application Protection System - Anti Virus (aps-AV) is the first 
high-end security solution that n.runs is bringing to the market.

Copyright Notice:

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact 
security_at_nruns.com for permission. Use of the advisory constitutes 
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including 
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of 
such damages. 

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.