Apple QuickTime Multiple Buffer Overflow and Exception Handling Vulnerabilities

Vulnerability ID: 1193556    Vulnerability type: Buffer overflow
Published: 2006-09-12    Updated: 2006-09-15
CVE ID: CVE-2006-4381    CNNVD ID: CNNVD-200609-160
Platform: N/A    CVSS score: 5.1
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006090079
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-160
|Vulnerability details
Apple QuickTime is a popular multimedia player that supports many media formats. Apple QuickTime contains multiple buffer overflow and exception handling vulnerabilities, as follows: if a user is tricked into viewing a specially crafted H.264 movie, an integer overflow or buffer overflow can be triggered, causing the player to crash or to execute arbitrary code.
|Vulnerability EXP
Apple QuickTime H.264 Integer Overflow Vulnerability

By Sowhat of Nevis Labs
Date: 2006.09.12

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060912.txt

CVE:	CVE-2006-4381

Vendor:
Apple Inc.

Affected Versions:
Apple QuickTime versions < 7.1.3

Overview:
By carefully crafting a corrupt H.264 movie, an attacker can trigger an
integer overflow which may lead to an application crash or arbitrary code
execution with the privileges of the user.

The vulnerability allows an attacker to execute arbitrary code
in the context of the user who executes QuickTime.

Details:

This vulnerability exists in the way QuickTime processes the H.264 content.

vulnerable code:

QuickTimeH264.qtx.68169AC3

.text:68169A63                 and     esp, 0FFFFFFF8h
.text:68169A66                 sub     esp, 214h
.text:68169A6C                 mov     eax, dword_68323140
.text:68169A71                 mov     edx, [ebp+arg_8]
.text:68169A74                 xor     ecx, ecx
.text:68169A76                 mov     [esp+214h+var_4], eax
.text:68169A7D                 mov     eax, [ebp+arg_0]
.text:68169A80                 mov     cl, [eax+4]
.text:68169A83                 push    ebx
.text:68169A84                 push    esi
.text:68169A85                 push    edi
.text:68169A86                 mov     [esp+220h+var_20C], 0
.text:68169A8E                 and     ecx, 3
.text:68169A91                 inc     ecx
.text:68169A92                 mov     [edx], ecx
.text:68169A94                 mov     cl, [eax+5]
.text:68169A97                 and     cl, 1Fh
.text:68169A9A                 cmp     cl, 1
.text:68169A9D                 jnz     short loc_68169AEF
.text:68169A9F                 mov     cx, [eax+6]
.text:68169AA3                 movzx   dx, ch
.text:68169AA7                 mov     dh, cl
.text:68169AA9                 mov     ecx, edx
.text:68169AAB                 cmp     cx, 100h                <-- cx = FFFF which is user controllable
.text:68169AB0                 jg      short loc_68169AEF      <-- should be "ja"
.text:68169AB2                 movsx   edx, cx
.text:68169AB5                 mov     ecx, edx
.text:68169AB7                 mov     ebx, ecx                <-- ecx = 0xFFFFFFFF
.text:68169AB9                 shr     ecx, 2
.text:68169ABC                 lea     esi, [eax+8]
.text:68169ABF                 lea     edi, [esp+220h+var_208]
.text:68169AC3                 rep movsd                       <-- do memory copy
.text:68169AC5                 mov     ecx, ebx
.text:68169AC7                 and     ecx, 3
.text:68169ACA                 rep movsb
.text:68169ACC                 mov     cl, [edx+eax+8]
.text:68169AD0                 lea     esi, [edx+8]
.text:68169AD3                 inc     esi
.text:68169AD4                 cmp     cl, 1
.text:68169AD7                 jnz     short loc_68169AEF
.text:68169AD9                 mov     cx, [esi+eax]
.text:68169ADD                 movzx   bx, ch
.text:68169AE1                 mov     bh, cl
.text:68169AE3                 add     esi, 2
.text:68169AE6                 mov     ecx, ebx
.text:68169AE8                 cmp     cx, 100h
.text:68169AED                 jle     short loc_68169B07

This vulnerability can be exploited by persuading a user to open
a carefully crafted .mov file or visit a website embedding the
malicious .mov file.

Vendor Response:

2006.05.06	Vendor notified via product-security (at) apple (dot) com
2006.05.07	Vendor responded
2006.09.07	Vendor notified me the patch is available.
2006.09.12	Vendor released QuickTime 7.1.3
2006.09.12	Advisory released

Reference:
1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html
2. http://docs.info.apple.com/article.html?artnum=61798
3. http://docs.info.apple.com/article.html?artnum=304357
4. http://secway.org/vuln.htm

-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
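The signed-versus-unsigned comparison the advisory points out (a `jg` where `ja` was needed, followed by `movsx`) is modeled below in C. This is an added example, not code from the advisory or from QuickTime: the six-byte header layout, the 0x200-byte destination size and the sample records are constructed assumptions, while the 0x100 bound, the single-set check on byte 5 and the byte-swapped 16-bit length are taken from the listing. The first function reproduces only the arithmetic the vulnerable check performs on a 16-bit length, without copying anything, so it shows how 0xFFFF slips past a signed compare and becomes a count of 0x3FFFFFFF dwords. The second shows the check a parser should perform instead: compare unsigned, and bound the length by both the bytes actually present in the input and the size of the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the length check shown in the disassembly above.
 * Illustrative C, not QuickTime's code; sizes and header bytes are assumptions. */

#define SPS_LIMIT 0x100u   /* the 100h bound compared against in the listing */
#define DST_SIZE  0x200u   /* assumed size of the fixed stack destination buffer */

/* Big-endian 16-bit read, the effect of the movzx/mov byte swap in the listing. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Buggy model: signed compare (jg) followed by sign extension (movsx).
 * Returns the dword count that rep movsd would receive, or 0 when the
 * check rejects the length. Nothing is copied here. */
uint32_t buggy_copy_dwords(uint16_t raw_len)
{
    int16_t len = (int16_t)raw_len;          /* cmp cx, 100h / jg treats cx as signed */
    if (len > (int16_t)SPS_LIMIT)
        return 0;                            /* only positive lengths above 0x100 are rejected */
    int32_t ext = (int32_t)len;              /* movsx edx, cx: 0xFFFF becomes -1 */
    return (uint32_t)ext >> 2;               /* shr ecx, 2: 0xFFFFFFFF >> 2 = 0x3FFFFFFF */
}

/* Hardened parser: the length stays unsigned (ja semantics) and is also
 * bounded by the bytes actually present and by the destination size.
 * Returns the number of bytes copied, or -1 when the record is rejected. */
long parse_sps_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *dst, size_t dst_size)
{
    if (rec_len < 8)                 return -1;  /* header plus 16-bit length field */
    if ((rec[5] & 0x1f) != 1)        return -1;  /* exactly one set, as the listing expects */
    uint16_t len = be16(rec + 6);                /* unsigned, never sign-extended */
    if (len > SPS_LIMIT)             return -1;  /* unsigned bound: 0xFFFF is rejected */
    if (len > rec_len - 8)           return -1;  /* must lie within the input */
    if (len > dst_size)              return -1;  /* must fit the destination */
    memcpy(dst, rec + 8, len);
    return (long)len;
}

/* Constructed sample records (not real QuickTime data). Bytes 0-5 are the
 * assumed header, bytes 6-7 the big-endian length, payload follows. */
static const uint8_t GOOD_REC[]  = {0x01,0x64,0x00,0x1f,0xff,0xe1, 0x00,0x04, 0xde,0xad,0xbe,0xef};
static const uint8_t TRUNC_REC[] = {0x01,0x64,0x00,0x1f,0xff,0xe1, 0x00,0x04, 0xde,0xad};
static const uint8_t HUGE_REC[]  = {0x01,0x64,0x00,0x1f,0xff,0xe1, 0xff,0xff, 0x00};

static uint8_t g_dst[DST_SIZE];

int main(void)
{
    printf("buggy model, length 0xFFFF: %u dwords to copy\n",
           (unsigned)buggy_copy_dwords(0xFFFF));
    printf("good record:       %ld\n",
           parse_sps_checked(GOOD_REC, sizeof GOOD_REC, g_dst, sizeof g_dst));
    printf("truncated record:  %ld\n",
           parse_sps_checked(TRUNC_REC, sizeof TRUNC_REC, g_dst, sizeof g_dst));
    printf("length 0xFFFF:     %ld\n",
           parse_sps_checked(HUGE_REC, sizeof HUGE_REC, g_dst, sizeof g_dst));
    return 0;
}
```

The fix is not just swapping `jg` for `ja`: a length that passes the constant bound must still be checked against the bytes remaining in the input and the size of the destination, otherwise a record that lies about its length can still read or write past a buffer.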
|References

Source: BID
Name: 19976
Link: http://www.securityfocus.com/bid/19976
Source: BUGTRAQ
Name: 20060912 Apple QuickTime H.264 Integer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/445830/100/0/threaded
Source: MISC
Link: http://secway.org/advisory/AD20060912.txt
Source: APPLE
Name: APPLE-SA-2006-09-12
Link: http://lists.apple.com/archives/Security-announce/2006/Sep/msg00000.html
Source: VUPEN
Name: ADV-2006-3577
Link: http://www.frsirt.com/english/advisories/2006/3577
Source: SECUNIA
Name: 21893
Link: http://secunia.com/advisories/21893
Source: XF
Name: quicktime-h264-integer-overflow(28928)
Link: http://xforce.iss.net/xforce/xfdb/28928
Source: OSVDB
Name: 28774
Link: http://www.osvdb.org/28774
Source: SECTRACK
Name: 1016830
Link: http://securitytracker.com/id?1016830
Source: SREASON
Name: 1551
Link: http://securityreason.com/securityalert/1551
Source: docs.info.apple.com
Link: http://docs.info.apple.com/article.html?artnum=304357