Skip navigation
Currently Being Moderated

Memory corruption when Apple Quicktime parses .pct file  (CVE-2012-0671)

Created by Robert Dell'Immagine on May 7, 2012 5:15 PM - Last modified by qualys on May 15, 2012 2:15 PM

Below is Qualys Director of Vulnerability and Malware Research Rodrigo Branco's advisory for Apple.

 

INTRODUCTION

Apple Quicktime does not properly parse .pct media files, which causes a corruption in module DllMain by opening a malformed file with an invalid value located in PoC repro01.pct at offset 0x20E.

 

This problem was confirmed in the following versions of Quicktime and Windows, other versions may be also affected.

 

Quicktime Player version 7.7.1 (1680.42) on Windows XP SP 3 - PT_BR.

 

Apple addressed the vulnerability in the April's Quicktime Patchset

(http://support.apple.com/kb/HT1222)

 

CVSS Scoring System

 

The CVSS score is: 8.6

    Base Score: 10

    Temporal Score: 8.6

We used the following values to calculate the scores:

    Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C

    Temporal score is: E:POC/RL:U/RC:UR

 

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.pct) is available to interested parties.

 

DETAILS

Disassembly:

 

Crash:

 

(f28.c24): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=02a70000 ebx=04402c68 ecx=98b1cc15 edx=00000004 esi=00000000 edi=088a5000

eip=6682ead8 esp=0012bfa8 ebp=00000001 iopl=0         nv up ei pl nz ac pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Arquivos de programas\QuickTime\QTSystem\QuickTime.qts -

QuickTime!DllMain+0x2d068:

6682ead8 668907          mov     word ptr [edi],ax        ds:0023:088a5000=????

0:000> !exploitable

Exploitability Classification: EXPLOITABLE

Recommended Bug Title: Exploitable - User Mode Write AV starting at QuickTime!DllMain+0x000000000002d068 (Hash=0x0e483076.0x0e507376)

User mode write access violations that are not near NULL are exploitable.

 

CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco (https://twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL).

 

http://www.qualys.com

http://www.dissect.pe

Comments (0)