Apple QuickTime 7.0.3 & iTunes 6.0.1 Heap Overflow

Release Date: December 20, 2005
Severity: High (think about how many iPods sold this year alone)
Vendor: Apple

Versions Affected:
Apple QuickTime 7.0.3 on OS X 10.4.3
Apple iTunes 6.0.1 (3) on OS X 10.4.3
Apple QuickTime 7.0.3 on Win32
Apple iTunes 6.0.1 (3) on Win32

Overview:
A heap overflow vulnerability exists within Apple iTunes 6.0.1 and QuickTime 7.0.3. The vulnerability allows an attacker to crash the program and/or execute arbitrary code in the context of the user running the player. The flaw exists in all current and prior versions of Apple iTunes and QuickTime for Mac OS X and Win32.

Technical Details:
The vulnerability is triggered by playing a specially crafted .mov file, which causes the heap overflow. The crash always seems to land on the free()'d object.

The crashlog /Library/Logs/CrashReporter/Quicktime Player.crash.log

OS Version:      10.4.3 (Build 8F46)
Report Version:  3

Command:      QuickTime Player
Path:         /Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
Parent:       WindowServer [56]

Version:         7.0.3 (7.0.3)
Build Version:   2
Project Name:    QuickTime
Source Version:  3871400

PID:    294
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x41820010

Thread 0 crashed with PPC Thread State 64:
  srr0: 0x00000000fffeff20 srr1: 0x000000000200f030 vrsave: 0x0000000000000000
    cr: 0x44222288           xer: 0x0000000000000007   lr: 0x00000000907568a8  ctr: 0x00000000fffeff00
    r0: 0x00000000907568a8    r1: 0x00000000bfffc7c0   r2: 0x0000000041820010   r3: 0x000000000556e450
    r4: 0x00000000909d854c    r5: 0x00000000bfffc8c0   r6: 0x00000000bfffc854   r7: 0x0000000005563b70
    r8: 0x000000005e4e3e2c    r9: 0x000000000000000c  r10: 0x000000009073e114  r11: 0x000000006f63854c
   r12: 0x000000000001078c   r13: 0x0000000000000002  r14: 0x0000000000000000  r15: 0x00000000a3172d58
   r16: 0x000000000551e3f0   r17: 0x00000000bfffd280  r18: 0x0000000077696e64  r19: 0x0000000000000018
   r20: 0x0000000000329200   r21: 0x00000000ffffd96e  r22: 0x0000000000000000  r23: 0x0000000000000000
   r24: 0x00000000bfffc8c0   r25: 0x0000000000000005  r26: 0x0000000000000000  r27: 0x0000000005584940
   r28: 0x000000000556e450   r29: 0x0000000000000007  r30: 0x00000000bfffc8c0  r31: 0x0000000090756724

The crashlog /Library/Logs/CrashReporter/iTunes.crash.log

OS Version:      10.4.3 (Build 8F46)
Report Version:  3

Command:      iTunes
Path:         /Applications/iTunes.app/Contents/MacOS/iTunes
Parent:       WindowServer [56]

Version:         6.0.1 (6.0.1)
Build Version:   2
Project Name:    iTunes
Source Version:  6010300

PID:    350
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x40220004

Thread 0 crashed with PPC Thread State 64:
  srr0: 0x00000000931aece8 srr1: 0x000000000200f030 vrsave: 0x0000000000000000
    cr: 0x24044244           xer: 0x0000000000000006   lr: 0x00000000931aec88  ctr: 0x0000000000000002
    r0: 0x0000000000000000    r1: 0x00000000bfffe600   r2: 0x0000000040220000   r3: 0x00000000036da4f0
    r4: 0x0000000000000000    r5: 0x0000000001800000   r6: 0x00000000ffffffff   r7: 0x00000000036fd940
    r8: 0x00000000036c5421    r9: 0x0000000000000010  r10: 0x0000000000000001  r11: 0x00000000000018a8
   r12: 0x0000000090006700   r13: 0x0000000000000002  r14: 0x0000000000000000  r15: 0x00000000a3172d58
   r16: 0x000000000134fbc0   r17: 0x00000000bffff350  r18: 0x0000000077696e64  r19: 0x00000000000003f5
   r20: 0x00000000bfffe8b0   r21: 0x0000000000000000  r22: 0x00000000036c2090  r23: 0x00000000bfffe9a0
   r24: 0x0000000000000000   r25: 0x0000000003682b00  r26: 0x00000000bfffe8d0  r27: 0x00000000bfffe8d0
   r28: 0x0000000000000000   r29: 0x0000000000000000  r30: 0x00000000036bf684  r31: 0x000000009319fd3c

Below are links to two testcases for this flaw:
http://www.security-protocols.com/poc/sp-x21-1.mov  <-- this one crashes QuickTime
http://www.security-protocols.com/poc/sp-x21-2.mov  <-- this one will crash iTunes and QuickTime

Vendor Status: Apple was notified.
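Added example (editor's note, not part of the original advisory and not Apple's code): the advisory does not say which atom in sp-x21-1.mov / sp-x21-2.mov triggers the overflow, so nothing below reproduces the bug. What it does show is the generic length validation that any parser of the QuickTime atom layout used by .mov files needs, since every atom size comes straight from the file. The three input buffers are constructed here (a well-formed atom sequence, an atom whose declared size runs past the end of the data, and an atom whose declared size is smaller than its own 8-byte header); the function and enum names are this example's own.

```c
/*
 * Added example, not from the advisory and not Apple's code: a minimal,
 * bounds-checked walker for the QuickTime atom layout used by .mov files.
 *
 * Atom header: uint32 big-endian size (includes the 8-byte header), then a
 * 4-byte type.
 *   size == 1 : a uint64 big-endian "extended size" follows the type
 *   size == 0 : the atom runs to the end of its container
 *
 * A parser that trusts `size` without these checks computes size - header
 * as a huge unsigned value when size < header, or reads/copies past the end
 * of its buffer when size > remaining bytes. Either is the classic way a
 * crafted media file becomes a heap overflow; which atom Apple's code got
 * wrong is not stated in the advisory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum atom_status {
    ATOM_OK = 0,
    ATOM_TRUNCATED_HEADER,   /* fewer than 8 (or 16) bytes left for a header */
    ATOM_SIZE_TOO_SMALL,     /* declared size smaller than its own header   */
    ATOM_SIZE_TOO_LARGE      /* declared size runs past the end of the data */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/*
 * Walk the top-level atoms in buf[0..len). Returns how many atoms had sizes
 * consistent with the bytes actually present; *status says why the walk
 * stopped. Every declared size is checked against `remaining` before it is
 * used to advance, so no offset here can ever leave the buffer.
 */
int walk_atoms(const uint8_t *buf, size_t len, enum atom_status *status)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8) { *status = ATOM_TRUNCATED_HEADER; return count; }

        uint64_t size = be32(buf + off);
        size_t hdr = 8;
        char type[5];
        memcpy(type, buf + off + 4, 4);
        type[4] = '\0';

        if (size == 1) {                       /* 64-bit extended size */
            if (remaining < 16) { *status = ATOM_TRUNCATED_HEADER; return count; }
            size = be64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {                /* atom extends to end of data */
            size = remaining;
        }

        if (size < hdr)       { *status = ATOM_SIZE_TOO_SMALL; return count; }
        if (size > remaining) { *status = ATOM_SIZE_TOO_LARGE; return count; }

        printf("atom '%s' at offset %zu, size %llu, payload %llu bytes\n",
               type, off, (unsigned long long)size,
               (unsigned long long)(size - hdr));
        off += (size_t)size;               /* safe: size <= remaining */
        count++;
    }
    *status = ATOM_OK;
    return count;
}

/* Convenience wrappers: count of valid atoms, and the verdict on the data. */
int atom_count(const uint8_t *buf, size_t len)
{ enum atom_status st; return walk_atoms(buf, len, &st); }

enum atom_status atom_verdict(const uint8_t *buf, size_t len)
{ enum atom_status st; walk_atoms(buf, len, &st); return st; }

/* Constructed inputs (not the advisory's PoC files). */
const uint8_t good_mov[] = {
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0, 'q','t',' ',' ',
    0x00,0x00,0x00,0x08, 'f','r','e','e',
    0x00,0x00,0x00,0x01, 'm','d','a','t', 0,0,0,0, 0x00,0x00,0x00,0x14, 'A','B','C','D',
    0x00,0x00,0x00,0x00, 'm','o','o','v', 0,0,0,0
};
const uint8_t bad_huge_mov[] = {   /* mdat claims 2 GB but 4 bytes follow */
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0, 'q','t',' ',' ',
    0x7f,0xff,0xff,0xff, 'm','d','a','t', 'A','B','C','D'
};
const uint8_t bad_tiny_mov[] = {   /* moov claims size 4: size - 8 underflows */
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0, 'q','t',' ',' ',
    0x00,0x00,0x00,0x04, 'm','o','o','v'
};

int main(void)
{
    printf("good:       %d atoms, verdict %d\n", atom_count(good_mov, sizeof good_mov),
           atom_verdict(good_mov, sizeof good_mov));
    printf("oversized:  %d atoms, verdict %d\n", atom_count(bad_huge_mov, sizeof bad_huge_mov),
           atom_verdict(bad_huge_mov, sizeof bad_huge_mov));
    printf("undersized: %d atoms, verdict %d\n", atom_count(bad_tiny_mov, sizeof bad_tiny_mov),
           atom_verdict(bad_tiny_mov, sizeof bad_tiny_mov));
    return 0;
}
```

When triaging a crashing media file, a walker like this is the first thing to run over it: the atom whose declared size fails one of these checks is usually the one worth diffing against a clean file, and the same two comparisons (size not below the header, size not beyond the remaining bytes) belong in front of every allocation or memcpy that the real parser derives from an atom length.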
Discovered by: Tom Ferris

Related Links:
http://www.security-protocols.com/advisory/sp-x21-advisory.txt
http://www.laundromata.com
http://www.apple.com

Copyright (c) 2005 Security-Protocols.com