Apple QuickTime 7.0.3 & iTunes 6.0.1 Heap Overflow
Release Date:
December 20, 2005
Severity:
High (think about how many iPods were sold this year alone)
Vendor:
Apple
Versions Affected:
Apple Quicktime 7.0.3 on OS X 10.4.3
Apple iTunes 6.0.1 (3) on OSX 10.4.3
Apple Quicktime 7.0.3 on Win32
Apple iTunes 6.0.1 (3) on Win32
Overview:
A heap overflow vulnerability exists within Apple iTunes 6.0.1 and QuickTime 7.0.3. The vulnerability allows an attacker to crash the program and/or execute arbitrary code in the context of the user running the player. These flaws exist within all current and prior versions of Apple iTunes and QuickTime for Mac OS X and Win32.
Technical Details:
The vulnerability is triggered when playing a specially crafted .mov file, which causes the heap overflow. The crash always seems to land on the freed object.
The crash log /Library/Logs/CrashReporter/Quicktime Player.crash.log:
OS Version: 10.4.3 (Build 8F46)
Report Version: 3
Command: QuickTime Player
Path: /Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
Parent: WindowServer [56]
Version: 7.0.3 (7.0.3)
Build Version: 2
Project Name: QuickTime
Source Version: 3871400
PID: 294
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41820010
Thread 0 crashed with PPC Thread State 64:
srr0: 0x00000000fffeff20 srr1: 0x000000000200f030 vrsave: 0x0000000000000000
cr: 0x44222288 xer: 0x0000000000000007 lr: 0x00000000907568a8 ctr: 0x00000000fffeff00
r0: 0x00000000907568a8 r1: 0x00000000bfffc7c0 r2: 0x0000000041820010 r3: 0x000000000556e450
r4: 0x00000000909d854c r5: 0x00000000bfffc8c0 r6: 0x00000000bfffc854 r7: 0x0000000005563b70
r8: 0x000000005e4e3e2c r9: 0x000000000000000c r10: 0x000000009073e114 r11: 0x000000006f63854c
r12: 0x000000000001078c r13: 0x0000000000000002 r14: 0x0000000000000000 r15: 0x00000000a3172d58
r16: 0x000000000551e3f0 r17: 0x00000000bfffd280 r18: 0x0000000077696e64 r19: 0x0000000000000018
r20: 0x0000000000329200 r21: 0x00000000ffffd96e r22: 0x0000000000000000 r23: 0x0000000000000000
r24: 0x00000000bfffc8c0 r25: 0x0000000000000005 r26: 0x0000000000000000 r27: 0x0000000005584940
r28: 0x000000000556e450 r29: 0x0000000000000007 r30: 0x00000000bfffc8c0 r31: 0x0000000090756724
The crash log /Library/Logs/CrashReporter/iTunes.crash.log:
OS Version: 10.4.3 (Build 8F46)
Report Version: 3
Command: iTunes
Path: /Applications/iTunes.app/Contents/MacOS/iTunes
Parent: WindowServer [56]
Version: 6.0.1 (6.0.1)
Build Version: 2
Project Name: iTunes
Source Version: 6010300
PID: 350
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x40220004
Thread 0 crashed with PPC Thread State 64:
srr0: 0x00000000931aece8 srr1: 0x000000000200f030 vrsave: 0x0000000000000000
cr: 0x24044244 xer: 0x0000000000000006 lr: 0x00000000931aec88 ctr: 0x0000000000000002
r0: 0x0000000000000000 r1: 0x00000000bfffe600 r2: 0x0000000040220000 r3: 0x00000000036da4f0
r4: 0x0000000000000000 r5: 0x0000000001800000 r6: 0x00000000ffffffff r7: 0x00000000036fd940
r8: 0x00000000036c5421 r9: 0x0000000000000010 r10: 0x0000000000000001 r11: 0x00000000000018a8
r12: 0x0000000090006700 r13: 0x0000000000000002 r14: 0x0000000000000000 r15: 0x00000000a3172d58
r16: 0x000000000134fbc0 r17: 0x00000000bffff350 r18: 0x0000000077696e64 r19: 0x00000000000003f5
r20: 0x00000000bfffe8b0 r21: 0x0000000000000000 r22: 0x00000000036c2090 r23: 0x00000000bfffe9a0
r24: 0x0000000000000000 r25: 0x0000000003682b00 r26: 0x00000000bfffe8d0 r27: 0x00000000bfffe8d0
r28: 0x0000000000000000 r29: 0x0000000000000000 r30: 0x00000000036bf684 r31: 0x000000009319fd3c
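The register dumps above are the only evidence in this advisory of how far file content reaches into the player's state. The following triage script is an added example, not part of the advisory or Apple's code: it parses a CrashReporter excerpt (constructed here from the QuickTime Player log above, trimmed to a few register lines), reports which registers hold the faulting address, and flags registers whose low 32 bits are printable ASCII, as r18 = 0x77696e64 ("wind") is in the QuickTime log, which is a quick sign that bytes from the input file were copied into the crashed context.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt of the QuickTime Player crash log quoted in the advisory
# (register lines trimmed to the ones needed here).
SAMPLE_LOG = """\
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41820010
Thread 0 crashed with PPC Thread State 64:
srr0: 0x00000000fffeff20 srr1: 0x000000000200f030 vrsave: 0x0000000000000000
r0: 0x00000000907568a8 r1: 0x00000000bfffc7c0 r2: 0x0000000041820010 r3: 0x000000000556e450
r16: 0x000000000551e3f0 r17: 0x00000000bfffd280 r18: 0x0000000077696e64 r19: 0x0000000000000018
"""

REG_RE = re.compile(r"\b([a-z]+[0-9]*):\s+0x([0-9a-fA-F]+)")
FAULT_RE = re.compile(r"KERN_INVALID_ADDRESS.*?at 0x([0-9a-fA-F]+)")


def parse_crash_log(text: str) -> Tuple[int, Dict[str, int]]:
    """Return (faulting address, {register: value}) from a CrashReporter excerpt."""
    m = FAULT_RE.search(text)
    if m is None:
        raise ValueError("no KERN_INVALID_ADDRESS line in log")
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    return int(m.group(1), 16), regs


def ascii_tag(value: int) -> str:
    """Return the low 32 bits as text if all four bytes are printable ASCII, else ''."""
    raw = (value & 0xFFFFFFFF).to_bytes(4, "big")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else ""


def triage(text: str) -> dict:
    """Summarise what the register state says about input influence on the crash."""
    fault, regs = parse_crash_log(text)
    return {
        "fault": fault,
        # registers whose 32-bit value equals the faulting address
        "fault_in_regs": sorted(n for n, v in regs.items() if v & 0xFFFFFFFF == fault),
        # registers holding four printable bytes: likely data copied from the file
        "ascii_regs": {n: ascii_tag(v) for n, v in regs.items() if ascii_tag(v)},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Running it on the full logs above will also flag r8 in the QuickTime dump, since every byte of 0x5e4e3e2c happens to be printable; the check is a hint for further inspection, not proof of control.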
Below are links to two test cases for this flaw:
http://www.security-protocols.com/poc/sp-x21-1.mov (this one crashes QuickTime)
http://www.security-protocols.com/poc/sp-x21-2.mov (this one crashes both iTunes and QuickTime)
Vendor Status:
Apple was notified.
Discovered by:
Tom Ferris
Related Links:
http://www.apple.com
Copyright (c) 2005 Security-Protocols, LLC