Apple OS X QuickDraw "_GetSrcBits32ARGB ()" Memory Corruption

Release Date:
January 24th, 2007

Severity:
Medium

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.8
Safari 2.0.4 (419.3)
QuickTime 7.1.3

Overview:
Description of QuickDraw from Apple: "QuickDraw, a collection of system software routines that your application can use to perform most image-manipulation operations on Macintosh computers. This chapter also introduces you to the Printing Manager, which your application can use to print the images you create with QuickDraw."

Technical Details:
A memory corruption / denial of service vulnerability exists in QuickDraw when it parses a specially crafted PICT (.pct) image file. A malformed ARGB record in the file causes invalid memory to be accessed when the record's pixel data is handed to the _GetSrcBits32ARGB function during drawing.
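
The shape of this bug class, as an added illustration that is not Apple's code: a 32-bit ARGB pixel copy that trusts the file-supplied PixMap geometry (rowBytes and bounds) reads rows*rowBytes bytes from the source buffer regardless of how many bytes the file actually carried, so a record that claims a large bitmap over a short data blob walks off the end of the buffer. The `pixmap_hdr` struct, the `PM_*` error codes and the sample pixel bytes below are all constructed for this example; `validate_pixmap()` is the check a hardened decoder performs before the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the geometry fields of a 32-bit-per-pixel QuickDraw
 * PixMap as carried in a PICT DirectBitsRect record. Field names follow the
 * classic PixMap layout, but this struct and all code here are an added
 * illustration, not Apple's implementation. */
typedef struct {
    uint16_t rowBytes;                 /* bytes per source row (file-supplied) */
    int16_t  top, left, bottom, right; /* bounds rectangle    (file-supplied) */
    uint16_t pixelSize;                /* bits per pixel; 32 for ARGB          */
} pixmap_hdr;

enum { PM_OK = 0, PM_BAD_DEPTH = 1, PM_BAD_BOUNDS = 2, PM_BAD_ROWBYTES = 3, PM_TRUNCATED = 4 };

/* Bytes the header claims the pixel data occupies: rows * rowBytes.
 * Returns 0 on arithmetic overflow so a wrapped size is never trusted. */
static size_t claimed_bytes(const pixmap_hdr *h)
{
    if (h->bottom <= h->top) return 0;
    size_t rows = (size_t)(h->bottom - h->top);
    if (h->rowBytes != 0 && rows > SIZE_MAX / h->rowBytes) return 0;
    return rows * h->rowBytes;
}

/* Reject any PixMap whose geometry is inconsistent with itself or with the
 * number of pixel bytes actually present in the file. */
static int validate_pixmap(const pixmap_hdr *h, size_t data_len)
{
    if (h->pixelSize != 32) return PM_BAD_DEPTH;
    if (h->bottom <= h->top || h->right <= h->left) return PM_BAD_BOUNDS;
    size_t width = (size_t)(h->right - h->left);
    if (h->rowBytes < width * 4) return PM_BAD_ROWBYTES;   /* 4 bytes per ARGB pixel */
    size_t need = claimed_bytes(h);
    if (need == 0 || need > data_len) return PM_TRUNCATED;
    return PM_OK;
}

/* The unchecked copy, i.e. the shape of the bug: walks rows*rowBytes bytes of
 * src purely on the header's say-so. With a lying header it reads past the
 * end of src; when that end is a page boundary the result is exactly a
 * KERN_INVALID_ADDRESS fault. Only reachable here through argb_copy_checked(). */
static size_t argb_copy_unchecked(const pixmap_hdr *h, const uint8_t *src,
                                  uint32_t *dst, size_t dst_pixels)
{
    size_t rows = (size_t)(h->bottom - h->top);
    size_t width = (size_t)(h->right - h->left);
    size_t n = 0;
    for (size_t y = 0; y < rows && n < dst_pixels; y++) {
        const uint8_t *row = src + y * h->rowBytes;
        for (size_t x = 0; x < width && n < dst_pixels; x++, n++) {
            const uint8_t *p = row + x * 4;               /* big-endian A,R,G,B */
            dst[n] = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
        }
    }
    return n;
}

/* Hardened entry point: validate against the real data length, then copy.
 * Returns pixels copied, or the negated PM_* code on rejection. */
static long argb_copy_checked(const pixmap_hdr *h, const uint8_t *src, size_t src_len,
                              uint32_t *dst, size_t dst_pixels)
{
    int rc = validate_pixmap(h, src_len);
    if (rc != PM_OK) return -(long)rc;
    return (long)argb_copy_unchecked(h, src, dst, dst_pixels);
}

/* Constructed sample: a 4x2 ARGB image, 16 bytes per row, 32 bytes in total. */
static const uint8_t sample_pixels[32] = {
    0xFF,0x10,0x20,0x30, 0xFF,0x40,0x50,0x60, 0xFF,0x70,0x80,0x90, 0xFF,0xA0,0xB0,0xC0,
    0x80,0x01,0x02,0x03, 0x80,0x04,0x05,0x06, 0x80,0x07,0x08,0x09, 0x80,0x0A,0x0B,0x0C,
};
static const pixmap_hdr sample_hdr = { 16, 0, 0, 2, 4, 32 };
/* Constructed malformed header: claims 64 rows of 256 bytes (16 KiB) over the
 * same 32 bytes of data, the mismatch an unchecked copy would read through. */
static const pixmap_hdr lying_hdr = { 256, 0, 0, 64, 64, 32 };

static long run_sample(void)
{
    uint32_t dst[8];
    return argb_copy_checked(&sample_hdr, sample_pixels, sizeof sample_pixels, dst, 8);
}
static uint32_t sample_first_pixel(void)
{
    uint32_t dst[8] = {0};
    argb_copy_checked(&sample_hdr, sample_pixels, sizeof sample_pixels, dst, 8);
    return dst[0];
}
static long run_lying(void)
{
    uint32_t dst[8];
    return argb_copy_checked(&lying_hdr, sample_pixels, sizeof sample_pixels, dst, 8);
}

int main(void)
{
    printf("sample: %ld pixels, first = 0x%08X\n", run_sample(), sample_first_pixel());
    printf("lying header: rc = %ld (PM_TRUNCATED is %d)\n", run_lying(), PM_TRUNCATED);
    return 0;
}
```

The check that matters is the last one in `validate_pixmap()`: rows times rowBytes must fit inside the bytes the record actually supplied. The depth, bounds and rowBytes checks in front of it exist so that the multiplication is done on values that are already known to be sane rather than on whatever a fuzzed file placed in the header.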

Proof Of Concept:
The provided proof-of-concept PICT image file only triggers the crash; it does not attempt exploitation. The vulnerability can be reached through Safari, Preview or QuickTime: the backtrace below shows CoreGraphics (CGImagePlusCreateImage) handing the image to QuickTime's PICT graphics importer, which calls DrawPicture and reaches the faulting QuickDraw routine.

Below is the crash triggered on OS X 10.4.8. The faulting address 0x16f87000 is page aligned and is the value held in eax at the time of the fault, which is consistent with a copy loop in _GetSrcBits32ARGB walking past the end of a mapped source pixel buffer.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x16f87000
0x9178ac44 in _GetSrcBits32ARGB ()
(gdb) bt
#0 0x9178ac44 in _GetSrcBits32ARGB ()
#1 0x917473f5 in BBFastDoubleSrcCopy ()
#2 0x91720650 in Stretch ()
#3 0x9171f88b in OneSrcOneDst ()
#4 0x9171f35d in CommonBits ()
#5 0x9172cd9b in StdBits ()
#6 0x9173ba0a in PicItemVerb ()
#7 0x91739ecb in DrawPicture ()
#8 0x943fbf75 in qtDoDrawPictureFile ()
#9 0x98ebf81a in ImportPictDraw ()
#10 0x90ccbd57 in CallComponentFunctionCommon ()
#11 0x98ec090d in ImportPictComponentDispatch ()
#12 0x90ccba3c in CallComponentDispatch ()
#13 0x943a3b81 in GraphicsImportDraw ()
#14 0x91912129 in getBandProcQT ()
#15 0x918f1f0a in CGImagePlusUpdateCache ()
#16 0x918f1c26 in CGImagePlusCreateImage ()

== snip ==

(gdb) i r
eax 0x16f87000 385380352
ecx 0x0 0
edx 0xbfffb834 -1073760204
ebx 0x9171f8b7 -1854801737
esp 0xbfffb728 0xbfffb728
ebp 0xbfffb728 0xbfffb728
esi 0x15 21
edi 0x16f50140 385155392
eip 0x9178ac44 0x9178ac44
eflags 0x10216 66070
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb)

Solution:
Until a vendor fix is available, do not open untrusted PICT files, and disable any file and MIME type associations for PICT images (.pct/.pict, image/pict) so that Safari, Preview and QuickTime do not render them automatically.

Discovered by:
Tom Ferris

Related Links:
http://security-protocols.com/poc/sp-x42.pct
http://security-protocols.com/sp-x42-advisory.php
http://projects.info-pull.com/moab/MOAB-23-01-2007.html

2007 Security-Protocols, LLC