Apple OS X QuickDraw "InternalUnpackBits" Memory Corruption

Release Date:
January 24th, 2007

Severity:
Medium

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.8
Safari 2.0.4 (419.3)
QuickTime 7.1.3

Overview:
QuickDraw has been integrated into Mac OS since System 6.0.4. QuickDraw is used by QuickTime and any other application which needs to handle PICT image files.

Technical Details:
A memory corruption / denial-of-service vulnerability exists when parsing a malformed PICT image file. A malformed ARGB record inside the file triggers the issue when it is passed to the _GetSrcBits32ARGB function.

Proof Of Concept:
The provided proof-of-concept PICT image file will only trigger this issue. This vulnerability can be triggered via Safari, Preview and/or QuickTime.

Below is the crash triggered on OS X 10.4.8 against QuickTime 7.1.3:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x15a86000
0x9173c838 in InternalUnpackBits ()
(gdb) bt
#0 0x9173c838 in InternalUnpackBits ()
#1 0x9173c49f in InternalGetPixMapData ()
#2 0x9173b968 in PicItemVerb ()
#3 0x91739ecb in DrawPicture ()
#4 0x943fbf75 in qtDoDrawPictureFile ()
#5 0x98ebfd3f in extractCompressedData ()
#6 0x98ec074a in ImportPictGetImageDescription ()
#7 0x90ccbd57 in CallComponentFunctionCommon ()
#8 0x98ec090d in ImportPictComponentDispatch ()
#9 0x90ccba3c in CallComponentDispatch ()
#10 0x9943332e in GraphicsImportGetImageDescription ()
#11 0x98e172f0 in EatGraphicFile ()
#12 0x90ccbf6e in CallComponentFunctionCommon ()
#13 0x98e18df8 in EatGraphicComponentDispatch ()
#14 0x90ccba3c in CallComponentDispatch ()
#15 0x943bc656 in MovieImportFile ()
#16 0x943bc49c in newMovieFromFileFromComponent ()
#17 0x9430b8df in getNewMovieFromFileUsingImporters ()
#18 0x9430b131 in NewMovieFromFilePriv ()
#19 0x94307778 in NewMovieFromDataRefPriv_priv ()
#20 0x9430645e in NewMovieFromProperties_priv ()
#21 0x95a08980 in -[QTMovie initWithAttributes:error:] ()
#22 0x95a06f91 in +[QTMovie movieWithAttributes:error:] ()
#23 0x0000ad3b in -[QTPMovieDocument readFromFile:ofType:] ()
#24 0x0000ac08 in -[QTPMovieDocument initWithContentsOfFile:ofType:isHotPicks:] ()
#25 0x00013153 in -[QTPMovieDocument initWithContentsOfFile:ofType:] ()
#26 0x934fe82b in -[NSDocumentController(NSDeprecated) makeDocumentWithContentsOfFile:ofType:] ()
#27 0x93542c31 in -[NSDocumentController(NSDeprecated) _openDocumentFileAt:display:] ()
#28 0x00012ee9 in -[QTPApplicationDelegate openFiles:openInNewPlayer:] ()
#29 0x00012daf in -[QTPApplicationDelegate application:openFiles:] ()
#30 0x9337837c in -[NSApplication _doOpenFiles:] ()
#31 0x933782d8 in -[NSApplication(NSAppleEventHandling) _handleAEOpenDocuments:] ()
#32 0x93271701 in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] ()
#33 0x925f2ef1 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] ()
#34 0x925f2d1b in _NSAppleEventManagerGenericHandler ()
#35 0x91515fb5 in aeDispatchAppleEvent ()
#36 0x91515ee6 in dispatchEventAndSendReply ()
#37 0x91515db2 in aeProcessAppleEvent ()
#38 0x92dd02cc in AEProcessAppleEvent ()
#39 0x9326f63d in _DPSNextEvent ()
#40 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#41 0x93268ddb in -[NSApplication run] ()
#42 0x9325cd2f in NSApplicationMain ()
#43 0x0004040a in _start ()
#44 0x00040325 in start ()
(gdb) i r
eax 0x15a86000 363356160
ecx 0x15acc808 363644936
edx 0x15a85fff 363356159
ebx 0x9173c366 -1854684314
esp 0xbfffd568 0xbfffd568
ebp 0xbfffd578 0xbfffd578
esi 0x0 0
edi 0x2354 9044
eip 0x9173c838 0x9173c838
eflags 0x10246 66118
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb)
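The faulting frame is InternalUnpackBits, and the register dump shows eax (0x15a86000) exactly one byte past edx (0x15a85fff), which is consistent with a copy loop that has walked off the end of a buffer whose size was taken from the file rather than checked. The following is an added example, not code from the advisory, from Apple or from the proof-of-concept file: a PackBits-style run-length decoder of the kind QuickDraw's UnpackBits implements, written so that every length derived from the untrusted image data is validated against both the source and the destination before any copy. The control-byte layout, the sample streams and the function names are assumptions made for illustration.

```c
/* Added example (not from the advisory): a bounds-checked PackBits-style
 * run-length decoder. Assumed control-byte format (one signed byte n):
 *   0..127   -> copy the next n+1 literal bytes
 *   -127..-1 -> repeat the following byte 1-n times
 *   -128     -> no-op
 * A decoder that trusts these counts without checking the destination
 * capacity writes past the output buffer, the failure class suggested by
 * a fault one byte beyond a buffer end inside an unpack routine. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    UNPACK_OK = 0,
    UNPACK_ERR_SRC_TRUNCATED = 1,   /* control byte promises more input than exists */
    UNPACK_ERR_DST_OVERFLOW = 2     /* decoded data would exceed the destination */
} unpack_status;

/* Decode src (src_len bytes) into dst (dst_cap bytes). On success *out_len
 * receives the number of bytes produced. Checks happen before each copy. */
unpack_status unpack_bits_checked(const uint8_t *src, size_t src_len,
                                  uint8_t *dst, size_t dst_cap,
                                  size_t *out_len)
{
    size_t si = 0, di = 0;
    while (si < src_len) {
        int8_t ctl = (int8_t)src[si++];
        if (ctl == -128) {
            continue;                        /* no-op control byte */
        } else if (ctl >= 0) {
            size_t n = (size_t)ctl + 1;      /* literal run of n bytes */
            if (n > src_len - si) return UNPACK_ERR_SRC_TRUNCATED;
            if (n > dst_cap - di) return UNPACK_ERR_DST_OVERFLOW;
            memcpy(dst + di, src + si, n);
            si += n; di += n;
        } else {
            size_t n = (size_t)(1 - ctl);    /* repeat run: 2..128 copies */
            if (si >= src_len)    return UNPACK_ERR_SRC_TRUNCATED;
            if (n > dst_cap - di) return UNPACK_ERR_DST_OVERFLOW;
            memset(dst + di, src[si], n);
            si += 1; di += n;
        }
    }
    *out_len = di;
    return UNPACK_OK;
}

/* Constructed sample streams (hypothetical, not taken from the PoC file). */
static const uint8_t SAMPLE_OK[]        = { 0x02, 'A', 'B', 'C', 0xFE, 'Z' }; /* "ABC" + "ZZZ" */
static const uint8_t SAMPLE_OVERFLOW[]  = { 0x81, 'X' };                      /* 128 x 'X' */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x05, 'a' };                      /* promises 6 literals */

/* Decode a sample into a small fixed buffer and return the status code. */
static int decode_into_16(const uint8_t *src, size_t src_len,
                          char *out, size_t *out_len)
{
    uint8_t dst[16];
    size_t n = 0;
    unpack_status st = unpack_bits_checked(src, src_len, dst, sizeof dst, &n);
    if (st == UNPACK_OK && out) { memcpy(out, dst, n); out[n] = '\0'; }
    if (out_len) *out_len = n;
    return (int)st;
}

int sample_ok_status(void)        { return decode_into_16(SAMPLE_OK, sizeof SAMPLE_OK, NULL, NULL); }
int sample_overflow_status(void)  { return decode_into_16(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW, NULL, NULL); }
int sample_truncated_status(void) { return decode_into_16(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL, NULL); }

/* Returns 1 when the valid sample decodes to exactly "ABCZZZ" (6 bytes). */
int sample_ok_matches(void)
{
    char out[17];
    size_t n = 0;
    if (decode_into_16(SAMPLE_OK, sizeof SAMPLE_OK, out, &n) != UNPACK_OK) return 0;
    return n == 6 && strcmp(out, "ABCZZZ") == 0;
}

int main(void)
{
    printf("valid stream:     status %d, matches %d\n", sample_ok_status(), sample_ok_matches());
    printf("overflowing run:  status %d (2 = destination overflow)\n", sample_overflow_status());
    printf("truncated stream: status %d (1 = source truncated)\n", sample_truncated_status());
    return 0;
}
```

The two error paths are the ones a malformed PixMap record can exercise: a repeat count or literal count larger than the room left in the destination, and a literal count larger than the bytes remaining in the file. Rejecting either before the copy turns what would be a write one byte past the buffer end into a clean decode failure.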

Solution:
Don't open untrusted PICT files, and/or disable any file and MIME type associations related to PICT image files.

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/poc/sp-x43.pct
http://security-protocols.com/sp-x43-advisory.php

Security-Protocols.com :: 1999-2008