Apple QuickTime .mp4 "FlipFileTypeAtom_BtoN" Integer Overflow

Release Date:
April 24th, 2007

Severity:
High

Vendor:
Apple

Versions Affected:
QuickTime 7.1.5

Overview:

An integer overflow vulnerability exists within Apple QuickTime 7.1.5 and all prior versions when processing a malformed .MP4 file.

Technical Details:
When processing a malformed .MP4 file, the FlipFileTypeAtom_BtoN() function incorrectly parses the malformed data, causing the application to crash with a segmentation fault. This may allow an attacker to cause the application to stop responding and/or to execute arbitrary code within the context of the logged-in user.

Debug info:

Reason: KERN_PROTECTION_FAILURE at address: 0x00458000
0x9431cc63 in FlipFileTypeAtom_BtoN ()
(gdb) bt
#0 0x9431cc63 in FlipFileTypeAtom_BtoN ()
#1 0x9431c208 in PrivateNewMovieFromDataFork_priv ()
#2 0x9431b04a in NewMovieFromFilePriv ()
#3 0x943177d5 in NewMovieFromDataRefPriv_priv ()
#4 0x943164b2 in NewMovieFromProperties_priv ()
#5 0x95a24920 in -[QTMovie initWithAttributes:error:] ()
#6 0x95a22f31 in +[QTMovie movieWithAttributes:error:] ()
#7 0x0000adb7 in -[QTPMovieDocument readFromFile:ofType:] ()

=== snip ===
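
The advisory does not state which calculation overflows. As an added illustration of the bug class (not QuickTime's code and not part of the original advisory), the C below assumes the standard MP4 ftyp atom layout and shows how an unchecked atom size wraps into a huge brand count, beside a bounds-checked byte flip. All function names and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FTYP_HDR 16u /* size(4) + "ftyp"(4) + major_brand(4) + minor_version(4) */

/* Constructed samples, not bytes from the PoC file. BAD declares size 8. */
static const uint8_t GOOD[24] = {0,0,0,24, 'f','t','y','p', 'm','p','4','2',
                                 0,0,0,0, 'm','p','4','2', 'i','s','o','m'};
static const uint8_t BAD[24]  = {0,0,0,8,  'f','t','y','p', 'm','p','4','2',
                                 0,0,0,0, 'm','p','4','2', 'i','s','o','m'};
static uint32_t OUT[4];

/* Read a big-endian 32-bit value byte by byte (no alignment assumptions). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe pattern: for size < 16 the unsigned subtraction wraps, so a flip
 * loop driven by this count would run far past the end of the atom. */
uint32_t brand_count_unchecked(uint32_t atom_size) {
    return (atom_size - FTYP_HDR) / 4u;
}

/* Checked flip: copies the compatible brands to out[] in host order.
 * Returns the brand count, or -1 for a malformed atom. The special sizes
 * 0 (to end of file) and 1 (64-bit size follows) are rejected for brevity. */
int flip_ftyp_checked(const uint8_t *buf, size_t len, uint32_t *out, size_t cap) {
    if (len < FTYP_HDR || memcmp(buf + 4, "ftyp", 4) != 0) return -1;
    uint32_t size = be32(buf);
    if (size < FTYP_HDR || size > len) return -1;   /* bound before subtracting */
    if ((size - FTYP_HDR) % 4u != 0) return -1;     /* whole 4-byte brands only */
    size_t n = (size - FTYP_HDR) / 4u;
    if (n > cap) return -1;                         /* destination capacity */
    for (size_t i = 0; i < n; i++)
        out[i] = be32(buf + FTYP_HDR + 4 * i);
    return (int)n;
}

int main(void) {
    printf("unchecked count for size 8: %u\n", (unsigned)brand_count_unchecked(be32(BAD)));
    printf("checked, malformed atom:    %d\n", flip_ftyp_checked(BAD, sizeof BAD, OUT, 4));
    printf("checked, well-formed atom:  %d\n", flip_ftyp_checked(GOOD, sizeof GOOD, OUT, 4));
    return 0;
}
```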

Vendor Status:
Reported on 11/17/2006

Solution:
MPlayer

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/poc/sp-x46.mp4
http://security-protocols.com/sp-x46-advisory.php
http://mplayerhq.hu


Security-Protocols.com :: 1999-2008