Apple Quicktime Memory Corruption - CVE-2010-3801 Dec 17 2010 05:36PM
Rodrigo Branco (rbranco checkpoint com)
Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)

Apple Quicktime Memory Corruption when parsing FPX files


Apple Quicktime is a "powerful media technology that works on Mac and PC with just about
every popular video or audio format you come across. So you can play the digital media
you want to play".

Apple Quicktime is available as plugin to different browsers, and thus the vulnerability
can be remotely triggered.

QuickTime player does not properly parse .fpx media files, which causes a memory corruption by
opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49.

This problem was confirmed in the following versions of Apple Quicktime and browsers, other
versions may be also affected.

QuickTime Player version 7.6.8 (1675) in all Operating Systems
QuickTime Player version 7.6.6 (1671) in all Operating Systems

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C


The problem is triggered by PoC repro.fpx which causes invalid memory access in all the
refered versions and is available to interested parties only.



668E2387 F7C7 03000000 TEST EDI,3
668E238D 75 15 JNZ SHORT QuickT_1.668E23A4
668E238F C1E9 02 SHR ECX,2
668E2392 83E2 03 AND EDX,3
668E2395 83F9 08 CMP ECX,8
668E2398 72 2A JB SHORT QuickT_1.668E23C4
668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here

EDI = 0x089A0020
ESI = 0x61626364

(3e8.e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020
eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.


This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus