Credit:
The information has been provided by eEye.
The original article can be found at: http://www.eeye.com/html/research/advisories/AD20060111c.html
Vulnerable Systems:
* Quicktime on Windows 2000
* Quicktime on Windows XP
* Quicktime on Mac OS X 10.3.9
When QuickTime processes the data field of a QTIF format file, it copies the field onto the stack byte by byte with no proper length check, so an overlong field overflows the stack buffer. That stack frame also holds a function pointer which is used as soon as the copy has reached it, which allows any stack overflow protection, such as that in Windows XP SP2 and Windows 2003 SP1, to be bypassed.
The original value of the function pointer is 0x44332211. It only needs to be overflowed to 0x08332211, provided nothing crashes before the 0x44 byte has been overwritten with 0x08. Once the pointer reads 0x08332211, code at 0x08332211 is executed; JavaScript can first be used to obtain that memory and place code in it.
call [esp+138h+arg_4] <- calls a function pointer held on the stack; this pointer can be overwritten by the overflow
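The missing check described above, shown as an added example that is neither eEye's nor Apple's code: a reader for a length-prefixed atom whose payload goes into a fixed stack buffer, rejecting any payload that would not fit. The layout assumed here (4-byte big-endian size, 4-byte type tag, then payload) is the generic QuickTime atom shape; treating it as the QTIF data field, the tag name "data" and the 64-byte buffer size are assumptions for illustration.

```c
/* Added example, not code from the advisory or from Apple.  Assumed layout:
 * 4-byte big-endian atom size, 4-byte type tag "data", then payload bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DATA_BUF_SIZE 64   /* assumed fixed stack buffer size */
#define ATOM_HDR 8
#define MAX_TEST_PAYLOAD 200

/* Big-endian 32-bit read, the byte order QuickTime atom sizes use. */
static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of payload bytes copied into `out`, or -1 if the atom
 * is malformed or its payload would not fit.  The `payload > out_len` test
 * is the bound the advisory says the vulnerable copy loop lacked. */
int read_data_atom(const uint8_t *file, size_t file_len,
                   uint8_t *out, size_t out_len) {
    if (file_len < ATOM_HDR) return -1;
    uint32_t size = rd_be32(file);
    if (size < ATOM_HDR || size > file_len) return -1; /* truncated or bogus size */
    if (memcmp(file + 4, "data", 4) != 0) return -1;   /* not the expected atom */
    size_t payload = size - ATOM_HDR;
    if (payload > out_len) return -1;                  /* would overflow `out` */
    /* Byte-by-byte copy as in the advisory, but now bounded by out_len. */
    for (size_t i = 0; i < payload; i++) out[i] = file[ATOM_HDR + i];
    return (int)payload;
}

/* Builds a constructed atom with `payload_len` filler bytes and feeds it to
 * read_data_atom with a DATA_BUF_SIZE stack buffer as the destination. */
int try_atom(uint32_t payload_len) {
    if (payload_len > MAX_TEST_PAYLOAD) return -1;
    uint8_t file[ATOM_HDR + MAX_TEST_PAYLOAD];
    uint8_t buf[DATA_BUF_SIZE];
    uint32_t size = ATOM_HDR + payload_len;
    file[0] = (uint8_t)(size >> 24); file[1] = (uint8_t)(size >> 16);
    file[2] = (uint8_t)(size >> 8);  file[3] = (uint8_t)size;
    memcpy(file + 4, "data", 4);
    memset(file + ATOM_HDR, 0x41, payload_len); /* constructed filler payload */
    return read_data_atom(file, ATOM_HDR + payload_len, buf, sizeof buf);
}
```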
References:
QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html
Vendor Status:
Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications.
CVE Information:
CVE-2005-3713