Credit:
The information has been provided by Sowhat.
The original article can be found at: http://secway.org/advisory/AD20060912.txt
Vulnerable Systems:
* Apple QuickTime version 7.1.2 and prior
Immune Systems:
* Apple QuickTime version 7.1.3
CVE Information:
CVE-2006-4381
This vulnerability exists in the way QuickTime processes H.264 content.
Vulnerable code:
QuickTimeH264.qtx.68169AC3
.text:68169A63 and esp, 0FFFFFFF8h
.text:68169A66 sub esp, 214h
.text:68169A6C mov eax, dword_68323140
.text:68169A71 mov edx, [ebp+arg_8]
.text:68169A74 xor ecx, ecx
.text:68169A76 mov [esp+214h+var_4], eax
.text:68169A7D mov eax, [ebp+arg_0]
.text:68169A80 mov cl, [eax+4]
.text:68169A83 push ebx
.text:68169A84 push esi
.text:68169A85 push edi
.text:68169A86 mov [esp+220h+var_20C], 0
.text:68169A8E and ecx, 3
.text:68169A91 inc ecx
.text:68169A92 mov [edx], ecx
.text:68169A94 mov cl, [eax+5]
.text:68169A97 and cl, 1Fh
.text:68169A9A cmp cl, 1
.text:68169A9D jnz short loc_68169AEF
.text:68169A9F mov cx, [eax+6]
.text:68169AA3 movzx dx, ch
.text:68169AA7 mov dh, cl
.text:68169AA9 mov ecx, edx
.text:68169AAB cmp cx, 100h <-- cx = 0xFFFF, a 16-bit length read from the file (user controllable)
.text:68169AB0 jg short loc_68169AEF <-- signed compare; should be "ja" (unsigned)
.text:68169AB2 movsx edx, cx
.text:68169AB5 mov ecx, edx
.text:68169AB7 mov ebx, ecx <-- ecx = 0xFFFFFFFF after movsx sign-extends cx
.text:68169AB9 shr ecx, 2
.text:68169ABC lea esi, [eax+8]
.text:68169ABF lea edi, [esp+220h+var_208]
.text:68169AC3 rep movsd <-- memory copy of ecx/4 dwords into the 0x208-byte stack buffer
.text:68169AC5 mov ecx, ebx
.text:68169AC7 and ecx, 3
.text:68169ACA rep movsb
.text:68169ACC mov cl, [edx+eax+8]
.text:68169AD0 lea esi, [edx+8]
.text:68169AD3 inc esi
.text:68169AD4 cmp cl, 1
.text:68169AD7 jnz short loc_68169AEF
.text:68169AD9 mov cx, [esi+eax]
.text:68169ADD movzx bx, ch
.text:68169AE1 mov bh, cl
.text:68169AE3 add esi, 2
.text:68169AE6 mov ecx, ebx
.text:68169AE8 cmp cx, 100h
.text:68169AED jle short loc_68169B07
This vulnerability can be exploited by persuading a user to open a carefully crafted .mov file or to visit a website that embeds the malicious .mov file.
Vendor Response:
2006.05.06 - Vendor notified via product-security@apple.com
2006.05.07 - Vendor responded
2006.09.07 - Vendor notified me that the patch was available.
2006.09.12 - Vendor released QuickTime 7.1.3
2006.09.12 - Advisory released