Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2009-0955 to a friend New vulnerability? New tool? Tell us	CVE-2009-0955 Apple QuickTime Image Description Memory Corruption     Credit: The information has been provided by CVE-2009-0955 . Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2009-0955 Details Check for CVE-2009-0955 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Apple QuickTime version 7.6 and before Immune Systems:  * Apple QuickTime version 7.6.2 and later According to QuickTime's specification, The sample description atom (STSD) stores information that allows QuickTime to decode samples in the media. It has the following structure: 0 DWORD Size 4 DWORD Type 8 BYTE Version 9 BYTE[3] FLAGS 12 DWORD Number of entries 16 DWORD Sample description table The structure of each entry in the sample description table varies by the media type, however the first four fields are the same for all media types: 0 DWORD Sample description size 4 DWORD Data format 6 BYTE[6] Reserved 12 WORD Data reference index These four fields may be followed by additional data specific to the media type and data format. For video media, the general sample description format is extended by the following structure: 14 WORD Version 16 WORD Revision level 18 DWORD Vendor 22 DWORD Temporal quality 26 DWORD Spatial quality 30 WORD Width 32 WORD Height 34 DWORD Horizontal resolution 38 DWORD Vertical resolution 42 DWORD Data size 46 WORD Frame count 48 BYTE[32] Compressor name 80 WORD Depth 82 WORD Color table ID VULNERABILITY DETAILS -=================== When the data format field (offset 4 of the sample description table extension) is 'RVZA' (Apple Video), it is possible to trigger a sign extension vulnerability which leads to a buffer underflow. The following is the faulty sign extended MOV: MOVSX ECX,WORD PTR SS:[ESP+4C] [ESP+4C] contains a user controlled input, which is equal to "((width+(4-width%4))*4 & 0xFFFF" where 'width' is taken from the RVZA sample description entry (offset 30). If width >= 0x5FFD, then [ESP+4C] >= 0x8000. Sign-extending such values results in very large unsigned values, as their most significant word becomes 0xFFFF (so 0x8000 is sign-extended to 0xFFFF8000). Deeper in the code, the user controllable sign-extended value is treated as the size of a structure. A vector of this structure is walked over: [1] At each iteration the base pointer is incremented by the user's controlled sign-extended value. This means that it is possible to force the pointer to reference memory regions below the vector's VA: ADD EAX,EDX ; EAX = vector, EDX = sign extended value [2] At each iteration values are written to an element in the vector (a single structure) which is referenced by the incremented pointer. This means that it is possible to write to memory regions below the buffer's VA. MOV DWORD PTR DS:[EAX],EBX MOV DWORD PTR DS:[EAX+4],EBX MOV DWORD PTR DS:[EAX+4],EBX MOV DWORD PTR DS:[EAX],EBX CVE Information: CVE-2009-0955  Comments on CVE-2009-0955:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2017 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®