SecuriTeam - Apple QuickTime FLIC File Heap Overflow

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Quicktime is Apple's media player product used to render video and other media.

Remote exploitation of a heap-based buffer overflow in Apple Computer's QuickTime Player could allow attackers to execute code under the privileges of the affected application.

Credit:
The information has been provided by iDefense.
The original article can be found at:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=413

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

A FLIC file is an animation file consisting of a number of frames, each of which is made up of an image and may contain other information such as a palette or a label.

The vulnerability specifically exists in the handling of the COLOR_64 chunk in FLIC format files. QuickTime does not validate that the data size allocated to store the palette is large enough, allowing a malformed file to cause controllable heap corruption.

Exploitation could allow attackers to execute arbitrary code in the context of the currently logged in user. In order to exploit this vulnerability, attackers must social engineer victims into visiting a website under their control.

The QuickTime plugin can be forced to load in Firefox and Internet Explorer. Furthermore, testing shows that either browser can be used as an attack vector. It is also possible to open this type of file directly from within QuickTime or from a playlist that QuickTime has opened.

The data being used to overwrite the heap is in the form 0x00XXYYZZ, where XX, YY and ZZ are controllable. This limits the range of values that can be overwritten, but does not prevent it.

Patch Availability:
QuickTime 7.1.3 may be obtained from the Software Update pane in System Preferences, or from the Download tab in the QuickTime site

For Mac OS X v10.3.9 or later
The download file is named: "QuickTimeInstallerX.dmg"
Its SHA-1 digest is: 55cfeb0d92d8e0a0694267df58d2b53526d24d3d

QuickTime 7.1.3 for Windows 2000/XP
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 047a9f2d88c8a865b4ad5f24c9904b8727ba71e7

QuickTime 7.1.3 with iTunes for Windows 2000/XP
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 5cdc86b2edb1411b9a022f05b1bfbe858fbcf901

Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798

CVE Information:
CAN-2006-4384

	Real Networks RealPlayer Compressed GIF Handling Integer Overflow
	RealNetworks RealPlayer CMediumBlockAllocator Integer Overflow Vulnerability
	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution