Public Vulnerability Reports

Apple QuickTime FLIC File Heap Overflow Vulnerability

09.12.06

BACKGROUND

Quicktime is Apple's media player product used to render video and other
media. For more information visit http://www.apple.com/quicktime/

DESCRIPTION

Remote exploitation of a heap-based buffer overflow in Apple Computer's
QuickTime Player could allow attackers to execute code under the
privileges of the affected application.

A FLIC file is an animation file consisting of a number of frames, each
of which is made up of an image and may contain other information such
as a palette or a label.

The vulnerability specifically exists in the handling of the COLOR_64
chunk in FLIC format files. QuickTime does not validate that the data
size allocated to store the palette is large enough, allowing a
malformed file to cause controllable heap corruption.

ANALYSIS

Exploitation could allow attackers to execute arbitrary code in the
context of the currently logged in user. In order to exploit this
vulnerability, attackers must social engineer victims into visiting a
website under their control.

The QuickTime plugin can be forced to load in Firefox and Internet
Explorer. Furthermore, testing shows that either browser can be used as
an attack vector. It is also possible to open this type of file directly
from within QuickTime or from a playlist that QuickTime has opened.

The data being used to overwrite the heap is in the form 0x00XXYYZZ,
where XX, YY and ZZ are controllable. This limits the range of values
that can be overwritten, but does not prevent it.

DETECTION

iDefense Labs confirmed that version 7.1 of the QuickTime player is
vulnerable. It is suspected that all previous versions are also
affected.

WORKAROUND

iDefense is currently unaware of any effective workarounds for this
vulnerability.

VENDOR RESPONSE

"
QuickTime 7.1.3 may be obtained from the Software Update pane in
System Preferences, or from the Download tab in the QuickTime site
http://www.apple.com/quicktime/

For Mac OS X v10.3.9 or later
The download file is named: "QuickTimeInstallerX.dmg"
Its SHA-1 digest is: 55cfeb0d92d8e0a0694267df58d2b53526d24d3d

QuickTime 7.1.3 for Windows 2000/XP
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 047a9f2d88c8a865b4ad5f24c9904b8727ba71e7

QuickTime 7.1.3 with iTunes for Windows 2000/XP
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 5cdc86b2edb1411b9a022f05b1bfbe858fbcf901

Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798
"

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2006-4384 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

08/16/2006 Initial vendor notification
08/16/2006 Initial vendor response
09/12/2006 Coordinated public disclosure

CREDIT

This vulnerability was reported to iDefense by Rubén Santamarta of
reversemode.com.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

LEGAL NOTICES

Copyright © 2006 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.