Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Apple QuickTime H.264 Integer Overflow

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Apple QuickTime H.264 Integer Overflow
Date: 13 Sep 2006 10:33:14 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Apple QuickTime H.264 Integer Overflow
------------------------------------------------------------------------


SUMMARY

By carefully crafting a corrupt H.264 movie, an attacker can trigger an 
integer overflow which may lead to an application crash or arbitrary code 
execution with the privileges of the user. The vulnerability allows an 
attacker to  execute arbitrary code in the context of the user who 
executes QuickTime.

DETAILS

Vulnerable Systems:
 * Apple QuickTime version 7.1.2 and prior

Immune Systems:
 * Apple QuickTime version 7.1.3

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4381> 
CVE-2006-4381

This vulnerability exists in the way QuickTime process the H.264 content.

Vulnerable code:
QuickTimeH264.qtx.68169AC3

text:68169A63 and esp, 0FFFFFFF8h
text:68169A66 sub esp, 214h
text:68169A6C mov eax, dword_68323140
text:68169A71 mov edx, [ebp+arg_8]
text:68169A74 xor ecx, ecx
text:68169A76 mov [esp+214h+var_4], eax
text:68169A7D mov eax, [ebp+arg_0]
text:68169A80 mov cl, [eax+4]
text:68169A83 push ebx
text:68169A84 push esi
text:68169A85 push edi
text:68169A86 mov [esp+220h+var_20C], 0
text:68169A8E and ecx, 3
text:68169A91 inc ecx
text:68169A92 mov [edx], ecx
text:68169A94 mov cl, [eax+5]
text:68169A97 and cl, 1Fh
text:68169A9A cmp cl, 1
text:68169A9D jnz short loc_68169AEF
text:68169A9F mov cx, [eax+6]
text:68169AA3 movzx dx, ch
text:68169AA7 mov dh, cl
text:68169AA9 mov ecx, edx
text:68169AAB cmp cx, 100h <-- cx = FFFF which is user controllable
text:68169AB0 jg short loc_68169AEF <-- should be "ja"
text:68169AB2 movsx edx, cx
text:68169AB5 mov ecx, edx
text:68169AB7 mov ebx, ecx <-- ecx = 0xFFFFFFFF
text:68169AB9 shr ecx, 2
text:68169ABC lea esi, [eax+8]
text:68169ABF lea edi, [esp+220h+var_208]
text:68169AC3 rep movsd <-- do memory copy
text:68169AC5 mov ecx, ebx
text:68169AC7 and ecx, 3
text:68169ACA rep movsb
text:68169ACC mov cl, [edx+eax+8]
text:68169AD0 lea esi, [edx+8]
text:68169AD3 inc esi
text:68169AD4 cmp cl, 1
text:68169AD7 jnz short loc_68169AEF
text:68169AD9 mov cx, [esi+eax]
text:68169ADD movzx bx, ch
text:68169AE1 mov bh, cl
text:68169AE3 add esi, 2
text:68169AE6 mov ecx, ebx
text:68169AE8 cmp cx, 100h
text:68169AED jle short loc_68169B07

This vulnerability can be exploited By persuading a user to open a 
carefully crafted .mov files or visit a website embedding the malicious 
mov file.

Vendor Response:
2006.05.06 - Vendor notified via product-security@apple.com
2006.05.07 - Vendor responded
2006.09.07 - Vendor notified me the patch is available.
2006.09.12 - Vendor released QuickTime 7.1.3
2006.09.12 - Advisory released


ADDITIONAL INFORMATION

The information has been provided by  <mailto:smaillist@gmail.com> Sowhat.
The original article can be found at:  
<http://secway.org/advisory/AD20060912.txt> 
http://secway.org/advisory/AD20060912.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Apple QuickTime H.264 Integer Overflow, SecuriTeam <=
Previous by Date:  [NT] Microsoft Publisher Font Parsing Vulnerability, SecuriTeam
Next by Date:  [UNIX] Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow, SecuriTeam
Previous by Thread:  [NT] Microsoft Publisher Font Parsing Vulnerability, SecuriTeam
Next by Thread:  [UNIX] Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]