CVE-2015-3788
An exploitable denial of service vulnerability exists in Apple Quicktime. An attacker who can control the size of a “url” atom in a mov media file can cause an undersized allocation leading to an out-of-bounds read. Since the allocation only contains data already from the file, the impact is limited to denial of service.
Apple Quicktime 7.7.5 - Windows 7 32-bit Vulnerable
Apple Quicktime 7.7.6 - Windows 7 32-bit Vulnerable
https://www.apple.com/quicktime/
The function Quicktime!0x73aad0 is responsible for calculating the size of the data portion of a “url ” atom:

if ( atom_size >= 8 )                          // only the 8-byte atom header is required
{
    (...)
    if ( atom_size - 12 >= 0 )                 // true for any atom_size >= 12
    {
        *(_DWORD *)v6 = 0;
        sub_6718E230(v5, v6, atom_size - 12);  // allocation size may be 0
    }
The atom size must be at least 8 bytes, and the size of the new allocation is computed by subtracting 12 from it. Because the only check is that this result is not negative, an atom whose size is exactly 12 produces an allocation containing 0 bytes of data.
The function QuicktimeStreaming!0x8b2e0 is responsible for processing the url atom data. A null-terminated string is expected; however, a pointer to the data is passed directly to strlen() to determine the string length:
v1 = strlen(atom_data);   // unbounded scan for a NUL the data may not contain
v2 = 0;
if ( (signed int)(v1 - 1) <= 0 )
{
The problem occurs when a “url ” atom contains either 0 bytes of data or data that is not null-terminated. In both cases the call to strlen() reads past the end of the buffer until it happens to find a zero byte, resulting in an out-of-bounds read:
eax=00000001 ebx=0027c8b4 ecx=00000000 edx=00000004 esi=20257000 edi=20257001
eip=6931b482 esp=0027c74c ebp=20257000 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x18172:
6931b482 8a16 mov dl,byte ptr [esi] ds:0023:20257000=??
STACK_TEXT:
0013c3ec 68a0b4fb 20fc5000 208a0d6e 689e2c45 QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x18172
0013c3f8 689e2c45 20fc5000 208a0d6e 208a0d6e QuickTimeStreaming!QTCacheComponent_ComponentDispatch+0x181eb
0013c414 698e368a 208a0da2 208a0d6e 0013c4e4 QuickTimeStreaming!InetDHComponentDispatch+0x14a5
00000000 00000000 00000000 00000000 00000000 QuickTime!CallComponentFunctionWithStorage+0x4a
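The following bounded parser is an added example, not code from the advisory or from QuickTime, showing how the two conditions described above (a 0-byte payload and a payload with no terminator) are rejected before any string scan. It assumes the “url ” full-atom layout of a 4-byte size, 4-byte type, 4 bytes version/flags and then the location string, which is why 12 is subtracted; the sample atoms are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcomes of the bounded "url " atom check. */
enum url_atom_status {
    URL_OK = 0,
    URL_TOO_SHORT,      /* size field below the 12-byte full-atom header */
    URL_TRUNCATED,      /* size field claims more bytes than the buffer holds */
    URL_EMPTY,          /* size - 12 == 0: the 0-byte payload the advisory describes */
    URL_NOT_TERMINATED  /* no NUL anywhere inside the payload */
};

static uint32_t be32(const uint8_t *p) {   /* big-endian atom size field */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Assumed layout: 4-byte size, 4-byte type "url ", 4 bytes version/flags, then the
 * location string, so size - 12 is the payload length. The terminator is searched
 * with memchr() bounded by that length, so a missing NUL is reported rather than
 * read past the allocation. On URL_OK, *slen_out (if non-NULL) gets the string length. */
enum url_atom_status parse_url_atom(const uint8_t *buf, size_t buflen, size_t *slen_out) {
    if (buflen < 12) return URL_TOO_SHORT;
    uint32_t atom_size = be32(buf);
    if (atom_size < 12) return URL_TOO_SHORT;   /* 8..11 passes the original >= 8 test */
    if (atom_size > buflen) return URL_TRUNCATED;
    size_t payload_len = atom_size - 12;
    if (payload_len == 0) return URL_EMPTY;
    const uint8_t *payload = buf + 12;
    const uint8_t *nul = memchr(payload, '\0', payload_len);
    if (nul == NULL) return URL_NOT_TERMINATED;
    if (slen_out) *slen_out = (size_t)(nul - payload);
    return URL_OK;
}

/* Length of a well-formed atom's string, or 0 when parse_url_atom() rejects it. */
size_t url_atom_strlen(const uint8_t *buf, size_t buflen) {
    size_t n = 0;
    return parse_url_atom(buf, buflen, &n) == URL_OK ? n : 0;
}

/* Constructed sample atoms (not taken from any real file). */
const uint8_t ATOM_GOOD[]  = {0,0,0,21,'u','r','l',' ',0,0,0,0,'f','i','l','e','.','m','o','v',0};
const uint8_t ATOM_EMPTY[] = {0,0,0,12,'u','r','l',' ',0,0,0,0};
const uint8_t ATOM_NONUL[] = {0,0,0,16,'u','r','l',' ',0,0,0,0,'a','b','c','d'};
const uint8_t ATOM_SHORT[] = {0,0,0,8,'u','r','l',' '};
```

ATOM_EMPTY and ATOM_NONUL are exactly the two inputs on which the original strlen() call overreads; here both are rejected without touching a byte beyond the atom.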
Ryan Pentney and Richard Johnson of Cisco Talos