Apple QuickTime FLIC File Heap Overflow Vulnerability iDefense Security Advisory 09.12.06 http://www.idefense.com/intelligence/vulnerabilities/ Sep 12, 2006 I. BACKGROUND Quicktime is Apple's media player product used to render video and other media. For more information visit http://www.apple.com/quicktime/ II. DESCRIPTION Remote exploitation of a heap-based buffer overflow in Apple Computer's QuickTime Player could allow attackers to execute code under the privileges of the affected application. A FLIC file is an animation file consisting of a number of frames, each of which is made up of an image and may contain other information such as a palette or a label. The vulnerability specifically exists in the handling of the COLOR_64 chunk in FLIC format files. QuickTime does not validate that the data size allocated to store the palette is large enough, allowing a malformed file to cause controllable heap corruption. III. ANALYSIS Exploitation could allow attackers to execute arbitrary code in the context of the currently logged in user. In order to exploit this vulnerability, attackers must social engineer victims into visiting a website under their control. The QuickTime plugin can be forced to load in Firefox and Internet Explorer. Furthermore, testing shows that either browser can be used as an attack vector. It is also possible to open this type of file directly from within QuickTime or from a playlist that QuickTime has opened. The data being used to overwrite the heap is in the form 0x00XXYYZZ, where XX, YY and ZZ are controllable. This limits the range of values that can be overwritten, but does not prevent it. IV. DETECTION iDefense Labs confirmed that version 7.1 of the QuickTime player is vulnerable. It is suspected that all previous versions are also affected. V. WORKAROUND iDefense is currently unaware of any effective workarounds for this vulnerability. VI. VENDOR RESPONSE " QuickTime 7.1.3 may be obtained from the Software Update pane in System Preferences, or from the Download tab in the QuickTime site http://www.apple.com/quicktime/ For Mac OS X v10.3.9 or later The download file is named: "QuickTimeInstallerX.dmg" Its SHA-1 digest is: 55cfeb0d92d8e0a0694267df58d2b53526d24d3d QuickTime 7.1.3 for Windows 2000/XP The download file is named: "QuickTimeInstaller.exe" Its SHA-1 digest is: 047a9f2d88c8a865b4ad5f24c9904b8727ba71e7 QuickTime 7.1.3 with iTunes for Windows 2000/XP The download file is named: "iTunesSetup.exe" Its SHA-1 digest is: 5cdc86b2edb1411b9a022f05b1bfbe858fbcf901 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 " VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2006-4384 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/16/2006 Initial vendor notification 08/16/2006 Initial vendor response 09/12/2006 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by Rubén Santamarta of reversemode.com. Get paid for vulnerability research http://www.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.iDefense.com/ X. LEGAL NOTICES Copyright © 2006 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@iDefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.