
CVE-2012-0663 Apple Quicktime Buffer Overflow

Disclosure Date: May 16, 2012

Description

Multiple stack-based buffer overflows in Apple QuickTime before 7.7.2 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TeXML file.

Technical Analysis

Down p sub_67EED2E0+193 call dangerous_copy_sub_67EED1E0 <— Interesting (0x67EED473)
Down p sub_67EED2E0+1E7 call dangerous_copy_sub_67EED1E0
Down p sub_67EED2E0+23C call dangerous_copy_sub_67EED1E0
Down p sub_67EED2E0+28D call dangerous_copy_sub_67EED1E0
Down p manage_transform_sub_67EED810+B6 call dangerous_copy_sub_67EED1E0 (*) this is the one we have reviewed


We noticed that sub_67EED2E0+193 can also trigger the crash, with even longer data without
triggering the warning.  In this particular case, the parser is handling arguments ending with
a "%", which can be reached as a 'color' argument, for example:

{ color: AAAAAAAAAAAAAA% }


Where "AAAAAAAAAAAAAA" will be copied on the stack. Also see poc3.xml for example.

As a result, we get to overwrite the stack with more data (like I said), and we end up overwriting
the SEH:

(c54.da8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.qtx -
eax=00000030 ebx=0013cc25 ecx=0e0a7288 edx=0000355f esi=00140000 edi=0013cba0
eip=67eed1f3 esp=0013cb74 ebp=00000004 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
QuickTime3GPP!EatTx3gComponentDispatch+0x4033:
67eed1f3 8806 mov byte ptr [esi],al ds:0023:00140000=41
0:000> !exchain
0013ce24: 30303030
Invalid exception stack at 30303030
0:000> g
(c54.da8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=30303030 edx=7c9032bc esi=00000000 edi=00000000
eip=30303030 esp=0013c7a4 ebp=0013c7c4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
30303030 ?? ???

quicktime.qts does not have SafeSEH protection.

The final version of the exploit can be found here:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/apple_quicktime_texml.rb
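The pattern the assessment describes, a "%"-terminated style value copied onto a fixed-size stack buffer with no length check, is input a defender can both bound and screen for. The C below is an added example and is not code from the assessment or from QuickTime; the MAX_PCT_VALUE bound, the simplified `key: value%` scanning, and the sample style blocks are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed bound: far more than a legitimate "100%"-style value needs. */
#define MAX_PCT_VALUE 16

/* Copy the text before a '%' (e.g. "50" from "50%") into a fixed-size
 * destination. Returns the value length, or -1 when there is no '%' or the
 * value does not fit. The bug in the assessment is a copy of this kind with
 * the size check missing, so oversized values run past the stack buffer. */
int copy_percent_value(const char *src, char *dst, size_t dstlen) {
    const char *end = strchr(src, '%');
    if (end == NULL) return -1;
    size_t n = (size_t)(end - src);
    if (n + 1 > dstlen) return -1;      /* the check the unsafe copy lacked */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Scan a TeXML-like style block for "key: value%" pairs and return the length
 * of the longest '%'-terminated value. A simplified scanner (assumption), not
 * the real TeXML grammar. */
size_t longest_percent_value(const char *text) {
    size_t longest = 0;
    const char *p = text;
    while ((p = strchr(p, ':')) != NULL) {
        p++;
        while (*p == ' ' || *p == '\t') p++;
        const char *v = p;
        while (*p && *p != '%' && *p != '}' && *p != ';' && *p != '\n') p++;
        if (*p == '%') {
            size_t n = (size_t)(p - v);
            if (n > longest) longest = n;
            p++;
        }
    }
    return longest;
}

/* A file whose longest percent value exceeds the bound is worth quarantining
 * before it reaches an unpatched QuickTime. */
int texml_style_is_suspicious(const char *text) {
    return longest_percent_value(text) > MAX_PCT_VALUE;
}

int main(void) {
    static const char benign[] = "{ color: 50% }";                       /* constructed */
    static const char oversized[] = "{ color: AAAAAAAAAAAAAAAAAAAA% }";   /* constructed */
    printf("benign: longest=%zu suspicious=%d\n",
           longest_percent_value(benign), texml_style_is_suspicious(benign));
    printf("oversized: longest=%zu suspicious=%d\n",
           longest_percent_value(oversized), texml_style_is_suspicious(oversized));
    return 0;
}
```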


General Information

Vendors

  • apple

Products

  • quicktime,
  • quicktime 3.0,
  • quicktime 4.1.2,
  • quicktime 5.0,
  • quicktime 5.0.1,
  • quicktime 5.0.2,
  • quicktime 6.0,
  • quicktime 6.0.0,
  • quicktime 6.0.1,
  • quicktime 6.0.2,
  • quicktime 6.1,
  • quicktime 6.1.0,
  • quicktime 6.1.1,
  • quicktime 6.2.0,
  • quicktime 6.3.0,
  • quicktime 6.4.0,
  • quicktime 6.5,
  • quicktime 6.5.0,
  • quicktime 6.5.1,
  • quicktime 6.5.2,
  • quicktime 7.0,
  • quicktime 7.0.0,
  • quicktime 7.0.1,
  • quicktime 7.0.2,
  • quicktime 7.0.3,
  • quicktime 7.0.4,
  • quicktime 7.1,
  • quicktime 7.1.0,
  • quicktime 7.1.1,
  • quicktime 7.1.2,
  • quicktime 7.1.3,
  • quicktime 7.1.4,
  • quicktime 7.1.5,
  • quicktime 7.1.6,
  • quicktime 7.2,
  • quicktime 7.2.0,
  • quicktime 7.2.1,
  • quicktime 7.3,
  • quicktime 7.3.0,
  • quicktime 7.3.1,
  • quicktime 7.3.1.70,
  • quicktime 7.4,
  • quicktime 7.4.0,
  • quicktime 7.4.1,
  • quicktime 7.4.5,
  • quicktime 7.5.0,
  • quicktime 7.5.5,
  • quicktime 7.6.0,
  • quicktime 7.6.1,
  • quicktime 7.6.2,
  • quicktime 7.6.5,
  • quicktime 7.6.6,
  • quicktime 7.6.7,
  • quicktime 7.6.8,
  • quicktime 7.6.9,
  • quicktime 7.60.92.0,
  • quicktime 7.62.14.0,
  • quicktime 7.64.17.73,
  • quicktime 7.65.17.80,
  • quicktime 7.66.71.0,
  • quicktime 7.67.75.0,
  • quicktime 7.68.75.0,
  • quicktime 7.69.80.9,
  • quicktime 7.7.0
