ID

VAR-201012-0213

CVE

CVE-2010-3801

TITLE

Apple QuickTime Vulnerable to arbitrary code execution

DESCRIPTION

Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted FlashPix file. User interaction is required in that a user must be coerced into opening up a malicious document or visiting a malicious website.The specific flaw exists within the way the application parses a particular property out of a flashpix file. The application will explicitly trust a field in the property as a length for a loop over an array of data structures. If this field's value is larger than the number of objects, the application will utilize objects outside of this array. Successful exploitation can lead to code execution under the context of the application. Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more. ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-259 December 7, 2010 -- CVE ID: CVE-2010-3801 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10654. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4447 -- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-12-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Damian Put -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi . Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Apple Quicktime Memory Corruption when parsing FPX files CVE-2010-3801 INTRODUCTION Apple Quicktime is a "powerful media technology that works on Mac and PC with just about every popular video or audio format you come across. So you can play the digital media you want to play". QuickTime player does not properly parse .fpx media files, which causes a memory corruption by opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49. This problem was confirmed in the following versions of Apple Quicktime and browsers, other versions may be also affected. QuickTime Player version 7.6.8 (1675) in all Operating Systems QuickTime Player version 7.6.6 (1671) in all Operating Systems CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM The problem is triggered by PoC repro.fpx which causes invalid memory access in all the refered versions and is available to interested parties only. DETAILS Disassembly: 668E2387 F7C7 03000000 TEST EDI,3 668E238D 75 15 JNZ SHORT QuickT_1.668E23A4 668E238F C1E9 02 SHR ECX,2 668E2392 83E2 03 AND EDX,3 668E2395 83F9 08 CMP ECX,8 668E2398 72 2A JB SHORT QuickT_1.668E23C4 668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here EDI = 0x089A0020 ESI = 0x61626364 (3e8.e3c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020 eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 0:000> !exploitable Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17) This is a read access violation in a block data move, and is therefore classified as probably exploitable. CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer overflow

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Damian Put

SOURCES

LAST UPDATE DATE

2025-04-11T23:05:55.777000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE