
Apple QuickTime Player m4a Processing Buffer Overflow

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Title Apple QuickTime Player m4a Processing Buffer Overflow
Release Date 23 October 2014
Reference NGS00677
Discoverer Karl Smith
Vendor Apple
Vendor Reference 16247108
Systems Affected Windows 7, XP
CVE Reference CVE-2014-4351
Risk High
Status Fixed
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Discovered 3 March 2014
Reported 6 March 2014
Released 6 March 2014
Fixed 16 October 2014
Published 23 October 2014
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Description
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
QuickTime Player on OS X and Windows has been found to suffer from a buffer overflow that could lead to arbitrary code execution. The condition is triggered by the processing of maliciously crafted m4a files. The systems listed as affected above, and the crash analysed below, are QuickTime on Windows.
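The advisory does not say which atom the fuzzed m4a file corrupted, so the following is an added example, not code from NCC Group, Apple or the fuzzed file: a minimal ISO BMFF (m4a/mp4) atom walker that shows the general bug class behind "buffer overflow while processing m4a" (a parser trusting the 32-bit size field in each atom header) next to a bounds-checked version. The sample inputs, the atom_t structure and all function names are constructed for the illustration.

```c
/*
 * Added example (not NCC Group's or Apple's code): ISO BMFF atom walker.
 * walk_atoms_naive() trusts the size field; walk_atoms_safe() does not.
 * All sample inputs are constructed for this illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATOM_PAYLOAD 64
#define MAX_ATOMS 8

typedef struct {
    char type[5];          /* four-character atom code, NUL-terminated */
    uint64_t payload_len;  /* validated number of bytes after the header */
} atom_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* VULNERABLE pattern: the 32-bit size field from the file drives a memcpy into a
 * fixed stack buffer with no check against sizeof(payload) or the bytes present.
 * size < 8 wraps (size - 8) to ~4 GiB; size > 72 overruns payload.
 * Only ever call this on the benign sample. */
int walk_atoms_naive(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off + 8 <= len) {
        uint32_t size = be32(buf + off);
        uint8_t payload[MAX_ATOM_PAYLOAD];
        memcpy(payload, buf + off + 8, size - 8);   /* BUG: unchecked length */
        (void)payload;
        count++;
        off += size;
    }
    return count;
}

/* HARDENED: every size is checked against the bytes remaining, the 64-bit
 * "largesize" (size == 1) and "to end of input" (size == 0) encodings are
 * handled, and nothing is copied unbounded. Returns the atom count, or -1
 * for a malformed stream. */
int walk_atoms_safe(const uint8_t *buf, size_t len, atom_t *out, size_t max_out) {
    size_t off = 0, count = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8) return -1;                   /* truncated header */
        uint64_t size = be32(buf + off);
        size_t hdr = 8;
        if (size == 1) {                                /* extended header */
            if (remaining < 16) return -1;
            size = be64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {                         /* atom runs to end of input */
            size = remaining;
        }
        if (size < hdr || size > remaining) return -1;  /* would wrap or overrun */
        if (count < max_out) {
            memcpy(out[count].type, buf + off + 4, 4);
            out[count].type[4] = '\0';
            out[count].payload_len = size - hdr;
        }
        count++;
        off += (size_t)size;
    }
    return (int)count;
}

/* Constructed inputs: a well-formed ftyp+free pair, then streams with the
 * kind of mutated size fields a fuzzer such as Peach produces. */
static const uint8_t SAMPLE_OK[] = {
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'M','4','A',' ', 0,0,0,0, 'M','4','A',' ',
    0x00,0x00,0x00,0x08, 'f','r','e','e' };
static const uint8_t SAMPLE_OVERSIZE[] = {            /* moov claims ~4 GiB */
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'M','4','A',' ', 0,0,0,0, 'M','4','A',' ',
    0xFF,0xFF,0xFF,0xF0, 'm','o','o','v', 'A','A','A','A' };
static const uint8_t SAMPLE_UNDERSIZE[] = {           /* size 4 < 8-byte header */
    0x00,0x00,0x00,0x04, 'm','d','a','t' };
static const uint8_t SAMPLE_LARGESIZE[] = {           /* size==1, 64-bit length 20 */
    0x00,0x00,0x00,0x01, 'm','d','a','t', 0,0,0,0,0,0,0,0x14, 'A','B','C','D' };

int demo_ok(void)        { atom_t a[MAX_ATOMS]; return walk_atoms_safe(SAMPLE_OK, sizeof SAMPLE_OK, a, MAX_ATOMS); }
int demo_oversize(void)  { atom_t a[MAX_ATOMS]; return walk_atoms_safe(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, a, MAX_ATOMS); }
int demo_undersize(void) { atom_t a[MAX_ATOMS]; return walk_atoms_safe(SAMPLE_UNDERSIZE, sizeof SAMPLE_UNDERSIZE, a, MAX_ATOMS); }
uint64_t demo_largesize_payload(void) {
    atom_t a[MAX_ATOMS];
    int n = walk_atoms_safe(SAMPLE_LARGESIZE, sizeof SAMPLE_LARGESIZE, a, MAX_ATOMS);
    return n == 1 ? a[0].payload_len : 0;
}

int main(void) {
    printf("benign: naive=%d safe=%d\n", walk_atoms_naive(SAMPLE_OK, sizeof SAMPLE_OK), demo_ok());
    printf("oversize atom: safe=%d (naive would overrun its 64-byte buffer)\n", demo_oversize());
    printf("undersize atom: safe=%d (naive would memcpy ~4 GiB)\n", demo_undersize());
    printf("largesize atom: payload=%llu bytes\n", (unsigned long long)demo_largesize_payload());
    return 0;
}
```

The two malformed samples are the ones worth keeping in mind when triaging a fuzzer crash like the one below: an oversized atom makes a naive parser read or copy past the end of its input or destination, and an undersized one (size below the 8-byte header) turns `size - 8` into an enormous unsigned length, which is how a single mutated field produces heap corruption that only surfaces later, at free time.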
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The debug output resulting from the crash, captured in WinDbg with page heap enabled (note the ntdll!RtlpDebugPageHeap* frames on the stack), is shown below. The access violation is a read of the unmapped address 0xcf78afbc inside ntdll!RtlpDphIsNormalHeapBlock while OLEAUT32!SysFreeString, called from QuickTimePlayer.dll, frees a heap block: the page heap is checking the block's header signature, and the fact that the address it reads is unmapped indicates that the pointer or the heap metadata was corrupted before the free. !exploitable therefore sees only a tainted read inside the heap verifier and rates the crash UNKNOWN; that classification reflects where the corruption was detected, not the overflow that caused it, which is why the advisory rates the risk High.
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: C:\Program Files\QuickTime\QuickTimePlayer.exe C:\peach-3.0.206-win-x86-release\fuzzed.m4a
Symbol search path is: SRV*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0052c000 QuickTimePlayerLauncher.exe
ModLoad: 7c900000 7c9b2000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 78130000 781cb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 10000000 1010a000 C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 017b0000 017c0000 C:\Program Files\Common Files\Apple\Apple Application Support\pthreadVC2.dll
ModLoad: 71ad0000 71ad9000 C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 01ee0000 01efd000 C:\Program Files\Common Files\Apple\Apple Application Support\objc.dll
ModLoad: 7c420000 7c4a7000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCP80.dll
ModLoad: 01f10000 01f1e000 C:\Program Files\Common Files\Apple\Apple Application Support\libdispatch.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 01f30000 0206a000 C:\Program Files\Common Files\Apple\Apple Application Support\libicuin.dll
ModLoad: 02080000 02163000 C:\Program Files\Common Files\Apple\Apple Application Support\libicuuc.dll
ModLoad: 4ad00000 4bc8b000 C:\Program Files\Common Files\Apple\Apple Application Support\icudt46.dll
ModLoad: 02180000 02191000 C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
ModLoad: 5d090000 5d12a000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 029e0000 032c0000 C:\Program Files\QuickTime\QuickTimePlayer.dll
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 3d930000 3da17000 C:\WINDOWS\system32\WININET.dll
ModLoad: 02370000 02379000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 02800000 02934000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 3dfd0000 3e1bc000 C:\WINDOWS\system32\iertutil.dll
ModLoad: 4ec50000 4edfb000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22791_x-ww_c8dff154\gdiplus.dll
ModLoad: 02940000 02947000 C:\Program Files\Common Files\Apple\Apple Application Support\AppleVersions.dll
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 66800000 67436000 C:\Program Files\QuickTime\QTSystem\QuickTime.qts
ModLoad: 686e0000 6870d000 C:\Program Files\QuickTime\QTSystem\QTCF.dll
ModLoad: 73f10000 73f6c000 C:\WINDOWS\system32\DSOUND.dll
ModLoad: 03ae0000 03d40000 C:\Program Files\Common Files\Apple\Apple Application Support\CFNetwork.DLL
ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76d60000 76d79000 C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 03d50000 03dbf000 C:\Program Files\Common Files\Apple\Apple Application Support\SQLite3.dll
ModLoad: 5a4c0000 5a4d4000 C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
ModLoad: 03de0000 03f13000 C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 73760000 737ab000 C:\WINDOWS\system32\ddraw.dll
ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 684a0000 684d8000 C:\Program Files\QuickTime\QTSystem\CoreVideo.qtx
ModLoad: 077f0000 0792f000 C:\Program Files\Common Files\Apple\Apple Application Support\CoreVideo.dll
ModLoad: 07a40000 07df5000 C:\Program Files\Common Files\Apple\Apple Application Support\CoreGraphics.dll
ModLoad: 67ee0000 67f17000 C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.qtx
ModLoad: 67f20000 67f7e000 C:\Program Files\QuickTime\QTSystem\QuickTime3GPPAuthoring.qtx
ModLoad: 68480000 684a0000 C:\Program Files\QuickTime\QTSystem\QuickTimeAudioSupport.qtx
ModLoad: 08380000 08865000 C:\Program Files\Common Files\Apple\Apple Application Support\CoreAudioToolbox.dll
ModLoad: 67820000 67a4f000 C:\Program Files\QuickTime\QTSystem\QuickTimeAuthoring.qtx
ModLoad: 67a50000 67aa3000 C:\Program Files\QuickTime\QTSystem\QuickTimeCapture.qtx
ModLoad: 67ab0000 67b41000 C:\Program Files\QuickTime\QTSystem\QuickTimeEffects.qtx
ModLoad: 67d70000 67dd6000 C:\Program Files\QuickTime\QTSystem\QuickTimeEssentials.qtx
ModLoad: 68140000 68477000 C:\Program Files\QuickTime\QTSystem\QuickTimeH264.qtx
ModLoad: 67b60000 67c55000 C:\Program Files\QuickTime\QTSystem\QuickTimeImage.qtx
ModLoad: 67740000 67812000 C:\Program Files\QuickTime\QTSystem\QuickTimeInternetExtras.qtx
ModLoad: 67cf0000 67d6a000 C:\Program Files\QuickTime\QTSystem\QuickTimeMPEG.qtx
ModLoad: 67de0000 67e3a000 C:\Program Files\QuickTime\QTSystem\QuickTimeMPEG4.qtx
ModLoad: 67e40000 67ed2000 C:\Program Files\QuickTime\QTSystem\QuickTimeMPEG4Authoring.qtx
ModLoad: 67c60000 67ce2000 C:\Program Files\QuickTime\QTSystem\QuickTimeMusic.qtx
ModLoad: 67440000 6751d000 C:\Program Files\QuickTime\QTSystem\QuickTimeStreaming.qtx
ModLoad: 680b0000 6810b000 C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingAuthoring.qtx
ModLoad: 68110000 6813d000 C:\Program Files\QuickTime\QTSystem\QuickTimeStreamingExtras.qtx
ModLoad: 67570000 6764b000 C:\Program Files\QuickTime\QTSystem\QuickTimeVR.qtx
ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
ModLoad: 0a2f0000 0a5b5000 C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 685b0000 68679000 C:\Program Files\QuickTime\QTOLibrary.dll
ModLoad: 0b700000 0b7c8000 C:\Program Files\QuickTime\QTPlugin.ocx
ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\wtsapi32.dll
ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 73b30000 73b45000 C:\WINDOWS\system32\mscms.dll
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 0b830000 0b871000 C:\WINDOWS\system32\icm32.dll
ModLoad: 0c780000 0c85b000 C:\Program Files\QuickTime\QTOControl.dll
ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\wtsapi32.dll
ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 7e720000 7e7d0000 C:\WINDOWS\system32\SXS.DLL
ModLoad: 686d0000 686e0000 C:\Program Files\QuickTime\QTSystem\ExportControllerPS.dll
ModLoad: 75cf0000 75d81000 C:\WINDOWS\system32\mlang.dll
ModLoad: 4fdd0000 4ff76000 C:\WINDOWS\system32\d3d9.dll
ModLoad: 6d990000 6d996000 C:\WINDOWS\system32\d3d8thk.dll
ModLoad: 4fdd0000 4ff76000 C:\WINDOWS\system32\d3d9.dll
ModLoad: 6d990000 6d996000 C:\WINDOWS\system32\d3d8thk.dll
(d50.1fc): C++ EH exception - code e06d7363 (first chance)
QTAudioDeviceContextCreate: AudioContextInitialize failed
(d50.1fc): Access violation - code c0000005 (first chance)
r
eax=0013ca1c ebx=00000000 ecx=cf78afbc edx=cf78afc4 esi=0eb7eefc edi=0eb7eefc
eip=7c96ae2a esp=0013c9b4 ebp=0013c9e8 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210283
ntdll!RtlpDphIsNormalHeapBlock+0x81:
7c96ae2a 8039a0          cmp     byte ptr [ecx],0A0h        ds:0023:cf78afbc=??
rF
fpcw=027F: rn 53 puozdi  fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0345 fpip=4010:1c0e4775 fpdp=0000:000c7900
st0=-1.#QNAN0000000000000000e+0000 st1=-1.#SNAN0000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.208333022892475128170e-0003
st4= 5.208333022892475128170e-0003 st5= 5.960464477539062500000e-0004
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
ntdll!RtlpDphIsNormalHeapBlock+0x81:
7c96ae2a 8039a0          cmp     byte ptr [ecx],0A0h        ds:0023:cf78afbc=??
rX
xmm0=0 0 0 0
xmm1=1.92625e+031 1.92524e+031 -1.#QNAN 1.8811e+028
xmm2=-1.#QNAN 1.35633e-019 7.8858e+034 -1.#QNAN
xmm3=1.93611e+031 -1.#QNAN 1.35632e-019 1.35823e-019
xmm4=4.95148e+033 4.95279e+033 -1.#QNAN 1.93417e+031
xmm5=-1.#QNAN 1.35633e-019 7.26064e+022 -1.#QNAN
xmm6=7.64428e+028 -1.#QNAN 7.61725e+028 7.6195e+028
xmm7=4.68698e+024 4.68459e+024 -1.#QNAN 7.6482e+028
ntdll!RtlpDphIsNormalHeapBlock+0x81:
7c96ae2a 8039a0          cmp     byte ptr [ecx],0A0h        ds:0023:cf78afbc=??
kb
ChildEBP RetAddr  Args to Child
0013c9e8 7c96d137 00161000 0eb7eefc 0013ca1c ntdll!RtlpDphIsNormalHeapBlock+0x81
0013ca0c 7c96d34a 00161000 01000002 00000007 ntdll!RtlpDphNormalHeapFree+0x1e
0013ca5c 7c9703eb 00160000 01000002 0eb7eefc ntdll!RtlpDebugPageHeapFree+0x79
0013cad0 7c94bafc 00160000 01000002 0eb7eefc ntdll!RtlDebugFreeHeap+0x2c
0013cbb8 7c91a1ba 00160000 01000002 0eb7eefc ntdll!RtlFreeHeapSlowly+0x37
0013cc88 774fcfd4 00160000 00000000 0eb7eefc ntdll!RtlFreeHeap+0xf9
0013cc9c 77124af8 77607034 0eb7eefc 0a212f18 ole32!CRetailMalloc_Free+0x1c
0013ccbc 77124abb 0eb7eefc c0c0c0d0 0013ccf0 OLEAUT32!APP_DATA::FreeCachedMem+0xa0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\QuickTime\QuickTimePlayer.dll -
0013ccd8 029e3431 0eb7ef00 2a10aa64 0b656f94 OLEAUT32!SysFreeString+0x6b
WARNING: Stack unwind information not available. Following frames may be wrong.
0013ccfc 029e3348 00000001 02a1f3d2 2a10ab9c QuickTimePlayer+0x3431
0013cd04 02a1f3d2 2a10ab9c 000186a0 0c742dc0 QuickTimePlayer+0x3348
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\QuickTime\QTOControl.dll -
0013cd1c 0c785ae9 0e81cfc8 0b656f94 00000000 QuickTimePlayer!QuickTimePlayerWinMain+0x2d6b2
00000000 00000000 00000000 00000000 00000000 QTOControl+0x5ae9
.load C:\peach-3.0.206-win-x86-release\Debuggers\DebugEngine\msec86.dll
!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffcf78afbc
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:7c96ae2a cmp byte ptr [ecx],0a0h
BASIC_BLOCK_INSTRUCTION_COUNT:2
BASIC_BLOCK_INSTRUCTION:7c96ae2a cmp byte ptr [ecx],0a0h
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION:7c96ae2d je ntdll!rtlpdphisnormalheapblock+0x93 (7c96ae3c)
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ZeroFlag
MAJOR_HASH:0x023f661d
MINOR_HASH:0x43475901
STACK_DEPTH:13
STACK_FRAME:ntdll!RtlpDphIsNormalHeapBlock+0x81
STACK_FRAME:ntdll!RtlpDphNormalHeapFree+0x1e
STACK_FRAME:ntdll!RtlpDebugPageHeapFree+0x79
STACK_FRAME:ntdll!RtlDebugFreeHeap+0x2c
STACK_FRAME:ntdll!RtlFreeHeapSlowly+0x37
STACK_FRAME:ntdll!RtlFreeHeap+0xf9
STACK_FRAME:ole32!CRetailMalloc_Free+0x1c
STACK_FRAME:OLEAUT32!APP_DATA::FreeCachedMem+0xa0
STACK_FRAME:OLEAUT32!SysFreeString+0x6b
STACK_FRAME:QuickTimePlayer+0x3431
STACK_FRAME:QuickTimePlayer+0x3348
STACK_FRAME:QuickTimePlayer!QuickTimePlayerWinMain+0x2d6b2
STACK_FRAME:QTOControl+0x5ae9
INSTRUCTION_ADDRESS:0x000000007c96ae2a
INVOKING_STACK_FRAME:6
DESCRIPTION:Data from Faulting Address controls Branch Selection
SHORT_DESCRIPTION:TaintedDataControlsBranchSelection
CLASSIFICATION:UNKNOWN
BUG_TITLE:Data from Faulting Address controls Branch Selection starting at ntdll!RtlpDphIsNormalHeapBlock+0x0000000000000081 called from ole32!CRetailMalloc_Free+0x000000000000001c (Hash=0x023f661d.0x43475901)
EXPLANATION:The data from the faulting address is later used to determine whether or not a branch is taken.
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
A patch can be downloaded from the following location:
http://support.apple.com/kb/HT6535
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Research https://www.nccgroup.trust/uk/our-researh
Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source https://github.com/nccgroup
Blog https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/
SlideShare http://www.slideshare.net/NCC_Group/