ID

VAR-200511-0172


CVE

CVE-2005-2753


TITLE

Apple QuickTime Embedded Pascal Style Remote Integer Overflow Vulnerability

Trust: 0.9

sources: BID: 15306 // CNNVD: CNNVD-200511-126

DESCRIPTION

Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted attackers to execute arbitrary code via a crafted MOV file that causes a sign extension of the length element in a Pascal style string. This issue is due to a failure of the application to properly validate integer signed-ness prior to using it to carry out critical operations. An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software. This issue affects both Microsoft Windows and Apple versions of QuickTime.

CVE-ID: CVE-2005-2753
Original location: http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
Severity: Critical - remote code execution.

Software affected:
QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may also be vulnerable.

Note: The following versions are not vulnerable, due to the fact I have reported the vulnerabilities before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4

0. DISCLAIMER
The author takes no responsibility for any actions with the provided information or code. The copyright for any material created by the author is reserved. Any duplication of code or text provided here in electronic or printed publications is not permitted without the author's agreement.

I. BACKGROUND
Apple QuickTime Player is one of the Apple QuickTime components used by hundreds of millions of users.

II.
A sign extension of an embedded "Pascal" style string could result in a very large memory copy, which leads to a potential memory overwrite. The vulnerability may lead to remote code execution when a specially crafted video file (MOV file) is being loaded.

III. POC CODE
Due to the severity of this bug I will not release any proof of concept code for this issue.

IV. VENDOR RESPONSE
Vendor (Apple) has been notified and released all necessary patches.

best regards,
Piotr Bania

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Dinanzi a me non fuor cose create se non etterne, e io etterno duro. Lasciate ogne speranza, voi ch'intrate " - Dante, Inferno Canto III

TITLE: Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA17428
VERIFY ADVISORY: http://secunia.com/advisories/17428/
CRITICAL: Highly critical
IMPACT: DoS, System access
WHERE: From remote
SOFTWARE:
Apple QuickTime 7.x http://secunia.com/product/5090/
Apple Quicktime 6.x http://secunia.com/product/810/

DESCRIPTION: Piotr Bania has reported some vulnerabilities in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
2) An integer overflow error exists in the handling of certain movie attributes when loading a ".mov" video file.
3) A NULL pointer dereferencing error exists when handling certain missing movie attributes from a video file.
4) A boundary error exists in the QuickTime PictureViewer when decompressing PICT data.
Prior versions may also be affected.

SOLUTION: Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html

PROVIDED AND/OR DISCOVERED BY: Piotr Bania

ORIGINAL ADVISORY:
Apple: http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
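The sign-extension flaw described above, as an added C example (not code from the advisory or from QuickTime; the function names and the sample bytes are constructed): the flawed pattern reads a Pascal-string length byte as a signed value and returns the copy size that would reach memcpy, while the hardened parser reads it unsigned and bounds-checks it against the input and destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flawed pattern (hypothetical, modelled on the advisory's description):
 * the length byte is read as a signed char, so any value >= 0x80 becomes
 * negative and, once converted to size_t for memcpy, wraps to a value near
 * SIZE_MAX. Returns the size that would be passed to memcpy; no copy is done. */
size_t buggy_pstring_copy_len(const unsigned char *p)
{
    signed char len = (signed char)p[0];   /* signed read of the length byte */
    return (size_t)len;                     /* sign extension: 0xFF -> SIZE_MAX */
}

/* Hardened form: read the length as an unsigned byte and check it against
 * the bytes actually remaining in the input and the destination capacity.
 * Returns the number of bytes copied, or -1 on a truncated or oversized string. */
int safe_pstring_copy(const unsigned char *p, size_t avail,
                      char *dst, size_t dstsz)
{
    if (avail < 1)
        return -1;                          /* no length byte at all */
    uint8_t len = p[0];                     /* 0..255, never negative */
    if ((size_t)len > avail - 1)
        return -1;                          /* declared length exceeds input */
    if ((size_t)len + 1 > dstsz)
        return -1;                          /* leave room for the NUL */
    memcpy(dst, p + 1, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample: length byte 0xFF, but only 3 payload bytes follow. */
    static const unsigned char sample[] = { 0xFF, 'a', 'b', 'c' };
    char out[16];
    printf("copy size from signed length: %zu\n", buggy_pstring_copy_len(sample));
    printf("hardened parser result: %d\n",
           safe_pstring_copy(sample, sizeof sample, out, sizeof out));
    return 0;
}
```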

Trust: 2.25

sources: NVD: CVE-2005-2753 // CERT/CC: VU#855118 // BID: 15306 // VULHUB: VHN-13962 // VULMON: CVE-2005-2753 // PACKETSTORM: 41276 // PACKETSTORM: 41264

AFFECTED PRODUCTS

vendor: apple, model: quicktime, scope: eq, version: 6.5.2

Trust: 1.6

vendor: apple, model: quicktime, scope: eq, version: 7.0

Trust: 1.6

vendor: apple, model: quicktime, scope: eq, version: 7.0.1

Trust: 1.6

vendor: apple, model: quicktime, scope: lte, version: 7.0.2

Trust: 1.0

vendor: apple computer, model: -, scope: -, version: -

Trust: 0.8

vendor: apple, model: quicktime, scope: eq, version: 7.0.2

Trust: 0.6

vendor: apple, model: quicktime player, scope: eq, version: 7.0.2

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0.1

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 7.0

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.5.2

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.5.1

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.5

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6.1

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 5.0.2

Trust: 0.3

vendor: apple, model: quicktime player, scope: eq, version: 6

Trust: 0.3

vendor: apple, model: quicktime player, scope: ne, version: 7.0.3

Trust: 0.3

sources: CERT/CC: VU#855118 // BID: 15306 // CNNVD: CNNVD-200511-126 // NVD: CVE-2005-2753

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-2753
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#855118
value: 8.61

Trust: 0.8

CNNVD: CNNVD-200511-126
value: MEDIUM

Trust: 0.6

VULHUB: VHN-13962
value: MEDIUM

Trust: 0.1

VULMON: CVE-2005-2753
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2005-2753
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-13962
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#855118 // VULHUB: VHN-13962 // VULMON: CVE-2005-2753 // CNNVD: CNNVD-200511-126 // NVD: CVE-2005-2753

PROBLEMTYPE DATA

problemtype: CWE-189

Trust: 1.1

sources: VULHUB: VHN-13962 // NVD: CVE-2005-2753

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 41276 // CNNVD: CNNVD-200511-126

TYPE

digital error

Trust: 0.6

sources: CNNVD: CNNVD-200511-126

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-13962

EXTERNAL IDS

db: SECUNIA, id: 17428

Trust: 2.7

db: NVD, id: CVE-2005-2753

Trust: 2.2

db: BID, id: 15306

Trust: 2.1

db: OSVDB, id: 20475

Trust: 1.8

db: VUPEN, id: ADV-2005-2293

Trust: 1.7

db: SECTRACK, id: 1015152

Trust: 1.7

db: OSVDB, id: 20478

Trust: 0.8

db: CERT/CC, id: VU#855118

Trust: 0.8

db: CNNVD, id: CNNVD-200511-126

Trust: 0.7

db: BUGTRAQ, id: 20051104 ADVISORY: APPLE QUICKTIME PLAYER REMOTE INTEGER OVERFLOW (1)

Trust: 0.6

db: PACKETSTORM, id: 41276

Trust: 0.2

db: VULHUB, id: VHN-13962

Trust: 0.1

db: VUPEN, id: 2005/2293

Trust: 0.1

db: VULMON, id: CVE-2005-2753

Trust: 0.1

db: PACKETSTORM, id: 41264

Trust: 0.1

sources: CERT/CC: VU#855118 // VULHUB: VHN-13962 // VULMON: CVE-2005-2753 // BID: 15306 // PACKETSTORM: 41276 // PACKETSTORM: 41264 // CNNVD: CNNVD-200511-126 // NVD: CVE-2005-2753

REFERENCES

url:http://docs.info.apple.com/article.html?artnum=302772

Trust: 3.0

url:http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt

Trust: 2.0

url:http://www.securityfocus.com/bid/15306

Trust: 1.8

url:http://www.osvdb.org/20475

Trust: 1.8

url:http://securitytracker.com/id?1015152

Trust: 1.8

url:http://secunia.com/advisories/17428

Trust: 1.8

url:http://www.securityfocus.com/archive/1/415712/30/0/threaded

Trust: 1.2

url:http://www.vupen.com/english/advisories/2005/2293

Trust: 1.2

url:http://secunia.com/advisories/17428/

Trust: 0.9

url:http://pb.specialised.info/all/adv/quicktime-pict-adv.txt

Trust: 0.9

url:http://www.osvdb.org/displayvuln.php?osvdb_id=20478

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/415712/30/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2005/2293

Trust: 0.6

url:http://www.apple.com/quicktime/

Trust: 0.3

url:http://www.info.apple.com/usen/security/security_updates.html

Trust: 0.3

url:/archive/1/415712

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/189.html

Trust: 0.1

url:https://www.rapid7.com/db/vulnerabilities/windows-quicktime-mov-integer-overflow

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://pb.specialised.info

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-2753

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

url:http://www.apple.com/support/downloads/quicktime703.html

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/5090/

Trust: 0.1

url:http://secunia.com/product/810/

Trust: 0.1

url:http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#855118 // VULHUB: VHN-13962 // VULMON: CVE-2005-2753 // BID: 15306 // PACKETSTORM: 41276 // PACKETSTORM: 41264 // CNNVD: CNNVD-200511-126 // NVD: CVE-2005-2753

CREDITS

Piotr Bania

Trust: 0.7

sources: PACKETSTORM: 41276 // CNNVD: CNNVD-200511-126

SOURCES

db: CERT/CC, id: VU#855118
db: VULHUB, id: VHN-13962
db: VULMON, id: CVE-2005-2753
db: BID, id: 15306
db: PACKETSTORM, id: 41276
db: PACKETSTORM, id: 41264
db: CNNVD, id: CNNVD-200511-126
db: NVD, id: CVE-2005-2753

LAST UPDATE DATE

2024-08-14T14:00:32.992000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#855118, date: 2005-11-08T00:00:00
db: VULHUB, id: VHN-13962, date: 2018-10-19T00:00:00
db: VULMON, id: CVE-2005-2753, date: 2018-10-19T00:00:00
db: BID, id: 15306, date: 2005-11-03T00:00:00
db: CNNVD, id: CNNVD-200511-126, date: 2006-08-28T00:00:00
db: NVD, id: CVE-2005-2753, date: 2018-10-19T15:33:34.633

SOURCES RELEASE DATE

db: CERT/CC, id: VU#855118, date: 2005-11-08T00:00:00
db: VULHUB, id: VHN-13962, date: 2005-11-05T00:00:00
db: VULMON, id: CVE-2005-2753, date: 2005-11-05T00:00:00
db: BID, id: 15306, date: 2005-11-03T00:00:00
db: PACKETSTORM, id: 41276, date: 2005-11-04T17:15:15
db: PACKETSTORM, id: 41264, date: 2005-11-04T17:09:11
db: CNNVD, id: CNNVD-200511-126, date: 2005-11-05T00:00:00
db: NVD, id: CVE-2005-2753, date: 2005-11-05T11:02:00