ID

VAR-200609-0313

CVE

CVE-2006-4386

TITLE

Apple QuickTime fails to properly handle SGI images

DESCRIPTION

Integer overflow in Apple QuickTime before 7.1.3 allows user-assisted remote attackers to execute arbitrary code via a crafted H.264 movie, a different issue than CVE-2006-4381. Apple QuickTime fails to properly handle SGI images. Apple From, as a countermeasure version Quicktime 7.1.3 Has been released.Arbitrary code or commands can be executed by a remote third party, DoS You can be attacked. Successful exploits may facilitate a remote compromise of affected computers. CVE: CVE-2006-4386 Orginal URL: http://piotrbania.com/all/adv/quicktime-integer-overflow-h264-adv-7.1.txt Software affected: Tested on QucikTime 7.1 (Windows version), with all newest add-ons. 0. DISCLAIMER Author takes no responsibility for any actions with provided informations or codes. The copyright for any material created by the author is reserved. Any duplication of codes or texts provided here in electronic or printed publications is not permitted without the author's agreement. I. II. The overflow occurs in the H.264 codec. Vulnerable code: 6825a28f 668b4806 mov cx,[eax+0x6] ; cx = controled by attacker 6825a293 660fb6d5 movzx dx,ch ; dx = 0x00XX (XX - controled by attacker) 6825a297 8af1 mov dh,cl ; dx = 0xXXXX (-//-) 6825a299 8bca mov ecx,edx ; ecx = edx 6825a29b 6681f90001 cmp cx,0x100 ; compare cx with 0x100 6825a2a0 7f3d jg QuickTimeH264!JVTCompComponentDispatch+0x917c (6825a2df) ; (*1*) 6825a2a2 0fbfd1 movsx edx,cx ; (*2*) 6825a2a5 8bca mov ecx,edx 6825a2a7 8bd9 mov ebx,ecx 6825a2a9 c1e902 shr ecx,0x2 6825a2ac 8d7008 lea esi,[eax+0x8] 6825a2af 8d7c2418 lea edi,[esp+0x18] 6825a2b3 f3a5 rep movsd ds:00fb8000=???????? *1 - JG jumps, takes care of the sign so in this case we have an security check for upper bounds, but when cx is a negative number this check is bypassed. No lower bounds checks were applied - bad. *2 - Due to the bypass of the point *1 EDX is now CX extended by sign (in this case its negative), EDX now looks like 0xFFFFXXXX, the integer is overflowed and rep movsd causes an memory corruption (obvious fact is that ECX is related to EDX). Debugger output: eax=00fb2028 ebx=ffffc9c9 ecx=3fffda7e edx=ffffc9c9 esi=00fb8000 edi=00141688 eip=6825a2b3 esp=0013b6a0 ebp=0013b8c4 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010216 *** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\Quicktime\QTSystem\QuickTimeH264.qtx - QuickTimeH264!JVTCompComponentDispatch+0x9150: 6825a2b3 f3a5 rep movsd ds:00fb8000=???????? es:00141688=00000000 The vulnerability may lead to remote code execution when specially crafted video file (MOV file) is being loaded. III. POC CODE Due to severity of this bug i will not release any proof of concept codes for this issue. IV. VENDOR RESPONSE Check: http://docs.info.apple.com/article.html?artnum=61798 . McAfee, Inc. QuickTime is used by the Mac OS X operating system and by the QuickTime media player for Microsoft Windows. Seven code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, FLC, FPX and SGI. Exploitation could lead to execution of arbitrary code. User interaction is required for an attack to succeed. The risk rating for these issues is medium. _________________________________________________ * Vulnerable Systems QuickTime 7.1.2 and below for Mac OS X QuickTime for Windows 7.1.2 and below _________________________________________________ * Vulnerability Information CVE-2006-4382 Two buffer overflow vulnerabilities are present in QuickTime MOV format support. CVE-2006-4384 On heap overflow vulnerability is present in QuickTime FLC format support. CVE-2006-4385 One buffer overflow vulnerability is present in QuickTime SGI format support. CVE-2006-4386 One buffer overflow vulnerability is present in QuickTime MOV H.264 format support. CVE-2006-4388 One buffer overflow vulnerability is present in QuickTime FlashPix (FPX) format support. CVE-2006-4389 One uninitialized memory access vulnerability is present in QuickTime FlashPix (FPX) format support. _________________________________________________ * Resolution Apple has included fixes for the QuickTime issues in QuickTime version 7.1.3 for Mac OS X and for Microsoft Windows. Further information is available at: http://docs.info.apple.com/article.html?artnum=304357 _________________________________________________ * Credits These vulnerabilities were discovered by Mike Price of McAfee Avert Labs. _________________________________________________ * Legal Notice Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee's customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. Best regards, Dave Marcus, B.A., CCNA, MCSE Security Research and Communications Manager McAfee(r) Avert(r) Labs . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200803-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Win32 binary codecs: Multiple vulnerabilities Date: March 04, 2008 Bugs: #150288 ID: 200803-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in the Win32 codecs for Linux may result in the remote execution of arbitrary code. Background ========== Win32 binary codecs provide support for video and audio playback. Workaround ========== There is no known workaround at this time. Resolution ========== All Win32 binary codecs users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/win32codecs-20071007-r2" Note: Since no updated binary versions have been released, the Quicktime libraries have been removed from the package. Please use the free alternative Quicktime implementations within VLC, MPlayer or Xine for playback. References ========== [ 1 ] CVE-2006-4382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4382 [ 2 ] CVE-2006-4384 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4384 [ 3 ] CVE-2006-4385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4385 [ 4 ] CVE-2006-4386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4386 [ 5 ] CVE-2006-4388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4388 [ 6 ] CVE-2006-4389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4389 [ 7 ] CVE-2007-4674 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4674 [ 8 ] CVE-2007-6166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6166 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200803-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHzc+AuhJ+ozIKI5gRAkBQAJ45BLSUrSDb21Ro/ZHEimwyzBpqqQCcD15e VpxOGmsa3V34PILWdYXqoXE= =70De -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer overflow

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Sowhat smaillist@gmail.com Mike PricePiotr Bania bania.piotr@gmail.com Ruben Santamarta ruben@reversemode.com

SOURCES

LAST UPDATE DATE

2024-09-19T21:18:28.066000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE