Apple QuickTime udta ATOM Heap Overflow
By Sowhat of Nevis Labs
Apple QuickTime versions < 7.1
We have discovered a critical vulnerability in Quicktime Player.
The vulnerability allows an attacker to execute arbitrary code
in the context of the user who executes QuickTime.
This vulnerability can be exploited By persuading a user to open
a carefully crafted .mov files or visit a website embedding the
malicious .mov file.
This vulnerability exists in the way Quicktime process the "udta" Atom of
the .mov files.
The layout of a udta(user data atom) atom:
| User data atom |
| Atom size | 4
| Type = 'udta' | 4
| User data list |
| Atom size | 4
| Type = user data types| 4
By setting the value of the Atom size to a large value such as 0xFFFFFFFF,
an insufficiently-sized heap block will be allocated, and resulting in a
classic complete heap memory overwrite during the RtlAllocateHeap() function.
2006.05.06=09Vendor notified via email@example.com
2006.05.09=09Vendor ask for more information
2006.05.11=09Vendor released QuickTime 7.1
Vendor was contacted in 05/06/2006, and they said:
"This message is being sent to you by a security analyst who has reviewed
your note. The issue is being investigated, and we appreciate the time
you have taken to report it to us. "
This vulnerability no longer exists in their new release(7.1),
However the vendor didnt formally inform me about the patch.
Greetings to Ajit, Chi, Xin, Linlin and all guys in India & US Nevis Labs
"Life is like a bug, Do you know how to exploit it ?"