Apple QuickTime Movie Vulnerabilities (June 4, 2009)


Apple QuickTime is a media player application developed by Apple. It can play back numerous multimedia file formats from the local file system or from remote servers. The QuickTime movie file is one of the media file formats that QuickTime can play.

A QuickTime movie file consists of metadata and atoms. The metadata stores the description of the media content, while atoms are the data units of the media content. Each atom contains size and type fields that precede any other data. The common structure of an atom is as follows:

 Type       Description
 ---------  -------------------
 UINT32     Atom size (n)
 UINT32     Atom identifier
 BYTE[n-8]  Atom data

Many buffer overflow and integer overflow vulnerabilities have been found in Apple QuickTime. Most of them are due to improper validation of atom fields. The affected atoms include moov, trak, minf, stsd, avcC, rpza, sdtp and so on. For example, a memory corruption vulnerability found recently in the QuickTime media player is due to improper input validation of specially crafted QuickTime movies containing an ‘stsd’ atom with malicious ‘rpza’ video data. The Apple Video compression format (rpza) has the following structure:

 Type       Description
 ---------  --------------------------
 UINT16     version
 UINT16     revision level, set to 0
 BYTE[4]    vendor
 UINT32     temporal quality, 0 ~ 1023
 UINT32     spatial quality, 0 ~ 1024
 UINT16     width
 UINT16     height
 UINT32     horizontal resolution
 UINT32     vertical resolution
 UINT32     data size, set to 0
 UINT16     frame count, usually 1

The vulnerable code does not validate the ‘width’ value from the above ‘rpza’ structure. It rounds the ‘width’ value up to a multiple of 4 bytes and then multiplies it by 4, which may cause an integer overflow. Remote attackers could exploit this vulnerability to inject and execute arbitrary code on the target system.
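The following C sketch is an added example, not QuickTime code or code from the original advisory; it puts the unvalidated width calculation described above next to a checked form. It assumes the arithmetic runs in 16 bits (the page does not state the integer size), takes field offsets from the table above, and uses hypothetical function names and a hypothetical MAX_DIM limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RPZA_DESC_LEN  34u   /* sum of the field sizes in the table above */
#define RPZA_OFF_WIDTH 16u   /* bytes that precede 'width' in that table */
#define MAX_DIM        8192u /* assumed policy limit, not from the page */

/* QuickTime stores multi-byte fields big-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked form. ASSUMPTION: the arithmetic runs in 16 bits, the size of
 * the 'width' field; the page does not state the integer size used. */
uint16_t row_bytes_unchecked(uint16_t width)
{
    uint16_t aligned = (uint16_t)((width + 3u) & ~3u); /* round up to 4 */
    return (uint16_t)(aligned * 4u);            /* wraps from 0x3FFD upward */
}

/* Checked form: length-check the structure, bound both dimensions, then
 * compute in 32 bits, where (MAX_DIM + 3) * 4 cannot overflow. */
bool rpza_row_bytes(const uint8_t *desc, size_t len, uint32_t *row_bytes)
{
    if (desc == NULL || row_bytes == NULL || len < RPZA_DESC_LEN)
        return false;
    uint16_t width  = be16(desc + RPZA_OFF_WIDTH);
    uint16_t height = be16(desc + RPZA_OFF_WIDTH + 2);
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return false;
    *row_bytes = (((uint32_t)width + 3u) & ~(uint32_t)3u) * 4u;
    return true;
}

/* Builds a constructed 34-byte structure (all other fields zero) and
 * returns the checked row size, or 0 when the structure is rejected. */
uint32_t sample_row_bytes(uint16_t width, uint16_t height)
{
    uint8_t desc[RPZA_DESC_LEN];
    uint32_t out = 0;
    memset(desc, 0, sizeof desc);
    desc[16] = (uint8_t)(width >> 8);  desc[17] = (uint8_t)width;
    desc[18] = (uint8_t)(height >> 8); desc[19] = (uint8_t)height;
    return rpza_row_bytes(desc, sizeof desc, &out) ? out : 0;
}
```

Under the 16-bit assumption the unchecked result for a large width is far smaller than the row actually needs, which is how an undersized allocation arises; the checked form rejects such a width before any size is derived from it.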

The SonicWALL UTM team has analyzed each of the vulnerabilities and created multiple IPS/GAV signatures for them. For the vulnerabilities that cannot be covered by generic signatures, the SonicWALL UTM team monitored the published exploits and released signatures for each of them. The following released signatures relate to the Apple QuickTime media player and the QuickTime movie file format:

  • 1691 Apple QuickTime ctab Atom Heap Corruption PoC
  • 1806 Apple QuickTime stsd Atom Heap BO Attempt
  • 2107 Apple QuickTime H.264 Crafted Movie BO PoC
  • 2293 Apple QuickTime udta Atom Parsing BO Attempt 1
  • 2372 Apple QuickTime udta Atom Parsing BO Attempt 2
  • 2373 Apple QuickTime udta Atom Parsing BO Generic Detection 3
  • 4958 Apple QuickTime crgn Atom Parsing Memory Corruption PoC
  • 5031 Apple QuickTime hdlr Atom Integer Overflow PoC
  • 5412 GStreamer QuickTime File Parsing Heap Overflow PoC 1
  • 5414 GStreamer QuickTime File Parsing Heap Overflow PoC 3