Apple QuickTime FlashPix Buffer Overflow (Sep 18, 2009)

The QuickTime multimedia player supports a wide range of media formats. It is capable of parsing and displaying images as well as audio and video files. One of the image file formats supported by QuickTime is FlashPix.

The FlashPix format stores image data in multiple resolutions which makes for a larger file size but speeds up serving different resolutions of the image on demand. This comes particularly in handy when the image is requested by a web browser. Serving lower resolution of an image when needed decreases download time.

Space within a FlashPix file is divided into sectors with a default size of 512 bytes. There are numerous sector types, each serving its own purpose, such as Directory, DIF and Storage sectors. The header of a FlashPix file is also a separate sector type and is always 512 bytes in size.
The structure of the FlashPix header is shown below:

 Offset   Size  Description
 ------   ----  ------------------------------------------------------------
 0x0000   8     0xd0cf11e0a1b11ae1 OR 0x0e11fc0dd0cf11e0
 0x0008   16    class ID
 0x0018   2     minor version
 0x001a   2     major version
 0x001c   2     byte order
 0x001e   2     size of sectors (as a power of 2)
 0x0020   2     size of mini-sectors (as a power of 2)
 0x0022   2     reserved
 0x0024   4     reserved
 0x0028   4     reserved
 0x002c   4     number of SECTs in the FAT chain
 0x0030   4     first SECT in the FAT Directory chain

A buffer overflow vulnerability exists in the Apple QuickTime media player. The vulnerability is due to an integer overflow during the processing of malformed FlashPix files. The vulnerable code in QuickTimeImage.qtx does not properly validate the result of a multiplication operation involving two fields taken directly from the header of the FlashPix file. The product of these field values is then used without validation to allocate a heap memory buffer. In cases where the multiplication operation results in zero or a very small value, the buffer allocated is too small to hold the data copied into it during subsequent processing.
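To make the allocation flaw concrete, the following added example (not code from the advisory, SonicWall or Apple) parses the header fields from the table above and contrasts an unchecked 32-bit size computation with an overflow-checked one. The advisory does not name the two fields that are multiplied, so the pair used here (FAT sector count times sector size), the accepted sector-shift range 9..12 and all `fpx_` names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#define FPX_HEADER_SIZE 512

struct fpx_header {
    uint16_t sector_shift;     /* offset 0x001e: sector size as a power of 2 */
    uint32_t fat_sector_count; /* offset 0x002c: number of SECTs in the FAT chain */
};
static uint32_t rd16le(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t rd32le(const uint8_t *p) { return rd16le(p) | (rd16le(p + 2) << 16); }

/* Accepts either signature from the table; rejects headers shorter than one sector. */
bool fpx_parse_header(const uint8_t *buf, size_t len, struct fpx_header *h)
{
    static const uint8_t sig[8]  = {0xd0,0xcf,0x11,0xe0,0xa1,0xb1,0x1a,0xe1};
    static const uint8_t beta[8] = {0x0e,0x11,0xfc,0x0d,0xd0,0xcf,0x11,0xe0};
    if (len < FPX_HEADER_SIZE || (memcmp(buf, sig, 8) && memcmp(buf, beta, 8))) return false;
    h->sector_shift = (uint16_t)rd16le(buf + 0x1e);
    h->fat_sector_count = rd32le(buf + 0x2c);
    return true;
}

/* The pattern the advisory describes: a 32-bit product handed to the allocator
 * unvalidated, so it can wrap to zero or to a value far smaller than the data. */
uint32_t fpx_unchecked_size(const struct fpx_header *h)
{ return h->fat_sector_count * (1u << h->sector_shift); }

/* Hardened form (assumed field pair and shift range): bound the shift, form the
 * product in 64 bits and refuse any result that does not fit the 32-bit size. */
bool fpx_checked_size(const struct fpx_header *h, uint32_t *out)
{
    if (h->sector_shift < 9 || h->sector_shift > 12 || h->fat_sector_count == 0) return false;
    uint64_t n = (uint64_t)h->fat_sector_count << h->sector_shift;
    if (n > UINT32_MAX) return false;
    *out = (uint32_t)n;
    return true;
}

/* Constructed header (signature plus the two fields) run through one path; returns 0
 * when the header is rejected or, on the checked path, when the product is refused. */
uint32_t fpx_demo(uint16_t shift, uint32_t count, bool checked)
{
    uint8_t buf[FPX_HEADER_SIZE] = {0xd0,0xcf,0x11,0xe0,0xa1,0xb1,0x1a,0xe1};
    struct fpx_header h; uint32_t n = 0;
    buf[0x1e] = shift & 0xff; buf[0x1f] = shift >> 8;
    for (int i = 0; i < 4; i++) buf[0x2c + i] = (count >> (8 * i)) & 0xff;
    if (!fpx_parse_header(buf, sizeof buf, &h)) return 0;
    return checked ? (fpx_checked_size(&h, &n) ? n : 0) : fpx_unchecked_size(&h);
}
```

With a sector shift of 9 and a count of 0x00800000, the unchecked product wraps to exactly zero, and with 0x00800001 it wraps to 512 bytes, the undersized-buffer condition the advisory describes; the checked path refuses both before any allocation.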

The data copied into this buffer is sourced from the image file, which is entirely under the attacker's control. Exploitation of this flaw can result in the injection of malicious code into the QuickTime application process and its eventual execution. Attackers can exploit this vulnerability by persuading a target user to open a malicious FlashPix image file with a vulnerable version of the product.

SonicWALL has released an IPS signature that detects and blocks a specific attack attempt targeting this vulnerability. The following signature addresses this issue:

  • 4418 – Apple QuickTime FlashPix File BO Attempt

This vulnerability has been assigned CVE-2009-2798 by Mitre.
