Apple QuickTime MOV文件JVTCompEncodeFrame函数堆溢出漏洞

漏洞信息详情

Apple QuickTime MOV文件JVTCompEncodeFrame函数堆溢出漏洞

• CNNVD编号：CNNVD-200704-524
• 危害等级： 超危
  
  
• CVE编号：
  CVE-2007-2295
  
• 漏洞类型：
  
  
  缓冲区溢出
  
• 发布时间：
  
  2007-04-26
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2007-04-27
  
• 厂        商：
  
  apple
• 漏洞来源：
  Tom Ferris tommy@…

Apple QuickTime是一款流行的多媒体播放器，支持多种媒体格式。

QuickTime在处理畸形格式的MOV文件时存在缓冲区溢出漏洞，远程攻击者可能利用此漏洞控制用户机器。

如果使用QuickTime加载了畸形的.mov文件的话，JVTCompEncodeFrame()函数可能无法正确地解析畸形数据，触发堆溢出，播放器会由于分段错误而停止响应，或以登录用户的权限执行任意指令。

调试信息如下：

Program received signal EXC_BAD_ACCESS, Could not access memory.

Reason： KERN_PROTECTION_FAILURE at address： 0x00041656

0x90003646 in szone_malloc ()

(gdb) bt

＃0 0x90003646 in szone_malloc ()

＃1 0x90003527 in malloc_zone_malloc ()

＃2 0x90325591 in mem_heap_malloc ()

＃3 0x90325511 in shape_alloc_bounds () ＃4 0x9170d8ec in RectRgn ()

＃5 0x91726437 in SetRectRgn ()

＃6 0x9436d3b4 in ICMDeviceLoop ()

＃7 0x9437728a in DecompressSequenceFrameWhen ()

＃8 0x94376c3a in ICMDecompressionSessionDecodeFrame ()

＃9 0x98b0c58c in v2m_rDecompressSequenceFrameWhen ()

＃10 0x98b1333b in v2m_decompressVideoFrame ()

＃11 0x98b13cd7 in QueueAFrame ()

＃12 0x98b14d49 in v2m_doWhatTheMentorTellsUs ()

＃13 0x98b166ac in Video2MoviesTask ()

＃14 0x90cceccf in CallComponentFunctionCommon ()

＃15 0x98b056c0 in Video2ComponentDispatch ()

＃16 0x90cce7f8 in CallComponentDispatch ()

＃17 0x94369f27 in MediaMoviesTask ()

＃18 0x94368c04 in TaskMovie_priv ()

＃19 0x98bb9b42 in doIdleMovie ()

＃20 0x98bc8691 in internalDoAction ()

＃21 0x98bb9a1a in _MCIdle ()

＃22 0x90cceb13 in CallComponentFunctionCommon ()

＃23 0x98bb4f19 in _MCComponentDispatch ()

＃24 0x90cce7f8 in CallComponentDispatch ()

＃25 0x943679fc in MCIdle ()

＃26 0x9436664d in QTOMovieObject：：SendCommand ()

＃27 0x9433b1e2 in DispatchQTMsg ()

＃28 0x9433af0f in QTObjectTokenPriv：：SendMessageToObject ()

＃29 0x9433a338 in QTObjectTokenPriv：：DispatchMessage ()

＃30 0x9436646a in QTSendToObject ()

＃31 0x95a21142 in QTObjectTokenExecuteCommand ()

＃32 0x95a32f85 in -[QTMovie idle] ()

＃33 0x9082a6eb in CFSetApplyFunction ()

＃34 0x95a2feab in +[QTMovie idleAllMovies：] ()

＃35 0x9282c2de in __NSFireTimer ()

＃36 0x9082c7e2 in CFRunLoopRunSpecific ()

＃37 0x9082bace in CFRunLoopRunInMode ()

＃38 0x92dd78d8 in RunCurrentEventLoopInMode ()

＃39 0x92dd6fe2 in ReceiveNextEventCommon ()

＃40 0x92dd6e39 in BlockUntilNextEventMatchingListInMode ()

＃41 0x9327d465 in _DPSNextEvent ()

＃42 0x9327d056 in -[NSApplication nextEventMatchingMask：untilDate：inMode：dequeue：] ()

＃43 0x93276ddb in -[NSApplication run] ()

＃44 0x9326ad2f in NSApplicationMain ()

＃45 0x00040632 in _start ()

＃46 0x0004054d in start ()

(gdb)

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=14402&cat=59&platform=osx&method=sa

http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=14401&cat=59&platform=osx&method=sa

来源: TA07-193A

名称: TA07-193A

链接:http://www.us-cert.gov/cas/techalerts/TA07-193A.html

来源: XF

名称: quicktime-h264-code-execution(35356)

链接:http://xforce.iss.net/xforce/xfdb/35356

来源: XF

名称: quicktime-jvtcompencodeframe-bo(34070)

链接:http://xforce.iss.net/xforce/xfdb/34070

来源: SECTRACK

名称: 1018373

链接:http://www.securitytracker.com/id?1018373

来源: SECTRACK

名称: 1017965

链接:http://www.securitytracker.com/id?1017965

来源: BID

名称: 23650

链接:http://www.securityfocus.com/bid/23650

来源: OSVDB

名称: 35577

链接:http://www.osvdb.org/35577

来源: VUPEN

名称: ADV-2007-2510

链接:http://www.frsirt.com/english/advisories/2007/2510

来源: MISC

链接:http://security-protocols.com/sp-x45-advisory.php

来源: SECUNIA

名称: 26034

链接:http://secunia.com/advisories/26034

来源: APPLE

名称: APPLE-SA-2007-07-11

链接:http://lists.apple.com/archives/Security-announce/2007/Jul/msg00001.html

来源: docs.info.apple.com

链接:http://docs.info.apple.com/article.html?artnum=305947