Saturday, 27 January 2007

Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

Vendor:: Apple
Application:: Mac OS X - Windows
  • QuickTime™ Player 7.1.3
  • Windows Media ® Components for Quicktime 2.1.0.33
Disclosed:: 27-01-07
Description:: Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
Exploit:: Flip4Mac™ WMV is a collection of QuickTime components that allow you to play, import, and export Windows Media video and audio files on your Mac using your favorite QuickTime-based applications.
WMV files use the Advanced Systems Format (ASF) container format, originally supported for Macintosh systems via Microsoft's "Windows Media Player for Mac". Since Microsoft decided to stop development of it's Mac-port of WM Player, Flip4Mac became the 'endorsed', somehow official solution.
It fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
ASF_File_Properties_Object:
8CABDCA1-A947-11CF-8EE4-00C00C205365 71494647607722088 112 --| GUID
0x70: A1 DC AB 8C 47 A9 CF 11 8E E4 00 C0 0C 20 53 65 ----/
0x80: 68 00 00 FF 00 00 00 00 63 79 0C 20 28 50 D5 11 [size at 0x80]
Given that we can overwrite saved eip (and thus subvert the execution flow) and provide any payload of our choice by appending it to the WMV file, exploitation for arbitrary code execution is clearly possible. Although, the conditions for PowerPC and x86 are slightly different, and thus the same file won't work for both architectures (this has nothing to do with payload limitations, as we can use one that will work for both ppc and x86, like nemo's multi-arch shellcode).
A working exploit for this issue might be developed later today and released as soon as it's been tested and known to be reliable.
The sample proof of concept provided shows saved eip being overwritten with a bogus address (it's known to not work on PowerPC, as the conditions are slightly different).
MORE...
Prevention::Disable Flip4Mac and/or automated opening of WMV files, and wait for a patch to be released by the vendor (Telestream).
Links::
PoC:: MOAB-27-01-2007.wmv
MOAB-27-01-2007

No comments: