ExploitFixes
libquicktime 1.2.4 - Denial of Service 2017-06-09 21:05:03

libquicktime multiple vulnerabilities


================
Author : qflb.wu
===============


Introduction:
=============
The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.


Affected version:
=====
1.2.4


Vulnerability Description:
==========================
##################################
1.
the quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4


POC:
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
CVE:
CVE-2017-9122


###################################
2.
the lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4


ASAN:SIGSEGV
=================================================================
==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)
==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)
#1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)
#2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)
#3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14254==ABORTING


debug info:
Program received signal SIGSEGV, Segmentation fault.
...
Stopped reason: SIGSEGV
0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>,
constant=<optimized out>) at lqt_quicktime.c:1242
1242 return


POC:
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
CVE:
CVE-2017-9123


###################################
3.
the quicktime_match_32 in util.c in libquicktime 1.2.4 can cause a denial of service(NULL pointer dereference and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4


ASAN:SIGSEGV
=================================================================
==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)
==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)
#1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)
#2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)
#3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)
#4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)
#5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)
#6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)
#7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14359==ABORTING


debug info:
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>,
_output=<optimized out>) at util.c:874
874if(input[0] == output[0] &&


POC:
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
CVE:
CVE-2017-9124


###################################
4.
the lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4


=================================================================
==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528
READ of size 4 at 0x602000009cd4 thread T0
#0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242
#1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138
#2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996
#3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration
Shadow bytes around the buggy address:
0x0c047fff9340: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 05 fa
0x0c047fff9350: fa fa 00 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
0x0c047fff9360: fa fa 05 fa fa fa 00 fa fa fa 05 fa fa fa 05 fa
0x0c047fff9370: fa fa 05 fa fa fa 00 fa fa fa 00 00 fa fa 00 01
0x0c047fff9380: fa fa 04 fa fa fa 05 fa fa fa 00 fa fa fa 05 fa
=>0x0c047fff9390: fa fa 05 fa fa fa 00 fa fa fa[01]fa fa fa 00 04
0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==40038==ABORTING


POC:
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
CVE:
CVE-2017-9125


###################################
5.
the quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4


=================================================================
==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718
WRITE of size 1 at 0x602000009ce4 thread T0
#0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69
#1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147
#2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56
#3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220
#4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
#5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
#6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
#7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
#8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
#9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
#10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
#11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table
Shadow bytes around the buggy address:
0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 01 fa
0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==41637==ABORTING


POC:
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
CVE:
CVE-2017-9126


###################################
6.
the quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4


=================================================================
==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8
WRITE of size 1 at 0x602000009cb1 thread T0
#0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84
#1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557
#2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694
#3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336
#4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231
#5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
#6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
#7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
#8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
#9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
#10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
#11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
#12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom
Shadow bytes around the buggy address:
0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9390: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 00 04
0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==41642==ABORTING


POC:
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
CVE:
CVE-2017-9127


###################################
7.
the quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4


=================================================================
==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008
READ of size 4 at 0x602000009d00 thread T0
#0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998
#1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633
#2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891
#3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
#4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
#5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
#6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width
Shadow bytes around the buggy address:
0x0c047fff9350: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9360: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff9380: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 04
=>0x0c047fff93a0:[fa]fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 00
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
0x0c047fff93f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==10979==ABORTING


POC:
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
CVE:
CVE-2017-9128




=================================


qflb.wu () dbappsecurity com cn


Proofs of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42148.zip