
DOE-CIRC TECHNICAL BULLETIN

T-136: Apple Mac OS X PICT Image Handling Integer Overflow Vulnerability

[CVE-2009-0010]

May 15, 2009 15:00 GMT

PROBLEM: Apple Mac OS X is prone to an integer-overflow vulnerability when handling PICT image files.
PLATFORM: Apple Mac OS X Server 10.5.6, 10.5.5, 10.5.4, 10.5.3, 10.5.2, 10.5.1, 10.5, 10.4.11, 10.4.10, 10.4.9, 10.4.8, 10.4.7, 10.4.6, 10.4.5, 10.4.4, 10.4.3, 10.4.2, 10.4.1, 10.4; Apple Mac OS X 10.5.6, 10.5.5, 10.5.4, 10.5.3, 10.5.2, 10.5.1, 10.5, 10.4.11, 10.4.10, 10.4.9, 10.4.8, 10.4.7, 10.4.6, 10.4.5, 10.4.4, 10.4.3, 10.4.2, 10.4.1, 10.4
ABSTRACT: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when the application parses a malformed .PICT image. While decoding a tag 0x77 in the image, the application misuses a 16-bit length when allocating tag data. When copying tag data into this buffer, a heap overflow occurs. This can lead to code execution under the context of the current user.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-136.shtml
  OTHER LINKS:
    CVE-2009-0010
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0010
    Security Focus
    http://www.securityfocus.com/bid/34938/solution
    NIST
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0010
    Apple
    http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

IMPACT ASSESSMENT: This risk is medium. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.

[***** Start CVE-2009-0010 *****]
PROBLEM:  
Apple Mac OS X PICT Image Handling Integer Overflow Vulnerability

PLATFORM:
Apple Mac OS X Server 10.5.6
Apple Mac OS X Server 10.5.5
Apple Mac OS X Server 10.5.4
Apple Mac OS X Server 10.5.3
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.5
Apple Mac OS X 10.5.6
Apple Mac OS X 10.5.5
Apple Mac OS X 10.5.4
Apple Mac OS X 10.5.3
Apple Mac OS X 10.5.2
Apple Mac OS X 10.5.1
Apple Mac OS X 10.4.11
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.5

ABSTRACT:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a
malicious file.

The specific flaw exists when the application parses a malformed .PICT image. While decoding a tag 0x77 in the image,
the application misuses a 16-bit length when allocating tag data. When copying tag data into this buffer, a heap
overflow occurs. This can lead to code execution under the context of the current user.
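The abstract describes a classic length-handling defect: a size taken from a 16-bit field in the file is used to size an allocation, the arithmetic wraps, and the later copy of the tag payload writes past the undersized buffer. The following C program is an added illustration written for this bulletin, not Apple's code and not the real PICT opcode 0x77 encoding; the tag layout (2-byte tag id, 2-byte big-endian length, payload) and the HDR_BYTES bookkeeping prefix are constructed for the example. It shows the wrapped size the 16-bit arithmetic produces next to a checked parser that widens before adding, bounds the declared length by the bytes actually present, and copies only what it checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tag layout for this example (NOT the real PICT opcode 0x77
 * encoding): 2-byte big-endian tag id, 2-byte big-endian payload length,
 * then the payload. Each parsed record is stored as HDR_BYTES of bookkeeping
 * followed by a copy of the payload. */
#define HDR_BYTES 4u

static uint16_t be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* The class of bug the bulletin describes: the allocation size is computed
 * in 16 bits, so declared_len + HDR_BYTES wraps for large values and the
 * buffer ends up far smaller than the declared_len bytes copied afterwards.
 * This function only returns the size the buggy arithmetic would produce;
 * it never allocates or copies anything. */
uint16_t buggy_alloc_size(uint16_t declared_len) {
    return (uint16_t)(declared_len + HDR_BYTES);
}

typedef struct {
    uint16_t tag;
    uint16_t len;
    uint8_t *buf;      /* HDR_BYTES + len bytes, malloc'ed; NULL on failure */
} tag_rec;

/* Hardened parser: widen to size_t before adding, bound the declared length
 * by the bytes actually present, and allocate exactly what the copy needs.
 * Returns bytes consumed from 'in', or 0 if the record is rejected. */
size_t parse_tag_checked(const uint8_t *in, size_t in_len, tag_rec *out) {
    out->buf = NULL;
    if (in_len < 4) return 0;                    /* no room for tag + length */
    uint16_t tag = be16(in);
    uint16_t len = be16(in + 2);
    size_t remaining = in_len - 4;
    if ((size_t)len > remaining) return 0;       /* declared length exceeds input */
    size_t need = (size_t)len + HDR_BYTES;       /* cannot wrap in size_t */
    uint8_t *buf = malloc(need);
    if (!buf) return 0;
    memset(buf, 0, HDR_BYTES);
    memcpy(buf + HDR_BYTES, in + 4, len);        /* copy exactly what was checked */
    out->tag = tag;
    out->len = len;
    out->buf = buf;
    return 4 + (size_t)len;
}

/* Constructed inputs: a well-formed record with a 3-byte payload, and one
 * that declares 0xFFFF payload bytes while only 3 actually follow. */
static const uint8_t GOOD[] = {0x00, 0x77, 0x00, 0x03, 0xAA, 0xBB, 0xCC};
static const uint8_t BAD[]  = {0x00, 0x77, 0xFF, 0xFF, 0xAA, 0xBB, 0xCC};

/* Returns 1 if the checked parser accepts GOOD and rejects BAD, else 0. */
int demo(void) {
    tag_rec r;
    size_t used = parse_tag_checked(GOOD, sizeof GOOD, &r);
    int ok = (used == sizeof GOOD) && r.tag == 0x77 && r.len == 3 &&
             r.buf != NULL && r.buf[HDR_BYTES + 2] == 0xCC;
    free(r.buf);
    ok = ok && parse_tag_checked(BAD, sizeof BAD, &r) == 0 && r.buf == NULL;
    return ok;
}

int main(void) {
    printf("16-bit size for declared length 0xFFFF: %u (copy would need %u)\n",
           (unsigned)buggy_alloc_size(0xFFFF), 0xFFFFu + HDR_BYTES);
    printf("checked parser: %s\n", demo() ? "accepts GOOD, rejects BAD" : "FAIL");
    return 0;
}
```

The two checks in parse_tag_checked are the ones a reviewer would look for in any tag-length-value decoder: the declared length must be validated against the input that remains, and the size handed to the allocator must be computed in a type wide enough that adding the fixed overhead cannot wrap.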

References:
CVE-2009-0010
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0010
Security Focus
http://www.securityfocus.com/bid/34938/solution
NIST
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0010
Apple
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

SOLUTIONS:
The vendor has released an advisory and fixes.

Apple Mac OS X Server 10.5

    * Apple MacOSXServerUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL829/MacOSXServerUpdCombo10.5.7.dmg

Apple Mac OS X 10.5

    * Apple MacOSXUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg

Apple Mac OS X Server 10.4.11

    * Apple SecUpd2009-002Intel.dmg
      (Intel)
      http://support.apple.com/downloads/DL817/SecUpd2009-002Intel.dmg

    * Apple SecUpdSrvr2009-002PPC.dmg
      (PowerPC)
      http://support.apple.com/downloads/DL819/SecUpdSrvr2009-002PPC.dmg

    * Apple SecUpdSrvr2009-002Univ.dmg
      (Universal)
      http://support.apple.com/downloads/DL816/SecUpdSrvr2009-002Univ.dmg

Apple Mac OS X 10.4.11

    * Apple SecUpd2009-002PPC.dmg
      (PowerPC)
      http://support.apple.com/downloads/DL818/SecUpd2009-002PPC.dmg

Apple Mac OS X 10.5.1

    * Apple MacOSXUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg

Apple Mac OS X Server 10.5.1

    * Apple MacOSXServerUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL829/MacOSXServerUpdCombo10.5.7.dmg

Apple Mac OS X 10.5.2

    * Apple MacOSXUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg

Apple Mac OS X Server 10.5.2

    * Apple MacOSXServerUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL829/MacOSXServerUpdCombo10.5.7.dmg

Apple Mac OS X 10.5.3

    * Apple MacOSXUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg

Apple Mac OS X Server 10.5.3

    * Apple MacOSXServerUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL829/MacOSXServerUpdCombo10.5.7.dmg

Apple Mac OS X 10.5.4

    * Apple MacOSXUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg

Apple Mac OS X Server 10.5.4

    * Apple MacOSXServerUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL829/MacOSXServerUpdCombo10.5.7.dmg

Apple Mac OS X Server 10.5.5

    * Apple MacOSXServerUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL829/MacOSXServerUpdCombo10.5.7.dmg

Apple Mac OS X 10.5.5

    * Apple MacOSXUpdCombo10.5.7.dmg
      http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg

Apple Mac OS X 10.5.6

    * Apple MacOSXUpd10.5.7.dmg
      http://support.apple.com/downloads/DL826/MacOSXUpd10.5.7.dmg

Apple Mac OS X Server 10.5.6

    * Apple MacOSXServerUpd10.5.7.dmg
      http://support.apple.com/downloads/DL828/MacOSXServerUpd10.5.7.dmg
[***** End CVE-2009-0010 *****]


DOE-CIRC wishes to acknowledge the contributions of Damian Put and Sebastian Apelt working with TippingPoint's Zero Day Initiative, and Chris Ries of Carnegie Mellon Univ. for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788