iTunes .PLS Title buffer overflow

2015-05-11T00:00:00
ID SAINT:38CB7154A0A19557B449C1D3FD132829
Type saint
Reporter SAINT Corporation
Modified 2015-05-11T00:00:00

Description

Added: 05/11/2015

Background

iTunes is a free media player for multiple platforms.

Problem

A buffer overflow vulnerability in iTunes allows command execution when a .PLS file containing a specially crafted Title parameter is opened.

Resolution

Do not open untrusted .PLS files.

References

<https://www.exploit-db.com/exploits/36837/>

Limitations

Exploit works on iTunes 10.6.1.7 on Windows XP SP3 and requires a user to open the exploit file in iTunes.

Platforms

Windows XP