iTunes m3u Playlist Overflow

2012-07-03T00:00:00
ID SAINT:7C39F68D01071E0E3DAB4B727AD97F75
Type saint
Reporter SAINT Corporation
Modified 2012-07-03T00:00:00

Description

Added: 07/03/2012
CVE: CVE-2012-0677
BID: 53933
OSVDB: 82897

Background

iTunes is a free media player for multiple platforms.

Problem

iTunes does not properly validate parameters for #EXTINF: directives in m3u files. This results in an exploitable stack overflow.

Resolution

Upgrade to iTunes 10.6.3 or higher.

References

<http://support.apple.com/kb/HT5318>
<http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php>

Limitations

QuickTime must be installed on the target system. This exploit has been tested against iTunes 10.6.1.7 and QuickTime 7.7.2 running on Microsoft Windows XP SP3 English (DEP OptIn).

Platforms

Windows