Lucene search

SAINT CorporationSAINT:7C39F68D01071E0E3DAB4B727AD97F75

HistoryJul 03, 2012 - 12:00 a.m.

iTunes m3u Playlist Overflow

2012-07-0300:00:00

SAINT Corporation

my.saintcorporation.com

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.836 High

EPSS

Percentile

98.4%

JSON

Added: 07/03/2012
CVE: CVE-2012-0677
BID: 53933
OSVDB: 82897

Background

iTunes is a free media player for multiple platforms.

Problem

iTunes does not properly validate parameters for #EXTINF: directives in m3u files. This results in an exploitable stack overflow.

Resolution

Upgrade to iTunes 10.6.3 or higher.

References

<http://support.apple.com/kb/HT5318>
<http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php>

Limitations

QuickTime must be installed on the target system. This exploit has been tested against iTunes 10.6.1.7 and QuickTime 7.7.2 running on Microsoft Windows XP SP3 English (DEP OptIn).

Platforms

Windows

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.836 High

EPSS

Percentile

98.4%

JSON

Related for SAINT:7C39F68D01071E0E3DAB4B727AD97F75