← Advisories

Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow

High
Advisory ID
ZSL-2012-5093
Release Date
12 June 2012
Vendor
Apple Inc. - http://www.apple.com
Affected Version
10.6.1.7 and 10.6.0.40
CVE
CVE-2012-0677
Tested On
Microsoft Windows XP Professional SP3 EN (32bit), Microsoft Windows 7 Ultimate SP1 EN (64bit)
Summary

iTunes is a free application for your Mac or PC. It lets you organize and play digital music and video on your computer. It can automatically download new music, app, and book purchases across all your devices and computers. And it’s a store that has everything you need to be entertained. Anywhere. Anytime.

Description

The vulnerability is caused due to a boundary error in the processing of a playlist file, which can be exploited to cause a heap based buffer overflow when a user opens e.g. a specially crafted .M3U file. Successful exploitation could allow execution of arbitrary code on the affected node.

(940.fc0): Access violation - code c0000005 (!!! second chance !!!) eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20 eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 +0x41414130: 41414141 ?? ??? ~~~ (6b0.a04): Access violation - code c0000005 (!!! second chance !!!) eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll - CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40: 0187deec 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????
Proof of Concept
itunes_bof.plTXT
Disclosure Timeline
13.03.2012Vulnerability discovered in version 10.6.0.40.
29.03.2012Vulnerability present in version 10.6.1.7.
11.05.2012Vendor contacted.
11.05.2012Vendor responds asking more details.
11.05.2012Sent detailed information and PoC code to the vendor.
12.05.2012Vendor begins investigation.
14.05.2012Asked vendor for confirmation.
17.05.2012Vendor confirms the vulnerability, developing patch.
17.05.2012Requested a scheduled patch release date from vendor.
18.05.2012Vendor replies.
06.06.2012Asked vendor for status update.
08.06.2012Vendor shares information about security update.
11.06.2012Vendor releases version 10.6.3 to address this issue.
12.06.2012Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://support.apple.com/kb/HT5318
[2]http://support.apple.com/kb/HT1222
[3]http://www.apple.com/itunes/download
[4]http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0677
[5]https://isc.sans.edu/diary/Apple+iTunes+Security+Update/13435
[6]http://secunia.com/advisories/49489
[7]http://cxsecurity.com/issue/WLB-2012060148
[8]http://www.exploit-db.com/exploits/19098/
[9]http://packetstormsecurity.org/files/113555
[10]http://packetstormsecurity.org/files/113566
[11]http://www.securelist.com/en/advisories/49489
[12]http://www.securitytracker.com/id/1027142
[13]http://osvdb.org/show/osvdb/82897
[14]http://www.scmagazine.com.au/News/304973,booby-trapped-playlist-pwns-itunes.aspx
[15]http://www.crn.com.au/News/304998,booby-trapped-playlist-hits-itunes.aspx
[16]http://lists.virus.org/apple-security-1206/msg00000.html
[17]http://www.camcert.gov.kh/?p=1201
[18]http://securityvulns.com/docs28127.html
[19]http://www.net-security.org/advisory.php?id=14441
[20]http://archives.neohapsis.com/archives/bugtraq/2012-06/0051.html
[21]http://www.nsfocus.net/vulndb/19773
[22]https://www.cert.be/pro/node/12532
[23]http://sylvar.tumblr.com/post/25087980360/apple-itunes-10-6-1-7-m3u-playlist-file-walking
[24]http://www.securityfocus.com/bid/53933
[25]http://www.nessus.org/plugins/index.php?view=single&id=59497
[26]http://www.nessus.org/plugins/index.php?view=single&id=59498
[27]http://www.nessus.org/plugins/index.php?view=single&id=59499
[28]http://www.scmagazine.com/itunes-vulnerability-may-enable-remote-code-execution/article/246207/
[29]http://www.informationweek.com/aroundtheweb/security/itunes-vulnerability-may-enable-remote-c/704d55486d51544d524931735147714b49364f5558773d3d
[30]http://www.msnbc.msn.com/id/47876553/ns/technology_and_science-security/#.T-H7rbVo3-s
[31]http://www.libertas.mk/vest/28065/Makedonski-IT-ekspert-otkri-opasen-bezbednosen-defekt-vo-iTjuns
[32]http://www.scip.ch/en/?vuldb.5552
[33]http://www.infosecurity-magazine.com/view/26492/researcher-publishes-proofofconcept-exploit-for-itunes/
[34]http://www.intego.com/mac-security-blog/time-to-update-itunes/
[35]http://tif.mcafee.com/threats/3500
Changelog
12.06.2012Initial release
13.06.2012Added reference [7], [8], [9], [10], [11], [12] and [13]
17.06.2012Added reference [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25], [26] and [27]
20.06.2012Added reference [28], [29], [30] and [31]
21.06.2012Added reference [32]
24.06.2012Added reference [33] and [34]
01.06.2015Added reference [35]