Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow

Title: Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow
Advisory ID: ZSL-2012-5093
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 12.06.2012
Summary
iTunes is a free application for your Mac or PC. It lets you organize and play digital music and video on your computer. It can automatically download new music, app, and book purchases across all your devices and computers. And it’s a store that has everything you need to be entertained. Anywhere. Anytime.
Description
The vulnerability is caused due to a boundary error in the processing of a playlist file, which can be exploited to cause a heap based buffer overflow when a user opens e.g. a specially crafted .M3U file. Successful exploitation could allow execution of arbitrary code on the affected node.

--------------------------------------------------------------------------------

(940.fc0): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20
eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
+0x41414130:
41414141 ?? ???

~~~

(6b0.a04): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d
eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll -
CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40:
0187deec 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????

--------------------------------------------------------------------------------

Vendor
Apple Inc. - http://www.apple.com
Affected Version
10.6.1.7 and 10.6.0.40
Tested On
Microsoft Windows XP Professional SP3 EN (32bit)
Microsoft Windows 7 Ultimate SP1 EN (64bit)
Vendor Status
[13.03.2012] Vulnerability discovered in version 10.6.0.40.
[29.03.2012] Vulnerability present in version 10.6.1.7.
[11.05.2012] Vendor contacted.
[11.05.2012] Vendor responds asking more details.
[11.05.2012] Sent detailed information and PoC code to the vendor.
[12.05.2012] Vendor begins investigation.
[14.05.2012] Asked vendor for confirmation.
[17.05.2012] Vendor confirms the vulnerability, developing patch.
[17.05.2012] Requested a scheduled patch release date from vendor.
[18.05.2012] Vendor replies.
[06.06.2012] Asked vendor for status update.
[08.06.2012] Vendor shares information about security update.
[11.06.2012] Vendor releases version 10.6.3 to address this issue.
[12.06.2012] Coordinated public security advisory released.
PoC
itunes_bof.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://support.apple.com/kb/HT5318
[2] http://support.apple.com/kb/HT1222
[3] http://www.apple.com/itunes/download
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0677
[5] https://isc.sans.edu/diary/Apple+iTunes+Security+Update/13435
[6] http://secunia.com/advisories/49489
[7] http://cxsecurity.com/issue/WLB-2012060148
[8] http://www.exploit-db.com/exploits/19098/
[9] http://packetstormsecurity.org/files/113555
[10] http://packetstormsecurity.org/files/113566
[11] http://www.securelist.com/en/advisories/49489
[12] http://www.securitytracker.com/id/1027142
[13] http://osvdb.org/show/osvdb/82897
[14] http://www.scmagazine.com.au/News/304973,booby-trapped-playlist-pwns-itunes.aspx
[15] http://www.crn.com.au/News/304998,booby-trapped-playlist-hits-itunes.aspx
[16] http://lists.virus.org/apple-security-1206/msg00000.html
[17] http://www.camcert.gov.kh/?p=1201
[18] http://securityvulns.com/docs28127.html
[19] http://www.net-security.org/advisory.php?id=14441
[20] http://archives.neohapsis.com/archives/bugtraq/2012-06/0051.html
[21] http://www.nsfocus.net/vulndb/19773
[22] https://www.cert.be/pro/node/12532
[23] http://sylvar.tumblr.com/post/25087980360/apple-itunes-10-6-1-7-m3u-playlist-file-walking
[24] http://www.securityfocus.com/bid/53933
[25] http://www.nessus.org/plugins/index.php?view=single&id=59497
[26] http://www.nessus.org/plugins/index.php?view=single&id=59498
[27] http://www.nessus.org/plugins/index.php?view=single&id=59499
[28] http://www.scmagazine.com/itunes-vulnerability-may-enable-remote-code-execution/article/246207/
[29] http://www.informationweek.com/aroundtheweb/security/itunes-vulnerability-may-enable-remote-c/704d55486d51544d524931735147714b49364f5558773d3d
[30] http://www.msnbc.msn.com/id/47876553/ns/technology_and_science-security/#.T-H7rbVo3-s
[31] http://www.libertas.mk/vest/28065/Makedonski-IT-ekspert-otkri-opasen-bezbednosen-defekt-vo-iTjuns
[32] http://www.scip.ch/en/?vuldb.5552
[33] http://www.infosecurity-magazine.com/view/26492/researcher-publishes-proofofconcept-exploit-for-itunes/
[34] http://www.intego.com/mac-security-blog/time-to-update-itunes/
[35] http://tif.mcafee.com/threats/3500
Changelog
[12.06.2012] - Initial release
[13.06.2012] - Added reference [7], [8], [9], [10], [11], [12] and [13]
[17.06.2012] - Added reference [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25], [26] and [27]
[20.06.2012] - Added reference [28], [29], [30] and [31]
[21.06.2012] - Added reference [32]
[24.06.2012] - Added reference [33] and [34]
[01.06.2015] - Added reference [35]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk