Itunes Vulnerability

[Mobo]

Apple iTunes is a digital jukebox capable of playing a variety of sound file formats, sharing music and burning music CD's. More information about iTunes is available from:

http://www.apple.com/itunes/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Apple Computer Inc.'s iTunes music player allows attackers to execute arbitrary code.

The problem specifically exists when parsing playlist files that contain long URL file entries. Malicious playlist files can come with either the .m3u or .pls extension. Though their formats are different, the vulnerability in each is the same.

An example malicious .pls file with a long URL:

[playlist]
NumberOfEntries=1
File1=http://[A x 3045]1234

An example malicious .m3u file with a long URL:

http://[A x 3045]1234

In both cases '[A x 3045]' represents any string of 3,045 bytes in length. Opening either malicious playlist file on the Microsoft Windows platform will cause iTunes to crash with an access violation when attempting to execute instruction 0x34333231, which is the little-endian ASCII code representation of '1234'. An attacker can exploit this vulnerability to redirect the flow of control and eventually execute arbitrary code. While this example is specific to the Microsoft Windows platform, exploitation on the Apple Mac OS platform is also possible.

III. ANALYSIS

Exploitation of the described vulnerability allows remote attackers to execute arbitrary code under the context of the user who started iTunes. Exploitation requires that an attacker convince a target user to open a malicious playlist file with a vulnerable version of iTunes.

IV. DETECTION

iTunes 4.7 as installed on the Microsoft Windows and Apple Mac OS platforms are affected. Earlier versions may also be susceptible.

V. WORKAROUND

Do not open playlist files from untrusted sources. Inspect the contents of .m3u and .pls playlist files for long URL file names prior to opening them with iTunes.