Apple iTunes Buffer Overflow (July 2, 2009)

By

A URL (Universal Resource Locator) specifies parameters to request for a resource. Typically, a URL composed of the following components:

://[:@][:][/]

For example:

http://www.example.com:8080/pub/afile.txt

Apple iTunes is a multimedia player that supports a wide range of media formats. When iTunes is installed, it registers itself with the host Operating System as a protocol handler for several application URL schemes.

A buffer overflow vulnerability exists in iTunes. The vulnerability is due to a boundary error when parsing URLs containing iTunes-specific schemes such as iTunes Music Store Protocol (itms://), Podcast (itpc://) and Digital Audio Access Protocol (daap://). Specifically, the application copies the port value from an URL into a fixed size (256 bytes) stack buffer without performing boundary checks. If URL contains an overly long port string, it will overflow the stack buffer, potentially ovewriting critical process data such as function return addresses and SEH pointers.

Remote attackers could exploit this vulnerability by persuading a target user to open a specially crafted URL, causing a stack-based buffer overflow. Successful exploitation would lead to arbitrary code execution in the security context of the logged in user, or terminate the application resulting in a Denial of Service condition.

The vulnerability has been assigned as CVE-2009-0950.

SonicWALL has released several IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed bellow:

  • 3013 – Apple iTunes DAAP Handler BO Attempt
  • 3808 – Apple iTunes ITMS Handler BO Attempt
  • 3836 – Apple iTunes ITMS Handler BO Attempt 2
  • 3840 – Apple iTunes ITPC Handler BO Attempt
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.