cbcvebase.
CVE-2005-0043
published 2005-05-02

CVE-2005-0043: Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files.

Priority: P3 (48, high) · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: yes
EPSS: 69.01% (99.3rd percentile)

Affected (1 range)

Vendor  Product  Version range  Fixed in
apple   itunes   (not given)    (not given)

Detection & IOCs (extracted from sources)

filename: .pls
filename: .m3u
other: NOP sled length: 2545 bytes before payload
other: PLS playlist trigger string: [playlist]\r\nNumberOfEntries=
other: PLS File1 URL prefix trigger: File1=http://
other: Stack return address offset: 0x3DA8
other: Stack pivot adjustment: -3500
bytes: \x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee
  • Detect PLS playlist files delivered over HTTP where the File1= field contains an abnormally long URL (>1598 bytes), indicative of the buffer overflow trigger.
  • Flag HTTP responses with Content-Type text/plain serving .pls files that contain a [playlist] header followed by a NumberOfEntries field and an oversized File1=http:// URL.
  • Monitor iTunes process for network connections to port 4444 immediately after opening a .pls file, which may indicate successful bindshell exploitation on macOS.
  • Payload bad characters for this exploit are: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 — shellcode in .pls URLs will avoid these bytes, which can help tune detection signatures.
  • Detect NOP sleds of ~2545 bytes prepended to shellcode within a URL embedded in a .pls playlist file.
  • The OS X PoC shellcode fills the buffer with \x60 bytes as padding; scanning .pls file content for long runs of \x60 bytes followed by shellcode is a viable detection approach.
  • The Metasploit module requires the URIPATH to be set with a .pls extension for the exploit to function; without this, iTunes will not parse the file as a playlist.
  • The Windows return addresses are version-specific: 0x75033083 targets Windows 2000 Pro SP4 and 0x77dc2063 targets Windows XP Pro SP2; using the wrong target will cause a crash rather than code execution.
  • The OS X PoC targets iTunes on OS X 10.3.7 specifically and uses a hardcoded stack offset of 0x3DA8; this offset may need adjustment on other builds.
  • The vulnerable iTunes version is specifically build 4.7.0.42; other builds may not be exploitable with these exact offsets.
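The detection notes above (oversized File1= URL, the [playlist]/NumberOfEntries header, long runs of \x60 padding) can be turned into a simple file-level check. The following Python is an added example written for this record; it is not code from the cbcvebase page, the Metasploit module or the PoC it describes. The 1598-byte URL threshold comes from the notes above; the minimum padding-run length (PADDING_RUN_MIN) and the sample playlists are constructed assumptions for illustration.

```python
import re

# Threshold from the detection note: File1= URLs longer than 1598 bytes
# are treated as the CVE-2005-0043 overflow trigger.
URL_LENGTH_THRESHOLD = 1598
# Minimum run of 0x60 padding bytes worth flagging (assumed value, not from the page).
PADDING_RUN_MIN = 64


def analyze_pls(data: bytes) -> dict:
    """Inspect raw .pls content and return findings relevant to CVE-2005-0043.

    The check is purely structural: it never executes or decodes anything,
    it only measures field lengths and byte runs.
    """
    findings = {
        "has_playlist_header": False,  # "[playlist]" followed by NumberOfEntries=
        "long_file_urls": [],          # (field name, URL length) for oversized entries
        "longest_0x60_run": 0,         # longest run of \x60 padding bytes
        "suspicious": False,
    }

    # Header check: the trigger string from the IoC list, tolerant of CRLF or LF.
    if re.match(rb"\s*\[playlist\]\r?\n\s*NumberOfEntries=", data, re.IGNORECASE):
        findings["has_playlist_header"] = True

    # Measure every FileN= entry; the documented trigger is an oversized File1=http:// URL.
    for m in re.finditer(rb"^(File\d+)=(.*?)$", data, re.MULTILINE):
        field = m.group(1).decode("ascii", "replace")
        url = m.group(2).rstrip(b"\r")
        if len(url) > URL_LENGTH_THRESHOLD:
            findings["long_file_urls"].append((field, len(url)))

    # Longest run of \x60 bytes (the padding the OS X PoC uses, per the notes above).
    runs = re.findall(rb"\x60+", data)
    if runs:
        findings["longest_0x60_run"] = max(len(r) for r in runs)

    findings["suspicious"] = (
        bool(findings["long_file_urls"])
        or findings["longest_0x60_run"] >= PADDING_RUN_MIN
    )
    return findings


# Constructed sample inputs (not captured from any real exploit traffic).
BENIGN_PLS = (
    b"[playlist]\r\nNumberOfEntries=1\r\n"
    b"File1=http://example.invalid/song.mp3\r\nTitle1=Song\r\nLength1=-1\r\n"
)
# Oversized URL built from a harmless filler byte, 2000 bytes after "http://".
OVERSIZED_PLS = (
    b"[playlist]\r\nNumberOfEntries=1\r\nFile1=http://" + b"A" * 2000 + b"\r\n"
)
# Short URL but a long \x60 padding run inside it.
PADDED_PLS = (
    b"[playlist]\r\nNumberOfEntries=1\r\nFile1=http://x/" + b"\x60" * 100 + b"\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLS), ("oversized", OVERSIZED_PLS), ("padded", PADDED_PLS)):
        print(name, analyze_pls(sample))
```

The two signals are independent on purpose: an oversized File1= URL matches the overflow condition regardless of payload encoding, while the \x60-run check only catches the specific PoC padding and should be weighted accordingly when tuning alerts.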