# CVE-2009-0950

Published 2009-06-02

Stack-based buffer overflow in Apple iTunes before 8.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an itms: URL with a long URL component after a colon.

| Priority | Severity | CVSS 2.0 score | CVSS 2.0 vector |
|---|---|---|---|
| P2 · 59 | critical | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |

Public exploit: yes. EPSS: 28.82% (97.9th percentile).
## Affected

72 ranges; the only entry with version data is shown below.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | itunes | <= 8.1.1 | — |
## Detection & IOCs

Extracted from the sources cited on this page.

- Snort: GID 1, SIDs 15703 through 15707
- Bytes: `VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0`
- In the Safari/browser context, itms:// URLs are passed to iTunes automatically without user interaction, which makes drive-by exploitation possible; monitor browser-to-iTunes URL handler invocations.
- The SafeSEH bypass uses a QuickTime.qts gadget at 0x67215e2a (ADD ESP,8; RETN); the presence of this return address in memory or in a network payload is a strong exploit indicator.
- Only vfork-based payloads are reliable on OS X because iTunes is multithreaded; standard fork/exec payloads may be unstable.
- The exploit payload space is limited to approximately 1024 bytes by browser URL length constraints.
No detection rules found.
## Exploit-DB: Apple iTunes 8.1.1 (Mac OSX) - ITms Overflow (Metasploit)

exploitdb · 2010-11-11 · CVE-2009-0950

Module header excerpt (truncated on the source page). The page's HTML extraction swallowed the text between `<` and the first `=>`, i.e. the superclass and the `initialize`/`update_info` opening; those lines are restored here from the standard Metasploit 3 module layout and marked as such:

```ruby
##
# $Id: itms_overflow.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Superclass and initialize header assumed from the standard Metasploit 3
# module layout; they were lost in extraction and are not quoted from the page.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple OS X iTunes 8.1.1 ITMS Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in iTunes
        itms:// URL parsing. It is accessible from the browser and
        in Safari, itms urls will be opened in iTunes automatically.
        Because iTunes is multithreaded, only vfork-based payloads should
        be used.
      },
      'Author'         => [ 'Will Drewry' ],
      'License'        => MSF_LIC
```
## Exploit-DB: Apple iTunes 8.1.x - 'daap' Remote Buffer Overflow

exploitdb · 2010-01-14 · CVSS 9.3 · CVE-2009-0950 [CRITICAL]

Header comment excerpt (truncated on the source page):

```c
/* iTunes-CVE09-s36.c
 *
 * Apple iTunes 8.1.x (daap) Buffer overflow remote exploit (CVE-2009-0950)
 *
 * Coded By :
 * .:: [ Simo36 ] ::.
 *
 * Contact : [email protected]
 *           [email protected]
 *
 * Home : www.sec-r1z.com
 *
 * Tested on : Win XP SP/SP3 French , Win2k pro SP4 english
 *
 * Thanks To : Ryujin & Stack & r1z
 *
 * finally I want to thank Mr. ryujin for printable shellcode and jump back .
 *
 * C:\Documents and Settings\Administrateur\Bureau\exploit>iTunes-CVE09-s36..exe
 *
 * [+] Apple iTunes 8.1.x Buffer overflow remote exploit CVE-2009-0950
 *
 * [+] By : Simo36 & His0k4 ( [email protected] )
 *
 * [+] Home : www.sec-r1z.com
 * [+] Listen on port 80
 *
 * [+] Connection accepted from 127.0.0.1:1097
 *
 * [x] Sendin welcome informatio
```
## Exploit-DB: Apple iTunes 8.1.1.10 (Windows) - 'itms/itcp' Remote Buffer Overflow

exploitdb · 2009-06-12 · CVSS 9.3 · CVE-2009-0950 [CRITICAL]

Header comment excerpt (truncated on the source page):

```python
#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce - 06/10/2009
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
#
# Vulnerability can't be exploited simply by overwriting a return address on the
# stack because of stack canary protection. Increasing the buffer size leads to
# an SEH overwrite, but it seems that the Access Violation needed to get our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URIs to iTunes:
# - the 1st payload corrupts the stack (it doesn't overwrite the cookie, n
```
## Exploit-DB: Apple iTunes 8.1.1 - 'ITMS' Multiple Protocol Handler Buffer Overflow (Metasploit)

exploitdb · 2009-06-03 · CVSS 9.3 · CVE-2009-0950 [CRITICAL]

Module header excerpt (truncated on the source page). As in the later revision of this module, the extraction swallowed the text between `<` and the first `=>`; the superclass and the `initialize`/`update_info` opening are restored from the standard Metasploit 3 module layout and marked as such:

```ruby
##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

# Superclass and initialize header assumed from the standard Metasploit 3
# module layout; they were lost in extraction and are not quoted from the page.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple OS X iTunes 8.1.1 ITMS Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in iTunes
        itms:// URL parsing. It is accessible from the browser and
        in Safari, itms urls will be opened in iTunes automatically.
        Because iTunes is multithreaded, only vfork-based payloads should
        be used.
      },
      'Author'         => [ 'Will Drewry' ],
      'License'        => MSF_LICENSE,
      'Version'
```
## Metasploit: Apple OS X iTunes 8.1.1 ITMS Overflow

This module exploits a stack-based buffer overflow in iTunes itms:// URL parsing. It is accessible from the browser, and in Safari, itms URLs will be opened in iTunes automatically. Because iTunes is multithreaded, only vfork-based payloads should be used.
## Talos: Rule release for today - July 21st 2009

blogs_talos · 2009-07-21 · CVSS 9.3 · CVE-2009-0950 [CRITICAL]

A few new rules and some modifications to improve rule performance in today's release.

Apple iTunes Buffer Overflow (CVE-2009-0950): Apple iTunes contains a programming error that may allow a remote attacker to execute code on a vulnerable system. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 15703 through 15707.

Unisys Business Information Server Buffer Overflow (CVE-2009-1628): The Unisys Business Information Server contains a programming error that may allow a remote attacker to execute code on an affected system. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15708.

As a result of ongoing research the Sourcefire VRT has added multiple rules t
## References

- http://lists.apple.com/archives/security-announce/2009/Jun/msg00001.html
- http://osvdb.org/54833
- http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html
- http://secunia.com/advisories/35314
- http://static.dataspill.org/releases/itunes/itms_overflow.rb
- http://support.apple.com/kb/HT3592
- http://www.securityfocus.com/archive/1/504043/100/0/threaded
- http://www.securityfocus.com/bid/35157
- http://www.securitytracker.com/id?1022313
- http://www.vupen.com/english/advisories/2009/1470
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50899
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17099
- https://www.exploit-db.com/exploits/8861
- https://www.exploit-db.com/exploits/8934