Re: TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer --Overflow Vulnerabilities

From: Will Drewry <redpig@dataspill.org>
To: dvlabs <dvlabs@tippingpoint.com>
Cc: FD <full-disclosure@lists.grok.org.uk>,bugtraq <bugtraq@securityfocus.com>,ZDI Disclosures <zdi-disclosures@tippingpoint.com>
Subject: Re: TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer --Overflow Vulnerabilities
Date:


Here's the (mac) exploit module to go along with my simul-report to
apple:  http://static.dataspill.org/releases/itunes/itms_overflow.rb

On Tue, Jun 2, 2009 at 3:27 PM, dvlabs <dvlabs@tippingpoint.com> wrote:
> TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow
> Vulnerabilities
> http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
> June 2, 2009
>
> -- CVE ID:
> CVE-2009-0950
>
> -- Affected Vendors:
> Apple
>
> -- Affected Products:
> Apple iTunes
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this
> vulnerability by Digital Vaccine protection filter ID 8013.
> For further product information on the TippingPoint IPS, visit:
>
>  http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Apple iTunes. User interaction is required
> to exploit this vulnerability in that the target must visit a malicious
> page.
>
> The specific flaw exists in the URL handlers associated with iTunes.
> When processing URLs via the protocol handlers "itms", "itmss", "daap",
> "pcast", and "itpc" an exploitable stack overflow occurs. Successful
> exploitation can lead to a remote system compromise under the
> credentials of the currently logged in user.
>
> -- Vendor Response:
> Apple has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://support.apple.com/kb/HT3592
>
> -- Disclosure Timeline:
> 2009-04-09 - Vulnerability reported to vendor
> 2009-06-02 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
>  * James King, TippingPoint DVLabs
>
>





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.