Here's the (mac) exploit module to go along with my simul-report to apple: http://static.dataspill.org/releases/itunes/itms_overflow.rb

On Tue, Jun 2, 2009 at 3:27 PM, dvlabs <dvlabs@xxxxxxxxxxxxxxxx> wrote:
> TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow
> Vulnerabilities
> http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
> June 2, 2009
>
> -- CVE ID:
> CVE-2009-0950
>
> -- Affected Vendors:
> Apple
>
> -- Affected Products:
> Apple iTunes
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this
> vulnerability by Digital Vaccine protection filter ID 8013.
> For further product information on the TippingPoint IPS, visit:
>
> http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Apple iTunes. User interaction is required
> to exploit this vulnerability in that the target must visit a malicious
> page.
>
> The specific flaw exists in the URL handlers associated with iTunes.
> When processing URLs via the protocol handlers "itms", "itmss", "daap",
> "pcast", and "itpc" an exploitable stack overflow occurs. Successful
> exploitation can lead to a remote system compromise under the
> credentials of the currently logged in user.
>
> -- Vendor Response:
> Apple has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://support.apple.com/kb/HT3592
>
> -- Disclosure Timeline:
> 2009-04-09 - Vulnerability reported to vendor
> 2009-06-02 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
> * James King, TippingPoint DVLabs
>
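The advisory quoted above describes the bug class only in one sentence: a stack overflow when a URL handler for the "itms", "itmss", "daap", "pcast" or "itpc" scheme processes an overlong URL. The C below is an added illustration of that pattern and its fix; it is not iTunes code, not the linked exploit module, and not from the advisory. The handler, buffer size (HOST_MAX) and the sample URLs are all constructed for the example; only the five scheme names come from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Schemes named in the advisory. Everything else here is a hypothetical handler. */
static const char *const kSchemes[] = { "itms", "itmss", "daap", "pcast", "itpc" };

/* Returns the length of the matching scheme name (without "://"), or 0 if the
 * URL does not start with one of the recognised schemes. */
static size_t match_scheme(const char *url) {
    for (size_t i = 0; i < sizeof kSchemes / sizeof kSchemes[0]; i++) {
        size_t n = strlen(kSchemes[i]);
        if (strncmp(url, kSchemes[i], n) == 0 && strncmp(url + n, "://", 3) == 0)
            return n;
    }
    return 0;
}

#define HOST_MAX 64   /* constructed buffer size for the example */

/* Vulnerable pattern: the part of the URL after "scheme://" is copied into a
 * fixed-size stack buffer with no length check. Any input longer than HOST_MAX-1
 * bytes writes past `host` and corrupts the stack frame, which is the defect
 * class the advisory reports. Returns the copied length, or -1 for an unknown
 * scheme. Only ever call this with short input. */
int dispatch_unbounded(const char *url) {
    char host[HOST_MAX];
    size_t n = match_scheme(url);
    if (n == 0) return -1;
    strcpy(host, url + n + 3);   /* no bound: overflows on long URLs */
    return (int)strlen(host);
}

/* Hardened version: measure the remainder against the buffer before copying,
 * refuse anything that would not fit, and always NUL-terminate.
 * Returns the copied length, -1 for an unknown scheme, -2 for an overlong URL. */
int dispatch_bounded(const char *url) {
    char host[HOST_MAX];
    size_t n = match_scheme(url);
    if (n == 0) return -1;
    const char *rest = url + n + 3;
    /* memchr stops at HOST_MAX bytes, so an unterminated or too-long remainder
     * is detected without reading or writing beyond the buffer size. */
    const char *end = memchr(rest, '\0', HOST_MAX);
    if (end == NULL) return -2;            /* would overflow: reject */
    size_t len = (size_t)(end - rest);
    memcpy(host, rest, len);
    host[len] = '\0';
    return (int)len;
}

int main(void) {
    char longurl[7 + 200 + 1];             /* constructed overlong itms:// URL */
    memcpy(longurl, "itms://", 7);
    memset(longurl + 7, 'A', 200);
    longurl[7 + 200] = '\0';

    printf("bounded, short   : %d\n", dispatch_bounded("itms://example.test/app"));
    printf("bounded, long    : %d\n", dispatch_bounded(longurl));
    printf("bounded, unknown : %d\n", dispatch_bounded("http://example.test/"));
    printf("unbounded, short : %d\n", dispatch_unbounded("daap://h"));
    /* dispatch_unbounded(longurl) is deliberately not called: it would overflow. */
    return 0;
}
```

The only difference between the two handlers is the check before the copy; the bounded version fails closed on the overlong input instead of trusting that a URL fits a stack buffer chosen at compile time.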