iTunes m3u Playlist Overflow

Added: 07/03/2012
CVE: CVE-2012-0677
BID: 53933
OSVDB: 82897

Background

iTunes is a free media player for multiple platforms.

Problem

iTunes does not properly validate parameters for #EXTINF: directives in m3u files. This results in an exploitable stack overflow.

Resolution

Upgrade to iTunes 10.6.3 or higher.

References

http://support.apple.com/kb/HT5318
http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php

Limitations

QuickTime must be installed on the target system. This exploit has been tested against iTunes 10.6.1.7 and QuickTime 7.7.2 running on Microsoft Windows XP SP3 English (DEP OptIn).

Platforms

Windows

Back to exploit index