Apple iTunes Buffer Overflow

July 2, 2009

A URL (Universal Resource Locator) specifies parameters to request for a resource. Typically, a URL composed of the following components:


For example:

Apple iTunes is a multimedia player that supports a wide range of media formats. When iTunes is installed, it registers itself with the host Operating System as a protocol handler for several application URL schemes.

A buffer overflow vulnerability exists in iTunes. The vulnerability is due to a boundary error when parsing URLs containing iTunes-specific schemes such as iTunes Music Store Protocol (itms://), Podcast (itpc://) and Digital Audio Access Protocol (daap://). Specifically, the application copies the port value from an URL into a fixed size (256 bytes) stack buffer without performing boundary checks. If URL contains an overly long port string, it will overflow the stack buffer, potentially ovewriting critical process data such as function return addresses and SEH pointers.

Remote attackers could exploit this vulnerability by persuading a target user to open a specially crafted URL, causing a stack-based buffer overflow. Successful exploitation would lead to arbitrary code execution in the security context of the logged in user, or terminate the application resulting in a Denial of Service condition.

The vulnerability has been assigned as CVE-2009-0950.

SonicWALL has released several IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed bellow:

  • 3013 - Apple iTunes DAAP Handler BO Attempt
  • 3808 - Apple iTunes ITMS Handler BO Attempt
  • 3836 - Apple iTunes ITMS Handler BO Attempt 2
  • 3840 - Apple iTunes ITPC Handler BO Attempt