Apple iTunes m3u Playlist Buffer Overflows
Apple iTunes is a digital media player application used for playback and organization of digital media content. It is also used to manage content on Apple devices such as iPod, iPhone, iPod Touch and others. iTunes is capable of creating and processing playlists of the PLS and M3U formats. There are two types of M3U playlists, the standard and extended formats. An example snippet of the standard M3U playlist follows:
# this is a comment http://server.com/file2.mp3 http://test.com/file10.mp3
The media resource may be either a music file on the local file system or a remote server specified via a URL. An extended M3U file contains different types of records. An example snippet follows:
#EXTM3U #EXTINF:-1,Rock 101 : My rock station http://mediaserver.com:8000/rock.mp3
Multiple buffer overflows exist in Apple iTunes when parsing M3U files with overly long records. Overflows exist within three records. EXTINF records begin with the string #EXTINF. Two buffer overflows can occur when handling overly long #EXTINF records. Both occur when the affected record value is copied into a fixed size buffer without proper length validation. The first flaw results in a heap buffer overflow, while the second in a stack buffer overflow.
Filename records, which follow an EXTINF record can also be used to exploit another vulnerability. The filename flaw is also a case of a string being copied into a fixed size heap buffer.
Additional records contained within the m3u file which fall outside of the file format specification are also processed by iTunes. These records are copied into fixed size heap buffers without proper length checks. Supplying overly long strings in these records may also result in heap buffer overflows which consequently may result in termination of the application or diversion of process flow.
An attacker can exploit this vulnerability by enticing a user to open a malicious M3U file with a vulnerable version of iTunes. Successful exploitation could result in the injection and execution of arbitrary code in the context of the currently logged in user. Unsuccessful exploitation could result in the application terminating abnormally.
Dell SonicWALL has existing signatures that address M3U file exploits as well as a host of generic signatures which are likely to pro-actively catch exploits targeting this vulnerability. The published exploit is caught by the following IPS signature:
- 6808 - Client Application Shellcode Exploit 26