Vulnerabilities > CVE-2006-1467 - Numeric Errors vulnerability in Apple iTunes

CVSS 5.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
high complexity
apple
CWE-189
nessus

Summary

Integer overflow in the AAC file parsing code in Apple iTunes before 6.0.5 on Mac OS X 10.2.8 or later, and Windows XP and 2000, allows remote user-assisted attackers to execute arbitrary code via an AAC (M4P, M4A, or M4B) file with a sample table size (STSZ) atom with a "malformed" sample_size_table value.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Windows
    NASL id: ITUNES_605.NASL
    description: The remote host is running Apple iTunes, a popular media player. The remote version of iTunes is vulnerable to an integer overflow when it parses a specially crafted AAC file. By tricking a user into opening such a file, a remote attacker may be able to leverage this issue to execute arbitrary code on the affected host, subject to the privileges of the user running the application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21782
    published: 2006-06-30
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21782
    title: Apple iTunes AAC File Parsing Integer Overflow (credentialed check)
    code
    #
    #  (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration pass: declares the plugin's metadata and then exits,
    # so none of the detection logic below runs in this mode.
    if (description)
    {
      # Plugin identity and revision.
      script_id(21782);
      script_version("1.19");
      script_cvs_date("Date: 2018/11/15 20:50:27");

      # Advisory identifiers this check reports against.
      script_cve_id("CVE-2006-1467");
      script_bugtraq_id(18730);

      script_name(english:"Apple iTunes AAC File Parsing Integer Overflow (credentialed check)");
      script_summary(english:"Check the version of iTunes");

      # Report text. The literals span several lines, so their line breaks
      # are part of the text that is reported.
      script_set_attribute(attribute:"synopsis", value:"The remote Windows host contains an application that is affected by a
    remote code execution flaw.");
      script_set_attribute(attribute:"description", value:"The remote host is running Apple iTunes, a popular media player.
    
    The remote version of iTunes is vulnerable to an integer overflow when
    it parses a specially crafted AAC file. By tricking a user into
    opening such a file, a remote attacker may be able to leverage this
    issue to execute arbitrary code on the affected host, subject to the
    privileges of the user running the application.");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10781");
      script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2006/Jun/msg00001.html");
      script_set_attribute(attribute:"solution", value:"Upgrade to Apple iTunes 6.0.5 or later.");

      # Severity: CVSS v2 base and temporal vectors, plus exploit metadata.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # Timeline.
      # NOTE(review): no patch_publication_date is set here, although the
      # other two checks for this CVE on this page do set one.
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/30");

      # "local": the result comes from data read off the host, not from probing it.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();

      # Scheduling: information gathering only. It needs the registry
      # enumeration flag from smb_hotfixes.nasl and an SMB port (139 or 445).
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);

      exit(0);
    }
    
    
    include("smb_func.inc");
    include("audit.inc");
    
    
    # Credentialed version check for iTunes on Windows.
    #
    # Flow: open an SMB session with the scan credentials, read the iTunes.exe
    # "open" command from the remote registry, derive the drive share and path
    # of the executable, read its file version, and report when that version is
    # older than 6.0.5.
    #
    # NOTE(review): every failure path after smb_session_init() ends in a bare
    # exit(0). In scan results "could not check" then looks the same as
    # "not affected"; consider reporting those paths through audit(), as is
    # already done for smb_session_init.

    # Connect to the appropriate share.
    # Nothing to do unless an earlier plugin recorded that the registry was enumerated.
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
    
    # name and port are assigned here but not referenced again in the visible code.
    name    =  kb_smb_name();
    port    =  kb_smb_transport();
    
    # SMB credentials come from the knowledge base, not from this script.
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    # IPC$ is connected first because the registry is queried next.
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Connect to remote registry.
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Get some info about the install.
    # Only the iTunes.exe registered under this one key is examined; a copy
    # installed elsewhere without this registration is not seen by the check.
    exe = NULL;
    key = "SOFTWARE\Classes\Applications\iTunes.exe\shell\open\command";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      # item:NULL presumably selects the key's default (unnamed) value, and
      # item[1] its data -- confirm against smb_func.inc.
      item = RegQueryValue(handle:key_h, item:NULL);
      if (!isnull(item)) exe = item[1];
    
      RegCloseKey(handle:key_h);
    }
    RegCloseKey(handle:hklm);
    
    
    # If it is...
    if (exe)
    {
      # Determine its version from the executable itself.
      # Keep only the quoted program path, dropping the quotes and anything after them.
      exe = ereg_replace(pattern:'^"([^"]+)".*$', replace:"\1", string:exe);
    
      # Drive letter + "$" gives the share name (e.g. "C" -> "C$"); the rest
      # of the string is the path on that share.
      # NOTE(review): a value that does not start with "<letter>:" is presumably
      # passed through unchanged by both replacements, so the share name would
      # be the whole string and the NetUseAdd below would fail -- confirm.
      share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:exe);
      exe =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:exe);
      # Drop the IPC$ connection before attaching to the drive share.
      NetUseDel(close:FALSE);
    
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        exit(0);
      }
    
      # Open the executable read-only; nothing on the target is modified.
      fh = CreateFile(
        file:exe,
        desired_access:GENERIC_READ,
        file_attributes:FILE_ATTRIBUTE_NORMAL,
        share_mode:FILE_SHARE_READ,
        create_disposition:OPEN_EXISTING
      );
      if (!isnull(fh))
      {
        ver = GetFileVersion(handle:fh);
        CloseFile(handle:fh);
      }
    
      # There's a problem if the version is before 6.0.5.
      # ver is only assigned when the file could be opened; the isnull() test
      # relies on an unassigned variable reading as NULL.
      if (!isnull(ver))
      {
        # Flags any major version below 6, or 6.0.x with x below 5.
        # Components after the third are not consulted.
        if (
          ver[0] < 6 ||
          (ver[0] == 6 && ver[1] == 0 && ver[2] < 5)
        ) security_warning(kb_smb_transport());
      }
    }
    
    
    # Clean up.
    NetUseDel();
    
  • NASL family: Peer-To-Peer File Sharing
    NASL id: ITUNES_605_BANNER.NASL
    description: The version of Apple iTunes running on the remote host is affected by an integer overflow vulnerability when it parses specially crafted AAC files. By convincing a user to open such a file, a remote attacker can execute arbitrary code with the same level of privileges as the user.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21783
    published: 2006-06-30
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21783
    title: Apple iTunes AAC File Parsing Integer Overflow (uncredentialed check)
    code
    #
    #  (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: declares the plugin's metadata and then exits,
    # so none of the detection logic below runs in this mode.
    if (description)
    {
      # Plugin identity and revision.
      script_id(21783);
      script_version("1.20");
      script_cvs_date("Date: 2018/11/15 20:50:24");

      # Advisory identifiers this check reports against.
      script_cve_id("CVE-2006-1467");
      script_bugtraq_id(18730);

      script_name(english:"Apple iTunes AAC File Parsing Integer Overflow (uncredentialed check)");
      script_summary(english:"Checks the version of iTunes.");

      # Report text. The literals span several lines, so their line breaks
      # are part of the text that is reported.
      script_set_attribute(attribute:"synopsis", value:"The remote host contains an application that is affected by a code
    execution vulnerability.");
      script_set_attribute(attribute:"description", value:"The version of Apple iTunes running on the remote host is affected by
    an integer overflow vulnerability when it parses specially crafted AAC
    files. By convincing a user to open such a file, a remote attacker can
    execute arbitrary code with the same level of privileges as the user.");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10781");
      script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2006/Jun/msg00001.html");
      script_set_attribute(attribute:"solution", value:"Upgrade to Apple iTunes 6.0.5 or later.");

      # Severity: CVSS v2 base and temporal vectors, plus exploit metadata.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # Timeline.
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/30");

      # "remote": the verdict comes from what the service reports over the
      # network, without logging in to the host.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();

      # Scheduling: information gathering only. It runs after
      # itunes_sharing.nasl and only when that plugin set "iTunes/sharing".
      script_category(ACT_GATHER_INFO);
      script_family(english:"Peer-To-Peer File Sharing");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

      script_dependencies("itunes_sharing.nasl");
      script_require_keys("iTunes/sharing");
      script_require_ports("Services/www", 3689);

      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Uncredentialed check: the verdict rests entirely on the version string
    # that an earlier plugin stored in the knowledge base for this port.
    # A host with no such entries is not assessed here.
    port = get_http_port(default:3689, embedded:TRUE, ignore_broken:TRUE);

    # Every lookup below ends the script when its key is missing.
    kb_base = "iTunes/" + port;
    get_kb_item_or_exit(kb_base + "/enabled");

    type    = get_kb_item_or_exit(kb_base + "/type");
    source  = get_kb_item_or_exit(kb_base + "/source");
    version = get_kb_item_or_exit(kb_base + "/version");

    # AppleTV listeners are audited out instead of being compared.
    if (type == 'AppleTV')
      audit(AUDIT_LISTEN_NOT_VULN, "iTunes on AppleTV", port, version);

    fixed_version = "6.0.5";

    # Only a result of -1 (reported version older than the fix) is reported;
    # any other comparison result is audited as not vulnerable.
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) != -1)
      audit(AUDIT_LISTEN_NOT_VULN, "iTunes", port, version);
    else
    {
      if (report_verbosity > 0)
      {
        # The extra detail shows where the version came from, so the
        # finding can be checked by hand.
        report =
          '\n  Version source    : ' + source +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed_version +
          '\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_ITUNES_OVERFLOW3.NASL
    description: The remote host is running iTunes, a popular jukebox program. The remote version of this software is vulnerable to an integer overflow when it parses specially crafted AAC files which may lead to the execution of arbitrary code. An attacker may exploit this flaw by sending a malformed AAC file to a user on the remote host and wait for him to play it with iTunes.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21781
    published: 2006-06-29
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21781
    title: iTunes < 6.0.5 AAC File Integer Overflow (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # Stop immediately unless the engine provides the bn_random() built-in.
    # NOTE(review): presumably an engine-capability gate; nothing in the
    # visible code calls bn_random() itself.
    if (!defined_func("bn_random"))
      exit(0);
    
    
    include("compat.inc");
    
    # Registration pass: declares the plugin's metadata and then exits,
    # so none of the detection logic below runs in this mode.
    if (description)
    {
      # Plugin identity and revision.
      script_id(21781);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/14  1:59:35");

      # Advisory identifiers this check reports against.
      script_cve_id("CVE-2006-1467");
      script_bugtraq_id(18730);

      script_name(english:"iTunes < 6.0.5 AAC File Integer Overflow (Mac OS X)");
      script_summary(english:"Check the version of iTunes");

      # Report text. The literals span several lines, so their line breaks
      # (and trailing spaces) are part of the text that is reported.
      script_set_attribute(attribute:"synopsis", value:"The remote host contains an application that is affected by a remote
    code execution flaw.");
      script_set_attribute(attribute:"description", value:"The remote host is running iTunes, a popular jukebox program. 
    
    The remote version of this software is vulnerable to an integer
    overflow when it parses specially crafted AAC files which may lead to
    the execution of arbitrary code. 
    
    An attacker may exploit this flaw by sending a malformed AAC file to a
    user on the remote host and wait for him to play it with iTunes.");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10781");
      script_set_attribute(attribute:"solution", value:"Upgrade to iTunes 6.0.5 or newer");

      # Severity: CVSS v2 base and temporal vectors, plus exploit metadata.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # Timeline.
      # NOTE(review): the patch date here (2006/06/23) differs from the
      # 2006/06/29 given by the uncredentialed check for the same CVE on
      # this page; confirm which one is intended.
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/23");

      # "local": the result comes from data gathered on the host itself.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();

      # Scheduling: information gathering only. It runs after
      # macosx_iTunes_Overflow.nasl and needs the "iTunes/Version" KB entry.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_family(english:"MacOS X Local Security Checks");
      script_dependencies("macosx_iTunes_Overflow.nasl");
      script_require_keys("iTunes/Version");
      exit(0);
    }
    
    
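    # Report iTunes when the version recorded in the knowledge base is older
    # than 6.0.5.
    #
    # The version string comes from the "iTunes/Version" KB entry; with no
    # entry the script exits silently and the host is simply not assessed.
    version = get_kb_item("iTunes/Version");
    if ( ! version ) exit(0);

    # Matches 1.x through 5.x, a bare "6.0", and 6.0.0 through 6.0.4.
    # The third component may be followed by further text: the earlier
    # pattern ended in "\.[0-4]$", so a longer 6.0.x string (constructed
    # example: "6.0.4.1") was not reported even though it is older than
    # 6.0.5. The character after the digit must be a non-digit, so a
    # two-digit third component such as "6.0.40" is still not matched.
    # Port 0 is passed because the finding is not tied to a network service.
    if ( egrep(pattern:"^([1-5]\..*|6\.0($|\.[0-4]($|[^0-9])))", string:version )) security_warning(0);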