
CyRC Vulnerability Advisory: CVE-2023-32353, Apple iTunes local privilege escalation on Windows

Zeeshan Shaikh

Jun 01, 2023 / 1 min read

Overview

The Black Duck Cybersecurity Research Center (CyRC) has discovered CVE-2023-32353, a local privilege escalation vulnerability in Apple iTunes on Microsoft Windows. iTunes is a software program that acts as a media player, media library, mobile device management utility, and the client app for the iTunes Store. It is developed by Apple Inc.

The application creates a privileged folder with weak access control. It is possible for a regular user to redirect this folder creation to the Windows system directory. This can then be leveraged to obtain a higher-privileged system shell.

Exploitation

The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as the SYSTEM user and grants full control over this directory to all users. After installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can later be used to gain Windows SYSTEM-level access.
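As a defender's check for the two conditions described above, here is an added PowerShell audit script; it is not part of the advisory or of Apple's software. It inspects the SC Info directory named in the advisory for a FullControl grant to low-privileged principals and for the directory having been replaced by a reparse point (symbolic link or junction). The list of "broad" principals is an assumption and can be widened to match local policy.

```powershell
# Added example (not from the Black Duck advisory or from Apple):
# audit the SC Info folder for the weak-ACL and folder-redirection
# conditions that the advisory describes for CVE-2023-32353.
# Run in an elevated PowerShell session so the ACL can be read reliably.

# Path as named in the advisory.
$Path = 'C:\ProgramData\Apple Computer\iTunes\SC Info'

# Principals whose FullControl on a SYSTEM-created folder is a red flag (assumed list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not present: $Path (iTunes not installed, or folder not yet created)"
    return
}

$item = Get-Item -LiteralPath $Path -Force

# Condition 1: a reparse point here means the folder has been redirected elsewhere.
if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
    Write-Warning "$Path is a reparse point ($($item.LinkType) -> $($item.Target)); a SYSTEM-created folder should be a real directory."
} else {
    Write-Output "$Path is a regular directory (no reparse point)."
}

# Condition 2: weak access control. Flag Allow ACEs that grant FullControl to broad principals.
$acl   = Get-Acl -LiteralPath $Path
$weak  = @()
foreach ($ace in $acl.Access) {
    $grantsFull = $ace.FileSystemRights.HasFlag([Security.AccessControl.FileSystemRights]::FullControl)
    if ($ace.AccessControlType -eq 'Allow' -and $grantsFull -and
        ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
        $weak += $ace
        Write-Warning ("{0} grants FullControl to {1} (inherited: {2})" -f
            $Path, $ace.IdentityReference.Value, $ace.IsInherited)
    }
}

if ($weak.Count -eq 0) {
    Write-Output "No FullControl grants to broad principals on $Path."
}

# Owner is worth recording too: a SYSTEM-created folder owned by an ordinary user is suspicious.
Write-Output ("Owner: {0}" -f $acl.Owner)
```

The script only reports; remediation is the vendor update listed under "Affected software". The owner line is included because a folder that SYSTEM created but a standard user owns is another sign that the directory was re-created outside the installer's normal flow.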

Affected software

  • Apple iTunes versions prior to 12.12.9

Impact

Exploitation of this vulnerability can lead to local privilege escalation on Windows, yielding system level privileges.

CVSS Base Score: 7.8 (high)

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Remediation

Apple has patched the vulnerability. Update iTunes to version 12.12.9 or later.

Discovery credit

Zeeshan Shaikh (@bugzzzhunter) is a researcher with the Black Duck Cybersecurity Research Center.

Timeline

  • September 27, 2022: Initial disclosure
  • November 24, 2022: Apple confirms vulnerability
  • May 23, 2023: Apple releases patch
  • June 01, 2023: Black Duck publishes disclosure

About CVSS

FIRST.Org, Inc. (FIRST) is a nonprofit organization based in the U.S. that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also states that any individual or organization that publishes scores must follow the guidelines so that anyone can understand how the score was calculated.
