CyRC Vulnerability Advisory: CVE-2023-32353, Apple iTunes local privilege escalation on Windows

Overview

The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-32353, a local privilege escalation vulnerability in Apple iTunes on Microsoft Windows. iTunes is a software program that acts as a media player, media library, mobile device management utility, and the client app for the iTunes Store. It is developed by Apple Inc.

The application creates a privileged folder with weak access control. It is possible for a regular user to redirect this folder creation to the Windows system directory. This can then be leveraged to obtain a higher-privileged system shell.

Exploitation

The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.

Affected software

• Apple iTunes versions prior to 12.12.9

Impact

Exploitation of this vulnerability can lead to local privilege escalation on Windows, yielding system level privileges.

CVSS Base Score: 7.8 (high)

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery credit

Zeeshan Shaikh (@bugzzzhunter) is a researcher with the Synopsys Cybersecurity Research Center.