Date: Wed, 18 Aug 2010 17:12:53 +0200
From: "Mitja Kolsek" <mitja.kolsek@...os.si>
To: <bugtraq@...urityfocus.com>, <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
	<cert@...t.org>, <si-cert@...es.si>
Subject: ACROS Security: Remote Binary Planting in Apple iTunes for Windows (ASPR #2010-08-18-1)

=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2010-08-18-1
-------------------------------------------------------------------------
ASPR #2010-08-18-1: Remote Binary Planting in Apple iTunes for Windows
=========================================================================

Document ID:     ASPR #2010-08-18-1-PUB
Vendor:          Apple, Inc. (http://www.apple.com)
Target:          Apple iTunes for Windows
Impact:          Remote execution of arbitrary code
Severity:        Very high
Status:          Official patch available, workarounds available
Discovered by:   Simon Raner of ACROS Security

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt


Summary
=======

A "binary planting" vulnerability in Apple iTunes for Windows allows local 
or remote (even Internet-based) attackers to deploy and execute malicious 
code on Windows machines in the context of logged-on users. 


Product Coverage
================

- Apple iTunes 9.0.3.15 for Windows (at least XP, Vista and Windows 7)

Note:  We only tested the above version; other versions may also be 
affected. 


Analysis 
========

As a result of an incorrect dynamic link library loading in Apple iTunes 
for Windows, an attacker can cause her malicious DLL to be loaded and 
executed from local drives, remote Windows shares, and even shares 
located on Internet. 

All a remote attacker has to do is plant a malicious DLL with a specific 
name on a network share and get the user to open a media file from this 
network location in iTunes - which should require minimal social 
engineering. Since Windows systems by default have the Web Client service 
running - which makes remote network shares accessible via WebDAV -, the 
malicious DLL can also be deployed from an Internet-based network share as 
long as the intermediate firewalls allow outbound HTTP traffic to the 
Internet. 

A systematic attack could deploy malicious code to a large number of 
Windows workstations in a short period of time, possibly as an Internet 
worm.

Additional details are available to interested corporate and government 
customers under NDA, as public disclosure would reveal too many details on 
the vulnerability and unduly accelerate malicious exploitation.


Mitigating Factors 
==================

- A firewall blocking outbound WebDAV traffic (in addition to blocking all 
Windows Networking protocols) could stop an Internet-based attack.


Solution 
========

Apple has issued a security bulletin [1] and published remediated 
versions of iTunes for Windows that fix this issue.


Workaround 
==========

- Stopping the Web Client service could stop Internet-based attacks 
as long as the network firewall stops outbound Microsoft Networking 
protocols. This would not, however, stop remote LAN-based attacks where 
the attacker is able to place a malicious DLL on a network share inside 
the target (e.g., corporate) network.

Other workarounds are available to interested corporate and government 
customers under NDA, as public disclosure would reveal too many details on 
the vulnerability and unduly accelerate malicious exploitation.


Related Services
================

ACROS is offering professional consulting on this issue to interested 
corporate and government customers. Typical questions we can help you 
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside 
   your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there other workarounds that you could implement to fix this issue 
   more efficiently and/or inexpensively?

5) Are your systems or applications vulnerable to other similar issues?


Interested parties are encouraged to ask for more information at 
security@...ossecurity.com.
 

References
==========

[1] About the security content of iTunes 9.1 
    http://support.apple.com/kb/HT4105


Acknowledgments
===============

/


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@...ossecurity.com
web:    http://www.acrossecurity.com
phone:  +386 2 3000 280
fax:    +386 2 3000 282

ACROS Security PGP Key
   http://www.acrossecurity.com/pgpkey.asc
   [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
   http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
   http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
   http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the 
purpose of education and protection. ACROS d.o.o. shall in no event be 
liable for any damage whatsoever, direct or implied, arising from use or 
spread of this information. All identifiers (hostnames, IP addresses, 
company names, individual names etc.) used in examples and demonstrations 
are used only for explanatory purposes and have no connection with any 
real host, company or individual. In no event should it be assumed that 
use of these names means specific hosts, companies or individuals are 
vulnerable to any attacks nor does it mean that they consent to being used 
in any vulnerability tests. The use of information in this report is 
entirely at user's risk.


Revision History
================

August 18, 2010: Initial release


Copyright
=========

(c) 2010 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====

Powered by blists - more mailing lists