Message-ID: <F215DD4495814B258D56742DAFBDDDB5@W340>
Date: Mon, 2 Feb 2015 20:57:57 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Brandon Perry" <bperry.volatile@...il.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] iTunes 12.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

"Brandon Perry" <bperry.volatile@...il.com> wrote:

> I think you would get more traction on possibly getting Apple to fix these
> if you wrote exploits proving they were a problem.

Or do you mean exploits like this one:
<http://seclists.org/fulldisclosure/2014/May/163>

EVERY developer should know that

* his/her software is not the only application installed on a user's PC;

* the outdated or vulnerable components s/he delivers and installs can
  be called by every other application or malware running on a user's PC!

JFTR: the MSVCRT DLL of Visual C++ 2003 which was/is used for example
      in Sun/Oracle Java 6.x and thus installed on many user systems is
      a good trampoline for attacks.

      There is ABSOLUTELY no justification for Apple or any other
      developer to ship VULNERABLE components at all!


regards
Stefan Kanthak

> On Sat, Jan 31, 2015 at 10:11 AM, Stefan Kanthak <stefan.kanthak@...go.de>
> wrote:
>
>> Hi @ll,
>>
>> See <http://seclists.org/bugtraq/2014/Oct/164>,
>> <http://seclists.org/fulldisclosure/2014/Oct/109>,
>> <http://seclists.org/fulldisclosure/2014/Aug/44>,
>> <http://seclists.org/fulldisclosure/2014/Aug/33> and
>> <http://seclists.org/fulldisclosure/2014/Jul/30> for the
>> prequel.
>>
>>
>> The just released iTunes 12.1 for Windows comes again with
>> outdated and VULNERABLE 3rd party libraries.
>>
>> In AppleMobileDeviceSupport.msi:
>>
>> * libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05
>>
>>   The current version is 0.9.8ze and has 21 security fixes
>>   which are missing in 0.9.8za; see <http://openssl.org/news/>
>>
>>   At last, these DLLs are no longer 7 years old, as before, but
>>   "only" 7 months old.
>>
>>
>> * libcurl.dll 7.16.2
>>
>>   is almost EIGHT years old and has at least 22 unfixed CVEs!
>>
>>   The current version is 7.40.0; for the fixed vulnerabilities
>>   see <http://curl.haxx.se/docs/security.html>
>>
>>
>> In AppleApplicationSupport.msi:
>>
>> * msvcr100.dll and msvcp100.dll 10.0.40219.1 from 2011-02-20
>>
>>   These are the runtime DLLs for Visual C++ 2010 RTM.
>>
>>   The current version is but 10.0.40219.325; see
>>   https://technet.microsoft.com/library/security/bulletin/MS11-025
>>
>>
>>
>> Additionally the following VULNERABLE[*] command lines with unquoted
>> pathnames containing spaces are registered.
>>
>> By AppleApplicationSupport.msi:
>>
>>
>> [HKEY_CLASSES_ROOT\CLSID\{fdd068c2-d51a-4175-8a20-5cbc704ea3bd}\LocalServer32]
>> @="[#AppleApplicationSupport_APSDaemon.exe]"
>>
>>
>> [HKEY_CLASSES_ROOT\CLSID\{6812639B-FD61-4329-9901-22CFDBD690FE}\LocalServer32]
>> @="[#AppleApplicationSupport_APSDaemon.exe]"
>>
>>
>> [HKEY_CLASSES_ROOT\CLSID\{D9E904CA-8865-42E7-B0F0-B7B8C4D54D70}\LocalServer32]
>> @="[#AppleApplicationSupport_APSDaemon.exe]"
>>
>>
>> For beginners: the value of the unnamed registry entry is a COMMAND
>> LINE and has to be quoted properly!
>>
>> From <https://msdn.microsoft.com/library/ms683844.aspx>
>>
>> | To help provide system security, use quoted strings in the path to
>> | indicate where the executable filename ends and the arguments begin.
>>
>> As of Windows 2003, developers who are NOT completely unaware of
>> Microsoft's documentation might want to use the "ServerExecutable"
>> registry entry described there too.
>> But 12 years are surely way too short for Apple's developers, QA and
>> management to learn about such "new" features which help improve safety
>> and security.
>>
>>
>> By iTunes.msi:
>>
>> [HKEY_CLASSES_ROOT\itms\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\daap\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itmss\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itsradio\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itunesradio\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\iTunes\shell\open\command]
>> @="[#iTunes.exe]"
>>
>> [HKEY_CLASSES_ROOT\itpc\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\itls\shell\open\command]
>> @="[#iTunes.exe] /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itls\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\pcast\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.daap\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itms\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itmss\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itpc\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>> [HKEY_CLASSES_ROOT\iTunes.AssocProtocol.pcast\shell\open\command]
>> @="[INSTALLDIR]iTunes.exe /url \"%1\""
>>
>>
>> From <http://msdn.microsoft.com/library/cc144175.aspx>:
>>
>> | If any element of the command string contains or might contain
>> | spaces, it must be enclosed in quotation marks. Otherwise, if
>>           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> | the element contains a space, it will not parse correctly.
>>
>>
>> See <http://home.arcor.de/skanthak/sentinel.html> if you want to
>> detect software with this 20+ year old vulnerability[*] without
>> dissecting its *.MSI files.
>>
>>
>> Until Apple's developers, their QA and their managers start to
>> develop a sense for their customers' safety and security:
>> stay away from Apple's (Windows) software!
>>
>>
>> stay tuned
>> Stefan Kanthak
>>
>>
>> [*] <https://cwe.mitre.org/data/definitions/428.html>
>>     You'll read more about it soon!
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
>
>
> -- 
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>



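An added example, not part of this thread and not Apple's or Microsoft's code: a small Python auditor for registry command lines in the listing style above. It flags default values whose executable path contains spaces but is not quoted (CWE-428), lists the paths CreateProcess would probe before the intended one (useful for monitoring or deny rules), and emits the quoted form the MSDN guidance asks for. The listing is constructed; the install path and the third key are hypothetical, and the MSI placeholders `[#...]`/`[INSTALLDIR]` are assumed to be already resolved.

```python
import re
# Constructed listing in the advisory's style (not real iTunes data); the
# install path and the third key are hypothetical.
SAMPLE = r'''
[HKEY_CLASSES_ROOT\CLSID\{fdd068c2-d51a-4175-8a20-5cbc704ea3bd}\LocalServer32]
@="C:\Program Files\Vendor App\APSDaemon.exe"
[HKEY_CLASSES_ROOT\itms\shell\open\command]
@="C:\Program Files\Vendor App\iTunes.exe /url \"%1\""
[HKEY_CLASSES_ROOT\example\shell\open\command]
@="\"C:\Program Files\Vendor App\iTunes.exe\" /url \"%1\""
'''
EXE_END = re.compile(r'\.exe(?=\s|$)', re.IGNORECASE)

def parse_listing(text):
    """Return {registry key: default value} from [KEY] / @="..." lines."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            entries[key] = line[3:-1].replace('\\"', '"')  # unescape \"
    return entries

def split_command(cmd):
    """(executable, arguments) as the developer intended the line to parse."""
    if cmd.startswith('"'):                  # properly quoted: unambiguous
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_END.search(cmd)                  # unquoted: stop at the first .exe
    cut = m.end() if m else len(cmd)
    return cmd[:cut], cmd[cut:].strip()

def is_unquoted_with_spaces(cmd):
    """CWE-428: the executable path contains spaces but is not quoted."""
    return not cmd.startswith('"') and ' ' in split_command(cmd)[0]

def probe_candidates(cmd):
    """Paths CreateProcess tries before the intended one (monitor/deny them)."""
    parts = split_command(cmd)[0].split(' ') if is_unquoted_with_spaces(cmd) else []
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]

def quote_command(cmd):
    """Hardened form per the MSDN guidance quoted above: quote the path."""
    exe, args = split_command(cmd)
    return f'"{exe}" {args}'.rstrip()

def audit(text):  # every flagged key -> its corrected command line
    return {k: quote_command(v) for k, v in parse_listing(text).items()
            if is_unquoted_with_spaces(v)}
```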