Airscanner Mobile Security Advisory #05101001: iTunes Shared Music Denial of Service/Spoofing/Flooding/Abuse

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Airscanner Mobile Security Advisory #05101001: iTunes Shared Music Denial of Service/Spoofing/Flooding/Abuse
From: Seth Fogie <seth@xxxxxxxxxxxxxx>
Date: Fri, 14 Oct 2005 11:08:37 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

*Airscanner Mobile Security Advisory #05101001:
iTunes 6.0 Shared Music Denial of Service/Spoofing/Flooding/Abuse*

*Demo:*

The following is a link to a Flash demo in which we demonstrate thevulnerability. (link to flash demo<http://www.airscanner.com/security/itwns2.html>)


*URL:
*http://www.airscanner.com/security/05101001_itunes.htm

*Product:*
iTunes 6.0

*Platform:*
Tested on Windows XP and OSX

*Requirements:*

Nemesis for spoofing. Perl for the scripting environment. iTunes oneither OSX or Windows.


* Credits:*
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
Mobile Antivirus Researchers Association
http://www.mobileav.org
October 10, 2005

* Risk Level:*

Low: Denial of service (Shared Music anonymous forced disconnect) andlist abuse attacks are both merely annoying to iTunes users.Medium: Shared Music lists from various users can be renamed andswapped, thus creating an environment in which you can't be sure to whomyou are connecting.

*
* *Summary:*

iTunes is a popular service allowing you to play music, buy music,download music, share music, create playlists, etc.; it includes a videoplayer and other features: http://www.itunes.com

The iTunes Shared Music feature allows users on a network to createplaylists from songs on their computer and to share them on the network.When you create a new list and enable sharing, other iTunes users willsee your lists under the Shared Music list, unless they change theirpreferences from the default settings. We discovered that it is possibleto create spoofed Shared Music entries, to rename existing entries, todisconnect existing entries, and to re-initiate existing lists. We canalso kill an existing stream without authorization via an anonymous packet.

*
* *Details:*

iTunes Shared Music Entry Spoofing: It is possible to create fake SharedMusic entries by spoofing fake domain/list names and IP addresses insidean MDNS packet that is used to broadcast existing lists. This spoofingattack can be scripted to post numerous entries to specific or alliTunes users on a network (flooding). By repeated excessive posting ofShared Music Entries, we were able to create a major system load onsystems using iTunes.

iTunes Shared Music Entry Rename: It is possible to rename a valid entryacross the network by spoofing the IP of the originating computer. Withthis power, we can swap existing Shared Music Entries and trick peopleinto connecting to the wrong list.

iTunes Shared Music Entry Time To Live Spoofing: It is possible to resetthe TTL value of existing lists (or new lists), thus allowing anattacker to set the TTL on an existing list to one second, resulting inthe list being removed from all client computers, even if a song iscurrently being shared.

In order to spoof entries, you have to first send a SVR packet out withall the appropriate information, which must then be followed by aspoofed response packet to convince other iTunes clients that the firstpacket was real. In order to create spoofed lists, or to alter existinglists, you must also spoof the originating IP. The IP does not have tobe on the local subnet.

For an example of what is possible, we have recorded a session in ratherlarge swf files. Click here<http://www.airscanner.com/security/itwns2.html> or here for the 2MB webbased video. Screen shot of a multi-spoof<http://www.airscanner.com/security/images/itunes.JPG> also available.


*Credits and Thanks:

*Special thanks to the creators of nemesis, without which this testingwould have been much more difficult. We also would like to acknowledgethe creators of Ethereal for an excellent sniffer.


* Workaround:*
Disable 'Look for shared music' option under the Sharing tab in Preferences.

*Vendor Response:*
Awaiting Response.

Copyright (c) 2005 Airscanner Corp.

Permission is granted for the redistribution of this alertelectronically. It may not be edited in any way without the expresswritten consent of Airscanner Corp. If you wish to reprint the whole orany part of this alert in any other medium other than electronically,please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurateat the time of publishing based on currently available information. Useof the information constitutes acceptance for use on an AS IS condition.There are no warranties with regard to this information. Neither theauthor nor the publisher accepts any liability for any direct, indirect,or consequential loss or damage arising from use of, or reliance on,this information.

Prev by Date: Gallery 2.x Remote File Access Vulnerability
Next by Date: MDKSA-2005:183 - Updated wget packages fix NTLM authentication vulnerability
Previous by thread: Gallery 2.x Remote File Access Vulnerability
Next by thread: MDKSA-2005:183 - Updated wget packages fix NTLM authentication vulnerability
Index(es):
- Date
- Thread