Elevation of Privilege Vulnerability in iTunes for Windows=0D
----------------------------------------------------------=0D
=0D
March 31th, 2010=0D
=0D
========0D
Summary=0D
========0D
Name: Elevation of Privilege Vulnerability in iTunes for Windows=0D
Release Date: March 31th, 2010=0D
Discoverer: Jason Geffner=0D
Vendor: Apple Inc.=0D
Systems Affected: iTunes 9.0.0, iTunes 9.0.1, iTunes 9.0.2, iTunes 9.0.3=0D
                  (version previous to iTunes 9.0.0 not tested)=0D
Risk: High=0D
Apple Security Advisory ID: APPLE-SA-2010-03-30-2 [1]=0D
Apple Knowledge Base Article: HT4105 [2]=0D
CVE-ID: CVE-2010-0532=0D
Status: Published=0D
=0D
=============0D
Introduction=0D
=============0D
This paper discusses how an unprivileged local attacker can elevate their=0D
privileges during an initial installation or update of iTunes for Windows. This=0D
vulnerability was responsibly disclosed to Apple Inc. and this advisory was not=0D
released until a fixed build of iTunes was released.=0D
=0D
===========0D
Background=0D
===========0D
"iTunes is a proprietary digital media player application, used for playing and=0D
organizing digital music and video files. The program is also an interface to=0D
manage the contents on Apple's popular iPod and other digital media players=0D
such as the iPhone and iPad. Additionally, iTunes can connect to the iTunes=0D
Store via the Internet to purchase and download music, music videos, television=0D
shows, applications, iPod games, audiobooks, podcasts, feature length films and=0D
movie rentals (not available in all countries), and ringtones (only used for=0D
iPhone). It is also used to download applications for the iPhone and iPod touch=0D
running iPhone OS 2.0 or later." [3]=0D
=0D
=========0D
Timeline=0D
=========0D
09/22/09 iTunes 9.0.1 released=0D
10/22/09 Elevation of privilege vulnerability discovered in iTunes 9.0.1=0D
10/22/09 Detailed vulnerability report responsibly disclosed to Apple Inc.=0D
10/22/09 Automated response received from Apple Inc.=0D
10/28/09 Automated response received from Apple Inc.=0D
10/29/09 iTunes 9.0.2 released=0D
12/23/09 Status request sent to Apple Inc.=0D
01/06/10 First personal response formally received from Apple Inc.=0D
02/01/10 iTunes 9.0.3 released=0D
03/30/10 iTunes 9.1.0 released, fixing elevation of privilege vulnerability=0D
03/31/10 Advisory released=0D
=0D
==============0D
Vulnerability=0D
==============0D
Upon first-time installation, iTunes installs GEAR Software ASPI driver=0D
components and Microsoft Driver Install Frameworks API components in =0D
"%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86"=0D
for 32-bit installations and in "%ALLUSERSPROFILE%\Application Data\=0D
{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64" for 64-bit installations. The=0D
installer installs in this directory DifXInstall32.exe or DifXInstall64.exe for=0D
32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other=0D
files. After the installer writes these files to the directory, it will execute=0D
DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a=0D
privileged user.=0D
=0D
On a standard Windows installation, unprivileged users have write-access to=0D
"%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes=0D
installation, an unprivileged attacker can create these directories and place a=0D
malicious executable at "%ALLUSERSPROFILE%\Application Data\=0D
{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe" or=0D
"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64\=0D
DifXInstall64.exe", which could for example add the unprivileged attacker to=0D
the Administrators group in Windows when DifXInstall32.exe or DifXInstall64.exe=0D
is executed by a privileged user. During installation, the installer won't=0D
overwrite an existing DifXInstall32.exe or DifXInstall64.exe; it will execute=0D
the existing program in the context of Local System.=0D
=0D
On the other hand, if iTunes is already installed on the system, an=0D
unprivileged attacker won't have access to overwrite DifXInstall32.exe,=0D
DifXInstall64.exe, or DIFxAPI.dll. However, unprivileged attackers still have=0D
write-access to create new files in "%ALLUSERSPROFILE%\Application Data\=0D
{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86" or "%ALLUSERSPROFILE%\=0D
Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64". Therefore, an=0D
unprivileged attacker could place into the directory a malicious DLL that=0D
DifXInstall32.exe, DifXInstall64.exe, or DIFxAPI.dll depends on. For example,=0D
DIFxAPI.dll imports setupapi.dll; an unprivileged attacker could place a=0D
malicious setupapi.dll file into that directory such that when=0D
DifXInstall32.exe or DifXInstall64.exe is executed, it loads DIFxAPI.dll, which=0D
in turn loads the malicious setupapi.dll, which could for example add the=0D
unprivileged attacker to the Administrators group in Windows when=0D
DifXInstall32.exe or DifXInstall64.exe is executed by a privileged user. When=0D
an existing iTunes installation is updated to a newer version, the update=0D
installer will execute DifXInstall32.exe or DifXInstall64.exe in the context of=0D
Local System.=0D
=0D
========0D
Exploit=0D
========0D
Ideally, the attacker's DLL should have all the functionality of the DLL that=0D
the application expected to load, including the same exported functions. An=0D
attacker can patch the original DLL so that the attacker's code runs before the=0D
DLL's original DllMain code is executed, after which the original DllMain code=0D
is called. This allows the DLL to continue to operate as normal.=0D
=0D
The program at http://www.malwareanalysis.com/releases/dllpatcher.zip [4] can be=0D 
used to redirect a given DLL's entrypoint (which originally pointed to DllMain)=0D
to point to code that has been patched into the DLL. This patched-in code will=0D
add a given user to the Administrators group in Windows (assuming that it's=0D
being run in the context of a privileged user), after which it will transfer=0D
control back to the DLL's original DllMain. The patcher also updates the Import=0D
Table for the DLL since the patched-in code relies on the function=0D
NetLocalGroupAddMembers(...) from netapi32.dll. The only other side effect of=0D
the patcher is that it clears the Bound Imports for the DLL; the only adverse=0D
side effect of this is that this may cause the DLL to take a few extra=0D
milliseconds to load.=0D
=0D
The patcher is compatible with both 32-bit and 64-bit DLLs and displays usage=0D
instructions when executed without command line arguments.=0D
=0D
As an example, an attacker could use this patcher as follows to patch=0D
setupapi.dll so that it will add unprivileged user MyComputer\Jason to the=0D
Administrators group when the DLL is loaded by a privileged user:=0D
=0D
DllPatcher.exe %WINDIR%\system32\setupapi.dll "%ALLUSERSPROFILE%\Application =0D
Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\setupapi.dll" MyComputer\Jason=0D
=0D
===========0D
Conclusion=0D
===========0D
Proper ACLs should be used to prevent such elevation of privilege attacks and=0D
great care should be taken when choosing which directories to use for=0D
executable files.=0D
=0D
NGSSoftware would like to thank Alex Ionescu for his assistance in=0D
communications with the Apple Product Security Team.=0D
=0D
================0D
Fix Information=0D
================0D
This issue has now been resolved. iTunes 9.1.0 can be downloaded from:=0D
http://www.apple.com/itunes/download=0D 
=0D
===========0D
References=0D
===========0D
[1] http://lists.apple.com/archives/security-announce/2010/Mar/msg00003.html=0D 
[2] http://support.apple.com/kb/HT4105=0D 
[3] http://en.wikipedia.org/wiki/ITunes=0D 
[4] http://www.malwareanalysis.com/releases/dllpatcher.zip=0D 
=0D
NGSSoftware Insight Security Research=0D
http://www.ngssoftware.com/=0D 
http://www.databasesecurity.com/=0D 
http://www.nextgenss.com/=0D 
+44(0)208 401 0070