Elevation of Privilege Vulnerability in iTunes for Windows
----------------------------------------------------------

March 31st, 2010

=======
Summary
=======
Name: Elevation of Privilege Vulnerability in iTunes for Windows
Release Date: March 31st, 2010
Discoverer: Jason Geffner
Vendor: Apple Inc.
Systems Affected: iTunes 9.0.0, iTunes 9.0.1, iTunes 9.0.2, iTunes 9.0.3
(versions prior to iTunes 9.0.0 not tested)
Risk: High
Apple Security Advisory ID: APPLE-SA-2010-03-30-2 [1]
Apple Knowledge Base Article: HT4105 [2]
CVE-ID: CVE-2010-0532
Status: Published

============
Introduction
============
This paper discusses how an unprivileged local attacker can elevate their
privileges during an initial installation or update of iTunes for Windows. This
vulnerability was responsibly disclosed to Apple Inc., and this advisory was not
released until a fixed build of iTunes had been released.

==========
Background
==========
"iTunes is a proprietary digital media player application, used for playing and
organizing digital music and video files. The program is also an interface to
manage the contents on Apple's popular iPod and other digital media players
such as the iPhone and iPad. Additionally, iTunes can connect to the iTunes
Store via the Internet to purchase and download music, music videos, television
shows, applications, iPod games, audiobooks, podcasts, feature length films and
movie rentals (not available in all countries), and ringtones (only used for
iPhone). It is also used to download applications for the iPhone and iPod touch
running iPhone OS 2.0 or later." [3]

========
Timeline
========
09/22/09 iTunes 9.0.1 released
10/22/09 Elevation of privilege vulnerability discovered in iTunes 9.0.1
10/22/09 Detailed vulnerability report responsibly disclosed to Apple Inc.
10/22/09 Automated response received from Apple Inc.
10/28/09 Automated response received from Apple Inc.
10/29/09 iTunes 9.0.2 released
12/23/09 Status request sent to Apple Inc.
01/06/10 First personal response formally received from Apple Inc.
02/01/10 iTunes 9.0.3 released
03/30/10 iTunes 9.1.0 released, fixing elevation of privilege vulnerability
03/31/10 Advisory released

=============
Vulnerability
=============
Upon first-time installation, iTunes installs GEAR Software ASPI driver
components and Microsoft Driver Install Frameworks (DIFx) API components in
"%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86"
for 32-bit installations and in
"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64"
for 64-bit installations. The installer places in this directory
DifXInstall32.exe or DifXInstall64.exe for 32-bit or 64-bit installations,
respectively, along with DIFxAPI.dll and other files. After the installer writes
these files to the directory, it executes DifXInstall32.exe or DifXInstall64.exe
in the context of Local System, a privileged user.

On a standard Windows installation, unprivileged users have write access to
"%ALLUSERSPROFILE%\Application Data".
As such, prior to a first-time iTunes installation, an unprivileged attacker
can create these directories and place a malicious executable at
"%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe"
or
"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64\DifXInstall64.exe",
which could, for example, add the unprivileged attacker to the Administrators
group in Windows when DifXInstall32.exe or DifXInstall64.exe is executed by a
privileged user. During installation, the installer won't overwrite an existing
DifXInstall32.exe or DifXInstall64.exe; it will execute the existing program in
the context of Local System.

On the other hand, if iTunes is already installed on the system, an
unprivileged attacker won't have access to overwrite DifXInstall32.exe,
DifXInstall64.exe, or DIFxAPI.dll. However, unprivileged attackers still have
write access to create new files in
"%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86"
or
"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64".
Therefore, an unprivileged attacker could place into the directory a malicious
DLL that DifXInstall32.exe, DifXInstall64.exe, or DIFxAPI.dll depends on. For
example, DIFxAPI.dll imports setupapi.dll; an unprivileged attacker could place
a malicious setupapi.dll into that directory so that when DifXInstall32.exe or
DifXInstall64.exe is executed, it loads DIFxAPI.dll, which in turn loads the
malicious setupapi.dll, which could, for example, add the unprivileged attacker
to the Administrators group in Windows when DifXInstall32.exe or
DifXInstall64.exe is executed by a privileged user.
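The following script is an added example for this page, not code from the
NGSSoftware advisory or from Apple. It audits the two staging directories named
above for the two conditions the advisory describes (a low-privilege principal
able to pre-create the directory before the first install, or able to add files
such as a rogue setupapi.dll next to DIFxAPI.dll after install) and shows one
way an administrator could lock such a directory down. The function names
Test-ItunesStagingDir, Get-LowPrivWriteRules and Protect-StagingDir, the list of
expected files, and the use of icacls.exe for remediation are this example's own
assumptions; the paths are the ones the advisory gives.

```powershell
# Added example (not part of the advisory or Apple's fix). Written for
# Windows PowerShell 2.0 and later; Protect-StagingDir needs icacls.exe
# (Vista and later) and an elevated prompt.

$StagingDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64')
)

# Files the installer legitimately drops (taken from the advisory). Anything else
# in the directory, e.g. a setupapi.dll beside DIFxAPI.dll, is a planted file.
$ExpectedFiles = @('DifXInstall32.exe', 'DifXInstall64.exe', 'DIFxAPI.dll')

# Low-privilege principals, matched by SID so localized group names do not
# matter: Everyone, Authenticated Users, BUILTIN\Users.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Any of these bits lets a principal create or replace files in the directory.
# Modify and FullControl contain them, so the bitwise test below catches those too.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
             [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor `
             [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-LowPrivWriteRules {
    # Returns every Allow ACE on $Path that gives a low-privilege SID write rights.
    param([Parameter(Mandatory=$true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity: not one of ours
        if (($LowPrivSids -contains $sid) -and ((([int]$rule.FileSystemRights) -band $WriteBits) -ne 0)) {
            New-Object PSObject -Property @{
                Path     = $Path
                Identity = $rule.IdentityReference.Value
                Rights   = $rule.FileSystemRights
            }
        }
    }
}

function Test-ItunesStagingDir {
    # Returns a list of finding strings for one staging directory (empty = clean).
    param([Parameter(Mandatory=$true)][string]$Path)
    $findings = @()
    if (Test-Path -LiteralPath $Path -PathType Container) {
        # Post-install case: the installer's files exist. Look for planted extras
        # and for ACEs that would let a standard user add more.
        $extra = Get-ChildItem -LiteralPath $Path |
                 Where-Object { (-not $_.PSIsContainer) -and ($ExpectedFiles -notcontains $_.Name) }
        foreach ($f in $extra) {
            $findings += "Unexpected file $($f.FullName) (possible planted DLL)"
        }
        foreach ($r in @(Get-LowPrivWriteRules -Path $Path)) {
            $findings += "$($r.Identity) can write to $Path ($($r.Rights))"
        }
    } else {
        # Pre-install case: the directory does not exist yet. If a low-privilege
        # principal can create it under the nearest existing parent, an attacker
        # can pre-stage DifXInstall32.exe/DifXInstall64.exe before the installer runs.
        $parent = Split-Path -Parent $Path
        while ($parent -and -not (Test-Path -LiteralPath $parent -PathType Container)) {
            $parent = Split-Path -Parent $parent
        }
        if ($parent) {
            foreach ($r in @(Get-LowPrivWriteRules -Path $parent)) {
                $findings += "$($r.Identity) can pre-create $Path under $parent ($($r.Rights))"
            }
        }
    }
    return $findings
}

function Protect-StagingDir {
    # Illustrative hardening, not Apple's fix: stop inheriting the permissive ACL
    # from "Application Data", then grant SYSTEM and Administrators full control
    # and Users read/execute only. A leading * tells icacls the name is a SID.
    param([Parameter(Mandatory=$true)][string]$Path)
    & icacls.exe $Path /inheritance:r `
        /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }
}

foreach ($dir in $StagingDirs) {
    $issues = @(Test-ItunesStagingDir -Path $dir)
    if ($issues.Count -eq 0) { "OK   $dir" } else { $issues | ForEach-Object { "WARN $_" } }
}
# To lock an existing directory down from an elevated prompt, for example:
# Protect-StagingDir -Path $StagingDirs[0]
```

Run the audit once before iTunes is first installed (to see whether the
directories can be pre-created) and again afterwards (to catch files added
beside DIFxAPI.dll). Protect-StagingDir is a stop-gap for a directory that
already exists; it does not help the first-install case, where the real fix is
the vendor's installer not executing from a user-writable location at all.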
When an existing iTunes installation is updated to a newer version, the update
installer will execute DifXInstall32.exe or DifXInstall64.exe in the context of
Local System.

=======
Exploit
=======
Ideally, the attacker's DLL should have all the functionality of the DLL that
the application expected to load, including the same exported functions. An
attacker can patch the original DLL so that the attacker's code runs before the
DLL's original DllMain code is executed, after which the original DllMain code
is called. This allows the DLL to continue to operate as normal.

The program at http://www.malwareanalysis.com/releases/dllpatcher.zip [4] can be
used to redirect a given DLL's entrypoint (which originally pointed to DllMain)
to point to code that has been patched into the DLL. This patched-in code will
add a given user to the Administrators group in Windows (assuming that it is
being run in the context of a privileged user), after which it will transfer
control back to the DLL's original DllMain. The patcher also updates the Import
Table for the DLL, since the patched-in code relies on the function
NetLocalGroupAddMembers(...) from netapi32.dll.
The only other side effect of the patcher is that it clears the Bound Imports
for the DLL; the only adverse consequence of this is that the DLL may take a
few extra milliseconds to load.

The patcher is compatible with both 32-bit and 64-bit DLLs and displays usage
instructions when executed without command line arguments.

As an example, an attacker could use this patcher as follows to patch
setupapi.dll so that it will add the unprivileged user MyComputer\Jason to the
Administrators group when the DLL is loaded by a privileged user:

DllPatcher.exe %WINDIR%\system32\setupapi.dll "%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\setupapi.dll" MyComputer\Jason

==========
Conclusion
==========
Proper ACLs should be used to prevent such elevation of privilege attacks, and
great care should be taken when choosing which directories to use for
executable files.

NGSSoftware would like to thank Alex Ionescu for his assistance in
communications with the Apple Product Security Team.

===============
Fix Information
===============
This issue has now been resolved. iTunes 9.1.0 can be downloaded from:
http://www.apple.com/itunes/download

==========
References
==========
[1] http://lists.apple.com/archives/security-announce/2010/Mar/msg00003.html
[2] http://support.apple.com/kb/HT4105
[3] http://en.wikipedia.org/wiki/ITunes
[4] http://www.malwareanalysis.com/releases/dllpatcher.zip

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070