*Airscanner Mobile Security Advisory #05101001:
iTunes 6.0 Shared Music Denial of Service/Spoofing/Flooding/Abuse*
*Demo:*
The following is a link to a Flash demo in which we demonstrate the
vulnerability. (link to flash demo)
*URL:*
http://www.airscanner.com/security/05101001_itunes.htm
*Product:*
iTunes 6.0
*Platform:*
Tested on Windows XP and OSX
*Requirements:*
Nemesis for spoofing. Perl for the scripting environment. iTunes on
either OSX or Windows.
*Credits:*
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
Mobile Antivirus Researchers Association
http://www.mobileav.org
October 10, 2005
*Risk Level:*
Low: Denial of service (Shared Music anonymous forced disconnect) and
list abuse attacks are both merely annoying to iTunes users.
Medium: Shared Music lists from various users can be renamed and
swapped, thus creating an environment in which you can't be sure to whom
you are connecting.
*Summary:*
iTunes is a popular service allowing you to play music, buy music,
download music, share music, create playlists, etc.; it includes a video
player and other features: http://www.itunes.com
The iTunes Shared Music feature allows users on a network to create
playlists from songs on their computer and to share them on the network.
When you create a new list and enable sharing, other iTunes users will
see your lists under the Shared Music list, unless they change their
preferences from the default settings. We discovered that it is possible
to create spoofed Shared Music entries, to rename existing entries, to
disconnect existing entries, and to re-initiate existing lists. We can
also kill an existing stream without authorization via an anonymous packet.
*Details:*
iTunes Shared Music Entry Spoofing: It is possible to create fake Shared
Music entries by spoofing domain/list names and IP addresses inside the
mDNS packet that is used to announce existing lists. This spoofing
attack can be scripted to post numerous entries to specific or all
iTunes users on a network (flooding). By repeatedly posting excessive
numbers of Shared Music entries, we were able to create a major system
load on systems running iTunes.
iTunes Shared Music Entry Rename: It is possible to rename a valid entry
across the network by spoofing the IP of the originating computer. With
this power, we can swap existing Shared Music Entries and trick people
into connecting to the wrong list.
iTunes Shared Music Entry Time To Live Spoofing: It is possible to reset
the TTL value of existing lists (or new lists), thus allowing an
attacker to set the TTL on an existing list to one second, resulting in
the list being removed from all client computers, even if a song is
currently being shared.
In order to spoof entries, you first have to send out an SRV packet with
all the appropriate information, which must then be followed by a
spoofed response packet to convince other iTunes clients that the first
packet was real. In order to create spoofed lists, or to alter existing
lists, you must also spoof the originating IP; the IP does not have to
be on the local subnet.
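The abuse patterns above (off-subnet announcers, TTL-1 "goodbye" records that make a list vanish, a list name re-announced from a different host, a host re-announced under a new name, and announcement floods) are all visible to a passive sniffer on the mDNS multicast port. The following detector is an added example written for this advisory, not Airscanner's code or any iTunes component; it parses the PTR and SRV records of DNS-SD announcements for the `_daap._tcp.local` service type that iTunes sharing registers, and the packets it is fed are constructed inline for the demonstration. The subnet, host names and flood threshold are assumed values.

```python
"""Passive detector for the anomalous DNS-SD (mDNS) announcements described
in the advisory. Added example, not Airscanner's code; every packet below
is constructed for the demonstration."""
import ipaddress
import struct
from collections import Counter

DAAP_SERVICE = "_daap._tcp.local"  # DNS-SD service type registered by iTunes sharing
TYPE_PTR, TYPE_SRV = 12, 33


def encode_name(name):
    """Encode a dotted name in DNS label format (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"


def build_announcement(instance, host, port, ttl):
    """Constructed mDNS response carrying the PTR and SRV records of one shared list."""
    fqdn = f"{instance}.{DAAP_SERVICE}"
    ptr_rdata = encode_name(fqdn)
    srv_rdata = struct.pack("!HHH", 0, 0, port) + encode_name(host)  # priority, weight, port, target
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)  # authoritative response, 2 answers
    ptr = encode_name(DAAP_SERVICE) + struct.pack("!HHIH", TYPE_PTR, 0x8001, ttl, len(ptr_rdata)) + ptr_rdata
    srv = encode_name(fqdn) + struct.pack("!HHIH", TYPE_SRV, 0x8001, ttl, len(srv_rdata)) + srv_rdata
    return header + ptr + srv


def read_name(buf, off):
    """Decode a DNS name at buf[off], following compression pointers; returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we left off, then jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_records(pkt):
    """Return (type, name, ttl, data) for every PTR and SRV resource record in an mDNS packet."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, records = 12, []
    for _ in range(qd):  # skip question entries: name + type + class
        _, off = read_name(pkt, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata_off, off = off + 10, off + 10 + rdlen
        if rtype == TYPE_PTR:
            records.append(("PTR", name, ttl, read_name(pkt, rdata_off)[0]))
        elif rtype == TYPE_SRV:
            port = struct.unpack("!H", pkt[rdata_off + 4:rdata_off + 6])[0]
            records.append(("SRV", name, ttl, (read_name(pkt, rdata_off + 6)[0], port)))
    return records


class ShareMonitor:
    """Tracks who announces which shared list and flags the advisory's abuse patterns."""

    def __init__(self, local_net, flood_threshold=20):
        self.local_net = ipaddress.ip_network(local_net)  # assumed: the LAN the sniffer sits on
        self.flood_threshold = flood_threshold  # announcements from one source before alerting
        self.owner = {}     # instance fqdn -> (src_ip, host, port) of the last announcer
        self.by_host = {}   # (host, port) -> instance fqdn last seen for that host
        self.per_source = Counter()

    def inspect(self, src_ip, pkt):
        """Inspect one announcement from src_ip; return a list of human-readable alerts."""
        alerts = []
        if ipaddress.ip_address(src_ip) not in self.local_net:
            alerts.append(f"off-subnet source {src_ip} announcing shared music")
        self.per_source[src_ip] += 1
        if self.per_source[src_ip] == self.flood_threshold:
            alerts.append(f"flood: {self.flood_threshold} announcements from {src_ip}")
        for rtype, name, ttl, data in parse_records(pkt):
            if rtype != "SRV" or not name.endswith(DAAP_SERVICE):
                continue
            host, port = data
            if ttl <= 1:  # goodbye record: every client drops the list immediately
                alerts.append(f"goodbye (TTL={ttl}) for '{name}' from {src_ip}")
                continue
            prev = self.owner.get(name)
            if prev and prev != (src_ip, host, port):
                alerts.append(f"swap: '{name}' now from {src_ip} ({host}:{port}), was {prev[0]} ({prev[1]}:{prev[2]})")
            old_name = self.by_host.get((host, port))
            if old_name and old_name != name:
                alerts.append(f"rename: {host}:{port} now '{name}', was '{old_name}'")
            self.owner[name] = (src_ip, host, port)  # record the latest claim so later changes are visible
            self.by_host[(host, port)] = name
        return alerts
```

In deployment the `inspect` calls would be fed from a capture on UDP port 5353 (source address from the IP header, payload as `pkt`); the first legitimate announcement of each list seeds the ownership tables, and any later announcement that contradicts them is what the advisory's spoofed SRV and response packets look like on the wire. The swap and rename checks deliberately keep updating the tables after an alert so that a second contradictory announcement is reported as well rather than silently accepted.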
For an example of what is possible, we have recorded a session in rather
large SWF files and as a 2MB web-based video; a screen shot of a
multi-spoof is also available.
*Credits and Thanks:*
Special thanks to the creators of nemesis, without which this testing
would have been much more difficult. We also would like to acknowledge
the creators of Ethereal for an excellent sniffer.
*Workaround:*
Disable the 'Look for shared music' option under the Sharing tab in
Preferences.
*Vendor Response:*
Awaiting Response.
Copyright (c) 2005 Airscanner Corp.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Airscanner Corp. If you wish to reprint the whole or
any part of this alert in any medium other than electronically, please
contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use on an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.