Vulnerabilities > CVE-2006-1467 - Numeric Errors vulnerability in Apple iTunes
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Integer overflow in the AAC file parsing code in Apple iTunes before 6.0.5 on Mac OS X 10.2.8 or later, and Windows XP and 2000, allows remote user-assisted attackers to execute arbitrary code via an AAC (M4P, M4A, or M4B) file with a sample table size (STSZ) atom with a "malformed" sample_size_table value.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Windows
NASL id ITUNES_605.NASL
description The remote host is running Apple iTunes, a popular media player. The remote version of iTunes is vulnerable to an integer overflow when it parses a specially crafted AAC file. By tricking a user into opening such a file, a remote attacker may be able to leverage this issue to execute arbitrary code on the affected host, subject to the privileges of the user running the application.
last seen 2020-06-01
modified 2020-06-02
plugin id 21782
published 2006-06-30
reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/21782
title Apple iTunes AAC File Parsing Integer Overflow (credentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

# Credentialed Windows check for CVE-2006-1467.
#
# The script reads the iTunes.exe "open" command from the remote registry
# over SMB, opens that executable through the drive's "<letter>$" share,
# reads its file version and reports when the version is below 6.0.5.
# It is a version comparison only: no AAC file is parsed or sent.
#
# Coverage caveat: every failure path below (share not reachable, registry
# not reachable, key missing, file not readable) ends without a finding.
# A clean result therefore means "not flagged", not "confirmed patched".

include("compat.inc");

# Metadata pass: registers the plugin attributes and leaves via exit(0)
# before any network activity.
if (description)
{
  script_id(21782);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id("CVE-2006-1467");
  script_bugtraq_id(18730);

  script_name(english:"Apple iTunes AAC File Parsing Integer Overflow (credentialed check)");
  script_summary(english:"Check the version of iTunes");

  script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains an application that is affected by a remote code execution flaw.");
  script_set_attribute(attribute:"description", value: "The remote host is running Apple iTunes, a popular media player. The remote version of iTunes is vulnerable to an integer overflow when it parses a specially crafted AAC file. 
By tricking a user into opening such a file, a remote attacker may be able to leverage this issue to execute arbitrary code on the affected host, subject to the privileges of the user running the application.");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10781");
  script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2006/Jun/msg00001.html");
  script_set_attribute(attribute:"solution", value:"Upgrade to Apple iTunes 6.0.5 or later.");
  # CVSS v2 base vector as declared: network vector, high access complexity,
  # no authentication, partial confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  # Temporal vector: exploitability unproven, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/30");
  # "local": the verdict comes from data read on the host with credentials.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  # Runs only after smb_hotfixes.nasl and only when the registry was
  # enumerated, over the SMB ports 139/445.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_func.inc");
include("audit.inc");

# Connect to the appropriate share.
# Without an enumerated registry there is nothing to query: leave silently.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
# SMB target name, transport port and credentials come from the knowledge base.
name = kb_smb_name();
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

# Session setup failure is the only error reported through audit(); the
# failures further down exit quietly.
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
# IPC$ is attached first because the registry is queried through it.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) { NetUseDel(); exit(0); }

# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm)) { NetUseDel(); exit(0); }

# Get some info about the install.
# The install is located through the shell "open" command registered for
# iTunes.exe; item:NULL presumably requests the key's default value and
# item[1] its data -- confirm against smb_func.inc.
exe = NULL;
key = "SOFTWARE\Classes\Applications\iTunes.exe\shell\open\command";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  item = RegQueryValue(handle:key_h, item:NULL);
  if (!isnull(item)) exe = item[1];
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);

# If it is...
# (exe stays NULL when the key or its value is missing, and the whole
# version check is then skipped.)
if (exe)
{
  # Determine its version from the executable itself.
  # 1) keep only the quoted path, dropping the quotes and any arguments;
  # 2) turn the drive letter into its "<letter>$" share name;
  # 3) strip the drive letter so the path is relative to that share.
  # NOTE(review): the first pattern only matches a command that starts with
  # a quoted path. For an unquoted command with arguments the path would
  # presumably keep those arguments, the open below would fail and nothing
  # would be reported -- confirm how ereg_replace treats a non-match.
  exe = ereg_replace(pattern:'^"([^"]+)".*$', replace:"\1", string:exe);
  share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:exe);
  exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:exe);

  # Switch from IPC$ to the drive share; the scan account needs access to
  # that share or the script ends here without a finding.
  NetUseDel(close:FALSE);
  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1) { NetUseDel(); exit(0); }

  # The executable is opened read-only and must already exist.
  fh = CreateFile( file:exe, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING );
  # ver is assigned only when the file could be opened; it is never
  # assigned on the failure path, which the isnull() test below relies on.
  if (!isnull(fh))
  {
    ver = GetFileVersion(handle:fh);
    CloseFile(handle:fh);
  }

  # There's a problem if the version is before 6.0.5.
  # Flags any major version below 6, and 6.0.x with x below 5.
  if (!isnull(ver))
  {
    if ( ver[0] < 6 || (ver[0] == 6 && ver[1] == 0 && ver[2] < 5) )
      security_warning(kb_smb_transport());
  }
}

# Clean up.
NetUseDel();
NASL family Peer-To-Peer File Sharing
NASL id ITUNES_605_BANNER.NASL
description The version of Apple iTunes running on the remote host is affected by an integer overflow vulnerability when it parses specially crafted AAC files. By convincing a user to open such a file, a remote attacker can execute arbitrary code with the same level of privileges as the user.
last seen 2020-06-01
modified 2020-06-02
plugin id 21783
published 2006-06-30
reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/21783
title Apple iTunes AAC File Parsing Integer Overflow (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

# Uncredentialed check for CVE-2006-1467.
#
# The script does no probing of its own: it compares the iTunes version
# that itunes_sharing.nasl stored in the knowledge base with 6.0.5.
#
# Coverage caveat: the plugin requires the "iTunes/sharing" key, so a host
# for which the dependency recorded no sharing service is never evaluated
# here. Pair it with the credentialed check for such hosts.

include("compat.inc");

# Metadata pass: registers the plugin attributes and leaves via exit(0).
if (description)
{
  script_id(21783);
  script_version("1.20");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_cve_id("CVE-2006-1467");
  script_bugtraq_id(18730);

  script_name(english:"Apple iTunes AAC File Parsing Integer Overflow (uncredentialed check)");
  script_summary(english:"Checks the version of iTunes.");

  script_set_attribute(attribute:"synopsis", value: "The remote host contains an application that is affected by a code execution vulnerability.");
  script_set_attribute(attribute:"description", value: "The version of Apple iTunes running on the remote host is affected by an integer overflow vulnerability when it parses specially crafted AAC files. 
By convincing a user to open such a file, a remote attacker can execute arbitrary code with the same level of privileges as the user.");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10781");
  script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2006/Jun/msg00001.html");
  script_set_attribute(attribute:"solution", value:"Upgrade to Apple iTunes 6.0.5 or later.");
  # CVSS v2 base vector as declared: network vector, high access complexity,
  # no authentication, partial confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  # Temporal vector: exploitability unproven, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/30");
  # "remote": the verdict comes from what the service reports over the network.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Peer-To-Peer File Sharing");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  # Depends on the sharing-detection plugin and on its "iTunes/sharing" key;
  # 3689 is the port used as the default below.
  script_dependencies("itunes_sharing.nasl");
  script_require_keys("iTunes/sharing");
  script_require_ports("Services/www", 3689);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:3689, embedded:TRUE, ignore_broken:TRUE);

# All facts are read from per-port knowledge-base entries; going by the
# helper's name, a missing entry ends the plugin.
get_kb_item_or_exit("iTunes/" + port + "/enabled");
type = get_kb_item_or_exit("iTunes/" + port + "/type");
source = get_kb_item_or_exit("iTunes/" + port + "/source");
version = get_kb_item_or_exit("iTunes/" + port + "/version");

# Apple TV listeners are audited out as not vulnerable before any comparison.
if (type == 'AppleTV') audit(AUDIT_LISTEN_NOT_VULN, "iTunes on AppleTV", port, version);

fixed_version = "6.0.5";

# A result of -1 is taken to mean "version is lower than the fix".
# The verdict is only as reliable as the version string the dependency
# recorded for this port.
if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    # The verbose report names where the version came from, so an analyst
    # can judge how much to trust it.
    report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_LISTEN_NOT_VULN, "iTunes", port, version);
NASL family MacOS X Local Security Checks
NASL id MACOSX_ITUNES_OVERFLOW3.NASL
description The remote host is running iTunes, a popular jukebox program. The remote version of this software is vulnerable to an integer overflow when it parses specially crafted AAC files which may lead to the execution of arbitrary code. An attacker may exploit this flaw by sending a malformed AAC file to a user on the remote host and wait for him to play it with iTunes.
last seen 2020-06-01
modified 2020-06-02
plugin id 21781
published 2006-06-29
reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/21781
title iTunes < 6.0.5 AAC File Integer Overflow (Mac OS X)
code
#
# (C) Tenable Network Security, Inc.
#

# Local Mac OS X check for CVE-2006-1467.
#
# The script matches the "iTunes/Version" knowledge-base value, which is
# required from the dependency macosx_iTunes_Overflow.nasl, against a
# pattern describing versions below 6.0.5. It collects nothing itself.

# Leaves immediately when the engine does not define bn_random.
# NOTE(review): presumably a gate on engine capability -- confirm.
if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

# Metadata pass: registers the plugin attributes and leaves via exit(0).
if(description)
{
  script_id(21781);
  script_version ("1.17");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  script_cve_id("CVE-2006-1467");
  script_bugtraq_id(18730);

  script_name(english:"iTunes < 6.0.5 AAC File Integer Overflow (Mac OS X)");
  script_summary(english:"Check the version of iTunes");

  script_set_attribute(attribute:"synopsis", value: "The remote host contains an application that is affected by a remote code execution flaw." );
  script_set_attribute(attribute:"description", value: "The remote host is running iTunes, a popular jukebox program. The remote version of this software is vulnerable to an integer overflow when it parses specially crafted AAC files which may lead to the execution of arbitrary code. An attacker may exploit this flaw by sending a malformed AAC file to a user on the remote host and wait for him to play it with iTunes." 
);
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10781" );
  script_set_attribute(attribute:"solution", value: "Upgrade to iTunes 6.0.5 or newer" );
  # CVSS v2 base vector as declared: network vector, high access complexity,
  # no authentication, partial confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  # Temporal vector: exploitability unproven, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/06/29");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/06/29");
  # NOTE(review): this patch date (2006/06/23) differs from the 2006/06/29
  # given by plugin 21783 on the same page -- confirm against the advisory.
  script_set_attribute(attribute:"patch_publication_date", value: "2006/06/23");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_family(english:"MacOS X Local Security Checks");
  script_dependencies("macosx_iTunes_Overflow.nasl");
  script_require_keys("iTunes/Version");
  exit(0);
}

# No recorded version means nothing to evaluate: leave without a finding.
version = get_kb_item("iTunes/Version");
if ( ! version ) exit(0);

# The pattern flags: any version whose first component is a single digit
# 1-5, exactly "6.0", and "6.0.0" through "6.0.4".
# NOTE(review): because of the trailing "$", a string with a further
# component after 6.0.x (constructed example: "6.0.4.1") does not match and
# would not be flagged -- confirm the format stored in iTunes/Version.
if ( egrep(pattern:"^([1-5]\..*|6\.0($|\.[0-4]$))", string:version ))
  security_warning(0);
References
- http://docs.info.apple.com/article.html?artnum=303952
- http://www.zerodayinitiative.com/advisories/ZDI-06-020.html
- http://www.kb.cert.org/vuls/id/907836
- http://secunia.com/advisories/20891
- http://www.securityfocus.com/bid/18730
- http://securitytracker.com/id?1016413
- http://www.vupen.com/english/advisories/2006/2601
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27481
- http://www.securityfocus.com/archive/1/438812/100/0/threaded