Vulnerabilities > CVE-2008-3434 - Code Injection vulnerability in Apple Itunes

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
apple
CWE-94
nessus

Summary

Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_ITUNES_10_5_1.NASL
    descriptionThe version of iTunes installed on the remote Mac OS X host is earlier than 10.5.1. As such, it uses an unsecured HTTP connection when checking for or retrieving software updates, which could allow a man-in-the-middle attacker to provide a Trojan horse update that appears to originate from Apple.
    last seen2020-06-01
    modified2020-06-02
    plugin id56871
    published2011-11-18
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56871
    titleiTunes < 10.5.1 Update Authenticity Verification Weakness (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56871);
      script_version("1.8");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2008-3434");
      script_bugtraq_id(50672);
    
      script_name(english:"iTunes < 10.5.1 Update Authenticity Verification Weakness (Mac OS X)");
      script_summary(english:"Checks version of iTunes on Mac OS X");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host contains an application that is susceptible to a
    man-in-the-middle attack."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of iTunes installed on the remote Mac OS X host is
    earlier than 10.5.1.  As such, it uses an unsecured HTTP connection
    when checking for or retrieving software updates, which could allow a
    man-in-the-middle attacker to provide a Trojan horse update that
    appears to originate from Apple."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://seclists.org/bugtraq/2008/Jul/249"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://support.apple.com/kb/HT5030"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.apple.com/archives/security-announce/2011/Nov/msg00003.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to iTunes 10.5.1 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(94);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("macosx_itunes_detect.nasl");
      script_require_keys("Host/MacOSX/Version", "installed_sw/iTunes");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    app_info = vcf::get_app_info(app:"iTunes");
    
    constraints = [{"fixed_version" : "10.5.1"}];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyWindows
    NASL idITUNES_10_5_1.NASL
    descriptionThe version of Apple iTunes installed on the remote Mac OS X host is earlier than 10.5.1. As such, it uses an unsecured HTTP connection when checking for or retrieving software updates, which could allow a man-in-the-middle attacker to provide a Trojan horse update that appears to originate from Apple.
    last seen2020-06-01
    modified2020-06-02
    plugin id56872
    published2011-11-18
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56872
    titleApple iTunes < 10.5.1 Update Authenticity Verification Weakness (credentialed check)
  • NASL familyPeer-To-Peer File Sharing
    NASL idITUNES_10_5_1_BANNER.NASL
    descriptionThe version of Apple iTunes on the remote host is prior to version 10.5.1. It is, therefore, affected by a man-in-the-middle vulnerability due to using unsecured HTTP connections when checking for or retrieving software updates. A remote attacker can exploit this to execute arbitrary code by means of a trojan horse update that appears to originate from Apple.
    last seen2020-06-01
    modified2020-06-02
    plugin id56873
    published2011-11-18
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56873
    titleApple iTunes < 10.5.1 Update Authenticity Verification Weakness (uncredentialed check)

Oval

accepted2015-06-22T04:00:20.049-04:00
classvulnerability
contributors
  • nameShane Shaffer
    organizationG2, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
  • nameBernd Eggenmueller
    organizationbaramundi software
definition_extensions
commentApple iTunes is installed
ovaloval:org.mitre.oval:def:12353
descriptionApple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
familywindows
idoval:org.mitre.oval:def:17136
statusaccepted
submitted2013-07-30T11:32:03.685-04:00
titleApple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning
version7

Seebug

bulletinFamilyexploit
descriptionCVE ID:CVE-2008-3434 Apple iTunes是一款用于Mac和PC的一款免费应用程序。它可以播放你的全部音乐和视频内容。 Apple iTunes存在一个安全漏洞,允许恶意用户进行伪造攻击。 使用HTTP请求检查新的更新时软件升级机制存在缺陷,攻击者可以利用漏洞通过中间人攻击伪造更新。 要成功利用漏洞需要目标系统没有安装Apple Software Update。 Apple iTunes 10.x 厂商解决方案 Apple iTunes 10.5.1已经修复此漏洞,建议用户下载使用: http://www.apple.com
idSSV:23205
last seen2017-11-19
modified2011-11-16
published2011-11-16
reporterRoot
titleApple iTunes 10.x软件更新伪造漏洞