Vulnerabilities > CVE-2012-3726 - Resource Management Errors vulnerability in Apple Iphone OS

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
apple
CWE-399
nessus

Summary

Double free vulnerability in ImageIO in Apple iOS before 6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image.

Common Weakness Enumeration (CWE)

Nessus

NASL family: Gain a shell remotely
NASL id: APPLETV_5_1.NASL
description: According to its banner, the remote Apple TV 2nd generation or later device has a version of iOS that is prior to 5.1. It is, therefore, reportedly affected by several vulnerabilities : - An uninitialized memory access issue in the handling of Sorenson encoded movie files could lead to arbitrary code execution. (CVE-2012-3722) - Following the DNAv4 protocol, the device may broadcast MAC addresses of previously accessed networks when connecting to a Wi-Fi network. (CVE-2012-3725) - A buffer overflow in libtiff
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 62357
published: 2012-09-27
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/62357
title: Apple TV < 5.1 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Registration pass: when `description` is set the script only publishes
  # its metadata and exits, so the banner check further down never runs.
  script_id(62357);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  # The 21 CVEs this plugin reports; they are the same ones cited issue by
  # issue in the description text below.
  script_cve_id(
    "CVE-2011-1167",
    "CVE-2011-1944",
    "CVE-2011-2821",
    "CVE-2011-2834",
    "CVE-2011-3026",
    "CVE-2011-3048",
    "CVE-2011-3328",
    "CVE-2011-3919",
    "CVE-2011-4599",
    "CVE-2012-0682",
    "CVE-2012-0683",
    "CVE-2012-1173",
    "CVE-2012-3589",
    "CVE-2012-3590",
    "CVE-2012-3591",
    "CVE-2012-3592",
    "CVE-2012-3678",
    "CVE-2012-3679",
    "CVE-2012-3722",
    "CVE-2012-3725",
    "CVE-2012-3726"
  );
  script_bugtraq_id(
    46951,
    48056,
    49279,
    49658,
    49744,
    51006,
    51300,
    52049,
    52830,
    52891,
    54680,
    56264,
    56268,
    56273
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2012-09-24-1");

  script_name(english:"Apple TV < 5.1 Multiple Vulnerabilities");
  script_summary(english:"Checks version in banner");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by multiple vulnerabilities.");
  # Multi-line finding text shown to the user; keep the CVE references in
  # step with script_cve_id above when editing.
  script_set_attribute(attribute:"description", value:
"According to its banner, the remote Apple TV 2nd generation or later
device has a version of iOS that is prior to 5.1. It is, therefore,
reportedly affected by several vulnerabilities :

  - An uninitialized memory access issue in the handling of
    Sorenson encoded movie files could lead to arbitrary
    code execution. (CVE-2012-3722)

  - Following the DNAv4 protocol, the device may broadcast
    MAC addresses of previously accessed networks when
    connecting to a Wi-Fi network. (CVE-2012-3725)

  - A buffer overflow in libtiff's handling of ThunderScan
    encoded TIFF images could lead to arbitrary code
    execution. (CVE-2011-1167)

  - Multiple memory corruption issues in libpng's handling
    of PNG images could lead to arbitrary code execution.
    (CVE-2011-3026 / CVE-2011-3048 / CVE-2011-3328)

  - A double free issue in ImageIO's handling of JPEG
    images could lead to arbitrary code execution.
    (CVE-2012-3726)

  - An integer overflow issue in libTIFF's handling of TIFF
    images could lead to arbitrary code execution.
    (CVE-2012-1173)

  - A stack-based buffer overflow in the handling of ICU
    locale IDs could lead to arbitrary code execution.
    (CVE-2011-4599)

  - Multiple vulnerabilities in libxml could have a variety
    of impacts, including arbitrary code execution.
    (CVE-2011-1944 / CVE-2011-2821 / CVE-2011-2834 /
    CVE-2011-3919)

  - Multiple memory corruption issues in JavaScriptCore
    could lead to arbitrary code execution.
    (CVE-2012-0682 / CVE-2012-0683 / CVE-2012-3589 /
    CVE-2012-3590 / CVE-2012-3591 / CVE-2012-3592 /
    CVE-2012-3678 / CVE-2012-3679)");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT202614");
  script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2012/Sep/msg00006.html");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/524229/30/0/threaded");
  script_set_attribute(attribute:"solution", value:"Upgrade the Apple TV to iOS 5.1 or later.");
  # Plugin-level CVSS2 vectors covering the whole bundle. The base vector
  # rates full C/I/A impact, which is stricter than the partial-impact score
  # shown for CVE-2012-3726 alone at the top of this page.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/27");

  # Unauthenticated, banner-based check: the verdict rests entirely on the
  # version string the service advertises, not on an on-device inspection.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Runs only after appletv_detect.nasl has set www/appletv, and only when
  # port 3689 (the port the check below reads the banner from) is open.
  script_dependencies("appletv_detect.nasl");
  script_require_keys("www/appletv");
  script_require_ports(3689);
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = 3689;
banner = get_http_banner(port:port, broken:TRUE, exit_on_fail:TRUE);

# Apple TV models answer on the DAAP port with one of two server headers;
# anything else is not iTunes and is not worth version-checking.
has_daap = ("DAAP-Server: iTunes/" >< banner);
has_ript = ("RIPT-Server: iTunesLib/" >< banner);
if (!(has_daap || has_ript)) audit(AUDIT_WRONG_WEB_SERVER, port, 'iTunes');

# Newer models: "DAAP-Server: iTunes/<major><letter><minor> (OS X)".
daap_pat = "^DAAP-Server: iTunes/([0-9][0-9.]+)[a-z]([0-9]+) \((Mac )?OS X\)";
daap_lines = egrep(pattern:daap_pat, string:banner);

# A DAAP header that is not in the Apple TV form is some other iTunes
# instance, which this plugin does not assess.
if (has_daap && !daap_lines)
  exit(0, "The web server listening on port "+port+" does not appear to be from iTunes on an Apple TV.");


# Fixed iTunes build (11.0d46); anything below it is reported.
fixed_major = "11.0";
fixed_minor = "46";

report = "";

if (daap_lines)
{
  # 3rd gen and recent 2nd gen models: compare the advertised build against
  # the fixed one (major as a dotted version, minor as an integer).
  foreach line (split(daap_lines, keep:FALSE))
  {
    fields = eregmatch(pattern:daap_pat, string:line);
    if (isnull(fields)) continue;

    major = fields[1];
    minor = fields[2];
    major_cmp = ver_compare(ver:major, fix:fixed_major, strict:FALSE);

    if (major_cmp < 0 || (major_cmp == 0 && int(minor) < int(fixed_minor)))
    {
      report =
        '\n  Source                   : ' + line +
        '\n  Installed iTunes version : ' + major + 'd' + minor +
        '\n  Fixed iTunes version     : ' + fixed_major + 'd' + fixed_minor +
        '\n';
    }
    # Only the first parsable header line is considered.
    break;
  }
}
else
{
  # Older models: "RIPT-Server: iTunesLib/<major>."; the major number is what
  # separates a 1st generation device (below 4) from the ones checked here.
  ript_pat = "^RIPT-Server: iTunesLib/([0-9]+)\.";
  ript_lines = egrep(pattern:ript_pat, string:banner);
  if (ript_lines)
  {
    foreach line (split(ript_lines, keep:FALSE))
    {
      fields = eregmatch(pattern:ript_pat, string:line);
      if (isnull(fields)) continue;

      lib_major = int(fields[1]);
      if (lib_major < 4) exit(0, "The web server listening on port "+port+" is from iTunes on a 1st generation Apple TV, which is no longer supported.");
      # 4..9 is treated as unpatched; anything newer is left unflagged.
      if (lib_major <= 9) report = '\n  Source : ' + line + '\n';
      break;
    }
  }
}


if (report)
{
  # report_verbosity is a global scanner setting; the finding is attached to
  # the host (port 0) rather than to the DAAP port itself.
  if (report_verbosity > 0) security_hole(port:0, extra:report);
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");