Vulnerabilities > CVE-2013-1014 - Improper Input Validation vulnerability in Apple Itunes

047910
CVSS 4.3 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE

Summary

Apple iTunes before 11.0.3 does not properly verify X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.

Vulnerable Configurations

Part Description Count
Application
Apple
176
OS
Apple
7
OS
Microsoft
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_ITUNES_11_0_3.NASL
    descriptionThe version of iTunes installed on the remote Mac OS X host is earlier than 11.0.3 and is, therefore, affected by an information disclosure vulnerability related to certificate validation.
    last seen2020-06-01
    modified2020-06-02
    plugin id66500
    published2013-05-17
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/66500
    titleiTunes < 11.0.3 Certificate Validation Vulnerability (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66500);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/27");
    
      script_cve_id("CVE-2013-1014");
      script_bugtraq_id(59941);
    
      script_name(english:"iTunes < 11.0.3 Certificate Validation Vulnerability (Mac OS X)");
      script_summary(english:"Checks version of iTunes on Mac OS X");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a multimedia application that has an
    information disclosure vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of iTunes installed on the remote Mac OS X host is
    earlier than 11.0.3 and is, therefore, affected by an information
    disclosure vulnerability related to certificate validation.");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5766");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/May/msg00000.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/526623/30/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to iTunes 11.0.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1014");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_itunes_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "installed_sw/iTunes");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    app_info = vcf::get_app_info(app:"iTunes");
    
    constraints = [{"fixed_version" : "11.0.3"}];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyWindows
    NASL idITUNES_11_0_3.NASL
    descriptionThe version of Apple iTunes installed on the remote Windows host is older than 11.0.3. It therefore is potentially affected by several issues : - An error exists related to certificate validation that could allow disclosure of sensitive information and could allow the application to trust data from untrusted sources. (CVE-2013-1014) - The included version of WebKit contains several errors that could lead to memory corruption and possibly arbitrary code execution. The vendor notes one possible attack vector is a man-in-the-middle attack while the application browses the
    last seen2020-06-01
    modified2020-06-02
    plugin id66498
    published2013-05-17
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/66498
    titleApple iTunes < 11.0.3 Multiple Vulnerabilities (credentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66498);
      script_version("1.14");
      script_cvs_date("Date: 2019/11/27");
    
      script_cve_id(
        "CVE-2012-2824",
        "CVE-2012-2857",
        "CVE-2012-3748",
        "CVE-2012-5112",
        "CVE-2013-0879",
        "CVE-2013-0912",
        "CVE-2013-0948",
        "CVE-2013-0949",
        "CVE-2013-0950",
        "CVE-2013-0951",
        "CVE-2013-0952",
        "CVE-2013-0953",
        "CVE-2013-0954",
        "CVE-2013-0955",
        "CVE-2013-0956",
        "CVE-2013-0958",
        "CVE-2013-0959",
        "CVE-2013-0960",
        "CVE-2013-0961",
        "CVE-2013-0991",
        "CVE-2013-0992",
        "CVE-2013-0993",
        "CVE-2013-0994",
        "CVE-2013-0995",
        "CVE-2013-0996",
        "CVE-2013-0997",
        "CVE-2013-0998",
        "CVE-2013-0999",
        "CVE-2013-1000",
        "CVE-2013-1001",
        "CVE-2013-1002",
        "CVE-2013-1003",
        "CVE-2013-1004",
        "CVE-2013-1005",
        "CVE-2013-1006",
        "CVE-2013-1007",
        "CVE-2013-1008",
        "CVE-2013-1010",
        "CVE-2013-1011",
        "CVE-2013-1014"
      );
      script_bugtraq_id(
        54203,
        54749,
        55867,
        56362,
        57576,
        57580,
        57581,
        57582,
        57584,
        57585,
        57586,
        57587,
        57588,
        57589,
        57590,
        58388,
        58495,
        58496,
        59941,
        59944,
        59953,
        59954,
        59955,
        59956,
        59957,
        59958,
        59959,
        59960,
        59963,
        59964,
        59965,
        59967,
        59970,
        59971,
        59972,
        59973,
        59974,
        59976,
        59977
      );
      script_xref(name:"EDB-ID", value:"28081");
    
      script_name(english:"Apple iTunes < 11.0.3 Multiple Vulnerabilities (credentialed check)");
      script_summary(english:"Checks version of iTunes on Windows");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains an application that has multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apple iTunes installed on the remote Windows host is
    older than 11.0.3.  It therefore is potentially affected by several
    issues :
    
      - An error exists related to certificate validation
        that could allow disclosure of sensitive information
        and could allow the application to trust data from
        untrusted sources. (CVE-2013-1014)
    
      - The included version of WebKit contains several errors
        that could lead to memory corruption and possibly
        arbitrary code execution. The vendor notes one possible
        attack vector is a man-in-the-middle attack while the
        application browses the 'iTunes Store'.
        (CVE-2012-2824, CVE-2012-2857, CVE-2012-3748,
        CVE-2012-5112, CVE-2013-0879, CVE-2013-0912,
        CVE-2013-0948, CVE-2013-0949, CVE-2013-0950,
        CVE-2013-0951, CVE-2013-0952, CVE-2013-0953,
        CVE-2013-0954, CVE-2013-0955, CVE-2013-0956,
        CVE-2013-0958, CVE-2013-0959, CVE-2013-0960,
        CVE-2013-0961, CVE-2013-0991, CVE-2013-0992,
        CVE-2013-0993, CVE-2013-0994, CVE-2013-0995,
        CVE-2013-0996, CVE-2013-0997, CVE-2013-0998,
        CVE-2013-0999, CVE-2013-1000, CVE-2013-1001,
        CVE-2013-1002, CVE-2013-1003, CVE-2013-1004,
        CVE-2013-1005, CVE-2013-1006, CVE-2013-1007,
        CVE-2013-1008, CVE-2013-1010, CVE-2013-1011)");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-107/");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-108/");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-109/");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5766");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/May/msg00000.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/526623/30/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple iTunes 11.0.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-5112");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("itunes_detect.nasl");
      script_require_keys("SMB/iTunes/Version");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    version = get_kb_item_or_exit("SMB/iTunes/Version");
    fixed_version = "11.0.3.42";
    path = get_kb_item_or_exit("SMB/iTunes/Path");
    
    if (ver_compare(ver:version, fix:fixed_version) == -1)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      if (report_verbosity > 0)
      {
        report =
          '\n  Path              : '+path+
          '\n  Installed version : '+version+
          '\n  Fixed version     : '+fixed_version+'\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, "iTunes", version, path);
    
  • NASL familyPeer-To-Peer File Sharing
    NASL idITUNES_11_0_3_BANNER.NASL
    descriptionThe version of Apple iTunes on the remote host is prior to version 11.0.3. It is, therefore, affected by multiple vulnerabilities : - An error exists related to certificate validation. A man-in-the-middle attacker can exploit this to spoof HTTPS servers, which allows the disclosure of sensitive information or the application to trust data from untrusted sources. Note that this issue affects the application regardless of the operating system. (CVE-2013-1014) - The version of WebKit included in iTunes contains several errors that can lead to memory corruption and arbitrary code execution. The vendor states that one possible vector is a man-in-the-middle attack while the application browses the
    last seen2020-06-01
    modified2020-06-02
    plugin id66499
    published2013-05-17
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/66499
    titleApple iTunes < 11.0.3 Multiple Vulnerabilities (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66499);
      script_version("1.16");
      script_cvs_date("Date: 2019/11/27");
    
      script_cve_id(
        "CVE-2012-2824",
        "CVE-2012-2857",
        "CVE-2012-3748",
        "CVE-2012-5112",
        "CVE-2013-0879",
        "CVE-2013-0912",
        "CVE-2013-0948",
        "CVE-2013-0949",
        "CVE-2013-0950",
        "CVE-2013-0951",
        "CVE-2013-0952",
        "CVE-2013-0953",
        "CVE-2013-0954",
        "CVE-2013-0955",
        "CVE-2013-0956",
        "CVE-2013-0958",
        "CVE-2013-0959",
        "CVE-2013-0960",
        "CVE-2013-0961",
        "CVE-2013-0991",
        "CVE-2013-0992",
        "CVE-2013-0993",
        "CVE-2013-0994",
        "CVE-2013-0995",
        "CVE-2013-0996",
        "CVE-2013-0997",
        "CVE-2013-0998",
        "CVE-2013-0999",
        "CVE-2013-1000",
        "CVE-2013-1001",
        "CVE-2013-1002",
        "CVE-2013-1003",
        "CVE-2013-1004",
        "CVE-2013-1005",
        "CVE-2013-1006",
        "CVE-2013-1007",
        "CVE-2013-1008",
        "CVE-2013-1010",
        "CVE-2013-1011",
        "CVE-2013-1014"
      );
      script_bugtraq_id(
        54203,
        54749,
        55867,
        56362,
        57576,
        57580,
        57581,
        57582,
        57584,
        57585,
        57586,
        57587,
        57588,
        57589,
        57590,
        58388,
        58495,
        58496,
        59941,
        59944,
        59953,
        59954,
        59955,
        59956,
        59957,
        59958,
        59959,
        59960,
        59963,
        59964,
        59965,
        59967,
        59970,
        59971,
        59972,
        59973,
        59974,
        59976,
        59977
      );
      script_xref(name:"EDB-ID", value:"28081");
    
      script_name(english:"Apple iTunes < 11.0.3 Multiple Vulnerabilities (uncredentialed check)");
      script_summary(english:"Checks the version of iTunes.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a multimedia application that has multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apple iTunes on the remote host is prior to version
    11.0.3. It is, therefore, affected by multiple vulnerabilities :
    
      - An error exists related to certificate validation. A
        man-in-the-middle attacker can exploit this to spoof
        HTTPS servers, which allows the disclosure of sensitive
        information or the application to trust data from
        untrusted sources. Note that this issue affects the
        application regardless of the operating system.
        (CVE-2013-1014)
    
      - The version of WebKit included in iTunes contains
        several errors that can lead to memory corruption and
        arbitrary code execution. The vendor states that one
        possible vector is a man-in-the-middle attack while the
        application browses the 'iTunes Store'. Please note that
        these vulnerabilities only affect the application when
        it is running on a Windows host.
        (CVE-2012-2824, CVE-2012-2857, CVE-2012-3748,
        CVE-2012-5112, CVE-2013-0879, CVE-2013-0912,
        CVE-2013-0948, CVE-2013-0949, CVE-2013-0950,
        CVE-2013-0951, CVE-2013-0952, CVE-2013-0953,
        CVE-2013-0954, CVE-2013-0955, CVE-2013-0956,
        CVE-2013-0958, CVE-2013-0959, CVE-2013-0960,
        CVE-2013-0961, CVE-2013-0991, CVE-2013-0992,
        CVE-2013-0993, CVE-2013-0994, CVE-2013-0995,
        CVE-2013-0996, CVE-2013-0997, CVE-2013-0998,
        CVE-2013-0999, CVE-2013-1000, CVE-2013-1001,
        CVE-2013-1002, CVE-2013-1003, CVE-2013-1004,
        CVE-2013-1005, CVE-2013-1006, CVE-2013-1007,
        CVE-2013-1008, CVE-2013-1010, CVE-2013-1011)");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-107/");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-108/");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-109/");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5766");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/May/msg00000.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/526623/30/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple iTunes 11.0.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-5112");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/17");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Peer-To-Peer File Sharing");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("itunes_sharing.nasl");
      script_require_keys("iTunes/sharing");
      script_require_ports("Services/www", 3689);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:3689, embedded:TRUE, ignore_broken:TRUE);
    
    get_kb_item_or_exit("iTunes/" + port + "/enabled");
    
    type = get_kb_item_or_exit("iTunes/" + port + "/type");
    source = get_kb_item_or_exit("iTunes/" + port + "/source");
    version = get_kb_item_or_exit("iTunes/" + port + "/version");
    
    if (type == 'AppleTV') audit(AUDIT_LISTEN_NOT_VULN, "iTunes on AppleTV", port, version);
    
    fixed_version = "11.0.3";
    
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
      {
        report = '\n  Version source    : ' + source +
                 '\n  Installed version : ' + version +
                 '\n  Fixed version     : ' + fixed_version + '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "iTunes", port, version);
    

Oval

accepted2015-06-22T04:00:42.161-04:00
classvulnerability
contributors
  • nameShane Shaffer
    organizationG2, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
  • nameBernd Eggenmueller
    organizationbaramundi software
definition_extensions
commentApple iTunes is installed
ovaloval:org.mitre.oval:def:12353
descriptionApple iTunes before 11.0.3 does not properly verify X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.
familywindows
idoval:org.mitre.oval:def:17605
statusaccepted
submitted2013-07-30T11:32:03.685-04:00
titleApple iTunes before 11.0.3 does not properly verify X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate
version7