BugTraq
Elevation of Privilege Vulnerability in iTunes for Windows Mar 31 2010 01:39PM
jason ngssoftware com
Elevation of Privilege Vulnerability in iTunes for Windows

----------------------------------------------------------

March 31th, 2010

=======

Summary

=======

Name: Elevation of Privilege Vulnerability in iTunes for Windows

Release Date: March 31th, 2010

Discoverer: Jason Geffner

Vendor: Apple Inc.

Systems Affected: iTunes 9.0.0, iTunes 9.0.1, iTunes 9.0.2, iTunes 9.0.3

(version previous to iTunes 9.0.0 not tested)

Risk: High

Apple Security Advisory ID: APPLE-SA-2010-03-30-2 [1]

Apple Knowledge Base Article: HT4105 [2]

CVE-ID: CVE-2010-0532

Status: Published

============

Introduction

============

This paper discusses how an unprivileged local attacker can elevate their

privileges during an initial installation or update of iTunes for Windows. This

vulnerability was responsibly disclosed to Apple Inc. and this advisory was not

released until a fixed build of iTunes was released.

==========

Background

==========

"iTunes is a proprietary digital media player application, used for playing and

organizing digital music and video files. The program is also an interface to

manage the contents on Apple's popular iPod and other digital media players

such as the iPhone and iPad. Additionally, iTunes can connect to the iTunes

Store via the Internet to purchase and download music, music videos, television

shows, applications, iPod games, audiobooks, podcasts, feature length films and

movie rentals (not available in all countries), and ringtones (only used for

iPhone). It is also used to download applications for the iPhone and iPod touch

running iPhone OS 2.0 or later." [3]

========

Timeline

========

09/22/09 iTunes 9.0.1 released

10/22/09 Elevation of privilege vulnerability discovered in iTunes 9.0.1

10/22/09 Detailed vulnerability report responsibly disclosed to Apple Inc.

10/22/09 Automated response received from Apple Inc.

10/28/09 Automated response received from Apple Inc.

10/29/09 iTunes 9.0.2 released

12/23/09 Status request sent to Apple Inc.

01/06/10 First personal response formally received from Apple Inc.

02/01/10 iTunes 9.0.3 released

03/30/10 iTunes 9.1.0 released, fixing elevation of privilege vulnerability

03/31/10 Advisory released

=============

Vulnerability

=============

Upon first-time installation, iTunes installs GEAR Software ASPI driver

components and Microsoft Driver Install Frameworks API components in

"%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86"

for 32-bit installations and in "%ALLUSERSPROFILE%\Application Data{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64" for 64-bit installations. The

installer installs in this directory DifXInstall32.exe or DifXInstall64.exe for

32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other

files. After the installer writes these files to the directory, it will execute

DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a

privileged user.

On a standard Windows installation, unprivileged users have write-access to

"%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes

installation, an unprivileged attacker can create these directories and place a

malicious executable at "%ALLUSERSPROFILE%\Application Data{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe" or

"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64DifXInstall64.exe", which could for example add the unprivileged attacker to

the Administrators group in Windows when DifXInstall32.exe or DifXInstall64.exe

is executed by a privileged user. During installation, the installer won't

overwrite an existing DifXInstall32.exe or DifXInstall64.exe; it will execute

the existing program in the context of Local System.

On the other hand, if iTunes is already installed on the system, an

unprivileged attacker won't have access to overwrite DifXInstall32.exe,

DifXInstall64.exe, or DIFxAPI.dll. However, unprivileged attackers still have

write-access to create new files in "%ALLUSERSPROFILE%\Application Data{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86" or "%ALLUSERSPROFILE%Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64". Therefore, an

unprivileged attacker could place into the directory a malicious DLL that

DifXInstall32.exe, DifXInstall64.exe, or DIFxAPI.dll depends on. For example,

DIFxAPI.dll imports setupapi.dll; an unprivileged attacker could place a

malicious setupapi.dll file into that directory such that when

DifXInstall32.exe or DifXInstall64.exe is executed, it loads DIFxAPI.dll, which

in turn loads the malicious setupapi.dll, which could for example add the

unprivileged attacker to the Administrators group in Windows when

DifXInstall32.exe or DifXInstall64.exe is executed by a privileged user. When

an existing iTunes installation is updated to a newer version, the update

installer will execute DifXInstall32.exe or DifXInstall64.exe in the context of

Local System.

=======

Exploit

=======

Ideally, the attacker's DLL should have all the functionality of the DLL that

the application expected to load, including the same exported functions. An

attacker can patch the original DLL so that the attacker's code runs before the

DLL's original DllMain code is executed, after which the original DllMain code

is called. This allows the DLL to continue to operate as normal.

The program at http://www.malwareanalysis.com/releases/dllpatcher.zip [4] can be

used to redirect a given DLL's entrypoint (which originally pointed to DllMain)

to point to code that has been patched into the DLL. This patched-in code will

add a given user to the Administrators group in Windows (assuming that it's

being run in the context of a privileged user), after which it will transfer

control back to the DLL's original DllMain. The patcher also updates the Import

Table for the DLL since the patched-in code relies on the function

NetLocalGroupAddMembers(...) from netapi32.dll. The only other side effect of

the patcher is that it clears the Bound Imports for the DLL; the only adverse

side effect of this is that this may cause the DLL to take a few extra

milliseconds to load.

The patcher is compatible with both 32-bit and 64-bit DLLs and displays usage

instructions when executed without command line arguments.

As an example, an attacker could use this patcher as follows to patch

setupapi.dll so that it will add unprivileged user MyComputer\Jason to the

Administrators group when the DLL is loaded by a privileged user:

DllPatcher.exe %WINDIR%\system32\setupapi.dll "%ALLUSERSPROFILE%\Application

Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\setupapi.dll" MyComputer\Jason

==========

Conclusion

==========

Proper ACLs should be used to prevent such elevation of privilege attacks and

great care should be taken when choosing which directories to use for

executable files.

NGSSoftware would like to thank Alex Ionescu for his assistance in

communications with the Apple Product Security Team.

===============

Fix Information

===============

This issue has now been resolved. iTunes 9.1.0 can be downloaded from:

http://www.apple.com/itunes/download

==========

References

==========

[1] http://lists.apple.com/archives/security-announce/2010/Mar/msg00003.html

[2] http://support.apple.com/kb/HT4105

[3] http://en.wikipedia.org/wiki/ITunes

[4] http://www.malwareanalysis.com/releases/dllpatcher.zip

NGSSoftware Insight Security Research

http://www.ngssoftware.com/

http://www.databasesecurity.com/

http://www.nextgenss.com/

+44(0)208 401 0070

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus