Airscanner Mobile Security Advisory #05101001: iTunes Shared Music Denial of Service/Spoofing/Flooding/Abuse

[Seth Fogie <seth () airscanner com>]

*Airscanner Mobile Security Advisory #05101001:
iTunes 6.0 Shared Music Denial of Service/Spoofing/Flooding/Abuse*

*Demo:*
The following is a link to a Flash demo in which we demonstrate the 
vulnerability. (link to flash demo 
<http://www.airscanner.com/security/itwns2.html>)

*URL:
*http://www.airscanner.com/security/05101001_itunes.htm

*Product:*
iTunes 6.0

*Platform:*
Tested on Windows XP and OSX

*Requirements:*
Nemesis for spoofing. Perl for the scripting environment. iTunes on 
either OSX or Windows.

* Credits:*
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
Mobile Antivirus Researchers Association
http://www.mobileav.org
October 10, 2005

* Risk Level:*
Low: Denial of service (Shared Music anonymous forced disconnect) and 
list abuse attacks are both merely annoying to iTunes users.
Medium: Shared Music lists from various users can be renamed and 
swapped, thus creating an environment in which you can't be sure to whom 
you are connecting.
*
* *Summary:*
iTunes is a popular service allowing you to play music, buy music, 
download music, share music, create playlists, etc.; it includes a video 
player and other features: http://www.itunes.com

The iTunes Shared Music feature allows users on a network to create 
playlists from songs on their computer and to share them on the network. 
When you create a new list and enable sharing, other iTunes users will 
see your lists under the Shared Music list, unless they change their 
preferences from the default settings. We discovered that it is possible 
to create spoofed Shared Music entries, to rename existing entries, to 
disconnect existing entries, and to re-initiate existing lists. We can 
also kill an existing stream without authorization via an anonymous packet.
*
* *Details:*
iTunes Shared Music Entry Spoofing: It is possible to create fake Shared 
Music entries by spoofing fake domain/list names and IP addresses inside 
an MDNS packet that is used to broadcast existing lists. This spoofing 
attack can be scripted to post numerous entries to specific or all 
iTunes users on a network (flooding). By repeated excessive posting of 
Shared Music Entries, we were able to create a major system load on 
systems using iTunes.

iTunes Shared Music Entry Rename: It is possible to rename a valid entry 
across the network by spoofing the IP of the originating computer. With 
this power, we can swap existing Shared Music Entries and trick people 
into connecting to the wrong list.

iTunes Shared Music Entry Time To Live Spoofing: It is possible to reset 
the TTL value of existing lists (or new lists), thus allowing an 
attacker to set the TTL on an existing list to one second, resulting in 
the list being removed from all client computers, even if a song is 
currently being shared.

In order to spoof entries, you have to first send a SVR packet out with 
all the appropriate information, which must then be followed by a 
spoofed response packet to convince other iTunes clients that the first 
packet was real. In order to create spoofed lists, or to alter existing 
lists, you must also spoof the originating IP. The IP does not have to 
be on the local subnet.

For an example of what is possible, we have recorded a session in rather 
large swf files. Click here 
<http://www.airscanner.com/security/itwns2.html> or here for the 2MB web 
based video. Screen shot of a multi-spoof 
<http://www.airscanner.com/security/images/itunes.JPG> also available.

*Credits and Thanks:
*Special thanks to the creators of nemesis, without which this testing 
would have been much more difficult. We also would like to acknowledge 
the creators of Ethereal for an excellent sniffer.

* Workaround:*
Disable 'Look for shared music' option under the Sharing tab in Preferences.

*Vendor Response:*
Awaiting Response.

Copyright (c) 2005 Airscanner Corp.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Airscanner Corp. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, 
please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use on an AS IS condition. 
There are no warranties with regard to this information. Neither the 
author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, 
this information.