Airscanner Mobile Security Advisory #05101001:
iTunes 6.0 Shared Music Denial of Service/Spoofing/Flooding/Abuse
Demo:
A Flash demo in which we demonstrate the vulnerability accompanies this advisory (two mirrors).
URL:
http://www.airscanner.com/security/05101001_itunes.htm
Product:
iTunes 6.0 and below
Platform:
Tested on Windows XP and OSX
Requirements:
Nemesis for spoofing. Perl for the scripting environment. iTunes on either OSX
or Windows.
Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
Mobile Antivirus Researchers Association
http://www.mobileav.org
October 10, 2005
Risk Level:
Low: Denial of service (Shared Music anonymous forced disconnect) and list abuse
attacks are both merely annoying to iTunes users.
Medium: Shared Music lists from various users can be renamed and swapped, thus
creating an environment in which you can't be sure to whom you are connecting.
Summary:
iTunes is a popular service allowing you to play music, buy music, download
music, share music, create playlists, etc.; it includes a video player and other
features: http://www.itunes.com
The iTunes Shared Music feature allows users on a network to create playlists
from songs on their computer and to share them on the network. When you create
a new list and enable sharing, other iTunes users will see your lists under
the Shared Music list, unless they change their preferences from the default
settings. We discovered that it is possible to create spoofed Shared Music entries,
to rename existing entries, to disconnect existing entries, and to re-initiate
existing lists. We can also kill an existing stream without authorization via
an anonymous packet.
Details:
iTunes Shared Music Entry Spoofing: It is possible to create fake Shared Music
entries by spoofing fake domain/list names and IP addresses inside an MDNS packet
that is used to broadcast existing lists. This spoofing attack can be scripted
to post numerous entries to specific or all iTunes users on a network (flooding).
By repeated excessive posting of Shared Music Entries, we were able to create
a major system load on systems using iTunes.
iTunes Shared Music Entry Rename: It is possible to rename a valid entry across
the network by spoofing the IP of the originating computer. With this power,
we can swap existing Shared Music Entries and trick people into connecting to
the wrong list.
iTunes Shared Music Entry Time To Live Spoofing: It is possible to reset the
TTL value of existing lists (or new lists), thus allowing an attacker to set
the TTL on an existing list to one second, resulting in the list being removed
from all client computers, even if a song is currently being shared.
In order to spoof entries, you have to first send an SRV packet out with all
the appropriate information, which must then be followed by a spoofed response
packet to convince other iTunes clients that the first packet was real. In order
to create spoofed lists, or to alter existing lists, you must also spoof the
originating IP. The IP does not have to be on the local subnet.
For an example of what is possible, we have recorded a session as rather large
swf files (a 2MB web-based video). A screenshot of a multi-spoof is also
available.
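As an added example (not part of this advisory or of Airscanner's tooling), the following Python parses mDNS answers and flags the three behaviours described above from a defender's side: an announcement arriving from a source outside the local subnet, a Shared Music entry announced with a TTL of one second or less, and an existing share name re-announced by a different host. The _daap._tcp.local service type is what iTunes registers for Shared Music; the subnet 192.168.1.0/24, the function names and the constructed packets are assumptions.

```python
import ipaddress
import struct
DAAP = "_daap._tcp.local"                            # service type iTunes Shared Music registers
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed site subnet

def read_name(buf, pos):
    """Decode a DNS name at pos (following compression pointers); return (name, next_pos)."""
    labels, end = [], None
    while True:
        n = buf[pos]
        if n & 0xC0 == 0xC0:                         # pointer: remember where we left off once
            end = pos + 2 if end is None else end
            pos = ((n & 0x3F) << 8) | buf[pos + 1]
        elif n == 0:
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(buf[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
            pos += 1 + n

def parse_mdns(buf):
    """Yield (name, rtype, ttl, rdata) for every resource record; PTR targets are decoded."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    pos = 12
    for _ in range(qd):                              # skip the question section
        pos = read_name(buf, pos)[1] + 4
    for _ in range(an + ns + ar):
        name, pos = read_name(buf, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        pos += 10
        yield name, rtype, ttl, (read_name(buf, pos)[0] if rtype == 12 else buf[pos:pos + rdlen])
        pos += rdlen

def check_daap(src_ip, buf, seen):
    """Alerts for one packet; 'seen' maps share name -> first source IP that announced it."""
    alerts = []
    if ipaddress.ip_address(src_ip) not in LOCAL_NET:    # advisory: spoofed IP need not be local
        alerts.append(f"off-subnet source {src_ip}")
    for name, rtype, ttl, share in parse_mdns(buf):
        if rtype == 12 and name == DAAP:
            if ttl <= 1:                             # TTL reset removes the share from every client
                alerts.append(f"forced removal of share {share!r} (TTL {ttl})")
            elif seen.setdefault(share, src_ip) != src_ip:   # same name now claimed by another host
                alerts.append(f"share {share!r} re-announced from {src_ip}, first seen {seen[share]}")
    return alerts

def build_ptr(share, ttl):   # constructed test fixture: one mDNS response with a PTR to the share
    name = b"".join(bytes([len(l)]) + l.encode() for l in DAAP.split(".")) + b"\0"
    rdata = bytes([len(share)]) + share.encode() + b"\xc0\x0c"   # 0xc00c -> DAAP name at offset 12
    return (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + name
            + struct.pack("!HHIH", 12, 0x8001, ttl, len(rdata)) + rdata)
```

A TTL of 0 is also what a client sends legitimately when sharing is switched off, so the removal alert is best correlated with whether the announcing host was the one first seen for that share.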
Credits and Thanks:
Special thanks to the creators of Nemesis, without which this testing
would have been much more difficult. We would also like to acknowledge the creators
of Ethereal for an excellent sniffer.
Workaround:
Disable the 'Look for shared music' option under the Sharing tab in Preferences.
Vendor Response:
Awaiting Response.
Copyright (c) 2005 Airscanner Corp.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.