-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Symantec Vulnerability Alert
Apple iPhone and iPod Touch MP3 and AAC File Heap Buffer Overflow Vulnerability
Bugtraq ID 36338
CVE CVE-2009-2206 (Candidate)
Published Sep 09 2009
Last Update 09/14/2009 8:03:56 PM GMT
Remote Yes
Local Yes
Credibility Vendor Confirmed
Classification Boundary Condition Error
Ease No Exploit Available
Availability User Initiated
Authentication Not Required
CVSS Version 2 Scores
CVSS2 Base 9.3
CVSS2 Temporal 6.9
CVSS2 Base Vector AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS2 Temporal Vector E:U/RL:OF/RC:C
CVSS Version 1 Scores
CVSS1 Base 8
CVSS1 Temporal 5.9
Impact 10 Severity 9.4 Urgency Rating 7.8
Last Change Additional reference is available; technical
information updated.
Vulnerable Systems
- ------------------
Apple iPhone
Apple iPhone 1
Apple iPhone 1.0.1
Apple iPhone 1.0.2
Apple iPhone 1.1
Apple iPhone 1.1.1
Apple iPhone 1.1.2
Apple iPhone 1.1.3
Apple iPhone 1.1.4
Apple iPhone 2.0
Apple iPhone 2.0.1
Apple iPhone 2.0.2
Apple iPhone 2.1
Apple iPhone 2.2
Apple iPhone 2.2.1
Apple iPhone 3.0
Apple iPhone 3.0.1
Apple iPod Touch
Apple iPod Touch 1.1
Apple iPod Touch 1.1.1
Apple iPod Touch 1.1.2
Apple iPod Touch 1.1.3
Apple iPod Touch 1.1.4
Apple iPod Touch 2.0
Apple iPod Touch 2.0.1
Apple iPod Touch 2.0.2
Apple iPod Touch 2.1
Apple iPod Touch 2.2
Apple iPod Touch 2.2.1
Apple iPod Touch 3.0
Non-Vulnerable Systems
- ----------------------
Apple iPhone 3.1
Apple iPod Touch 3.1.1
Short Summary
- -------------
Apple iPhone and iPod touch are prone to a heap-based buffer-overflow vulnerability; fixes are available.
Impact
- ------
Successful exploits may allow attackers to execute arbitrary code on the vulnerable device. Failed attacks will cause denial-of-service conditions.
Technical Description
- ---------------------
Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser.
The devices are prone to a heap-based buffer-overflow vulnerability that is triggered when handling crafted AAC or MP3 files. In particular, this issue can be triggered when a vulnerable device handles a ringtone file containing malformed sample size table entries. This issue affects the 'ACTransformerCodec::AppendInputData()' function of the '/System/Library/Frameworks/AudioToolbox.framework/AudioCodecs' library file.
Successful exploits may allow an attacker to execute arbitrary code on the vulnerable device. Failed attacks will cause denial-of-service conditions.
This issue was previously covered in BID 36326 (Apple iPhone prior to 3.1 and iPod touch Prior to 3.1.1 Multiple Vulnerabilities) but has been given its own record to better document it.
This issue affects the following:
iPhone OS 1.0 through 3.0.1
iPhone OS for iPod touch 1.1 through 3.0
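As a triage aid for the malformed sample size table entries described above, the following added example (not part of the Symantec alert or of any vendor code) walks an MP4-family container and flags `stsz` sample size tables whose entries cannot be valid. It assumes the ringtone uses the ISO base media box layout and treats any entry larger than the file itself as malformed; the alert does not state the exact triggering condition, and `iter_boxes`, `check_stsz`, `box` and `sample_file` are names chosen here.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}  # boxes that hold child boxes

def iter_boxes(buf, start, end):
    """Yield (type, payload_start, payload_end) for each well-formed box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        (size, btype), hdr = struct.unpack_from(">I4s", buf, pos), 8
        if size == 1 and pos + 16 <= end:   # 64-bit largesize follows the type
            size, hdr = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                     # box runs to the end of its parent
            size = end - pos
        if size < hdr or pos + size > end:  # truncated or overrunning box: stop here
            return
        yield btype, pos + hdr, pos + size
        pos += size

def check_stsz(buf):
    """Return findings for every stsz (sample size table) box under moov."""
    findings, stack = [], [(0, len(buf))]
    while stack:
        for btype, p0, p1 in iter_boxes(buf, *stack.pop()):
            if btype in CONTAINERS:
                stack.append((p0, p1))
            if btype != b"stsz":
                continue
            if p1 - p0 < 12:
                findings.append("stsz shorter than its 12-byte header")
                continue
            _ver_flags, uniform, count = struct.unpack_from(">III", buf, p0)
            if uniform:                      # one size for all samples, no table
                sizes = [uniform]
            elif count * 4 > p1 - p0 - 12:   # table would run past the box
                findings.append(f"sample_count {count} does not fit in box")
                continue
            else:
                sizes = struct.unpack_from(f">{count}I", buf, p0 + 12)
            findings += [f"entry {i}: size {s} exceeds file length {len(buf)}"
                         for i, s in enumerate(sizes) if s > len(buf)]
    return findings

def box(btype, payload):  # serialise one box: 32-bit size, 4-byte type, payload
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def sample_file(sizes):  # constructed ftyp/moov/stsz/mdat skeleton, not a playable file
    stsz = box(b"stsz", struct.pack(f">III{len(sizes)}I", 0, 0, len(sizes), *sizes))
    moov = box(b"moov", box(b"trak", box(b"mdia", box(b"minf", box(b"stbl", stsz)))))
    return box(b"ftyp", b"M4A \x00\x00\x00\x00") + moov + box(b"mdat", b"\x00" * 64)
```

Calling `check_stsz` on the bytes of a file returns an empty list when every table passes these structural checks; a non-empty list is a reason to quarantine the file rather than sync it to an unpatched device.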
Attack Scenarios
- ----------------
1. An attacker crafts an MP3 or AAC file to leverage this issue. The file may contain arbitrary code with replacement memory addresses and possibly NOP instructions.
2. The attacker hosts the malicious data in a remotely accessible location and entices an unsuspecting user to visit the site. The attacker may also send the file to users through email or other means.
3. When the data is processed, the attacker's code runs on the vulnerable device.
Failed attacks will cause denial-of-service conditions.
Exploits
- --------
Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at:
vuldb@securityfocus.com.
Mitigating Strategies
- ---------------------
Run all software as a nonprivileged user with minimal access rights.
To limit the potential damage that a successful exploit may achieve, run all nonadministrative software as a regular user with the least amount of privileges required to successfully operate.
Do not accept or execute files from untrusted or unknown sources.
To reduce the likelihood of successful attacks, never handle or open files from unknown sources.
Do not allow untrusted users physical access to systems.
Users should not allow unknown or untrusted users to access affected devices.
Solutions
- ---------
The vendor has released an advisory and fixes. Please see the references for details.
Credit
- ------
Tobias Klein of trapkit.de
References
- ----------
Advisory: 17855 iPhone OS 3.1 and iPhone OS 3.1.1 for iPod touch (Apple)
Advisory: [TKADV2009-007] Apple iPhone OS AudioCodecs Heap Buffer Overflow (Tobias Klein <tk@trapkit.de>)
SecurityFocus
Web Page: Apple iPhone OS AudioCodecs Heap Buffer Overflow (Tobias Klein)
http://www.trapkit.de/advisories/TKADV2009-007.txt
Web Page: iPhone Product Page (Apple)
Web Page: iPod touch Product Page (Apple)
Change Log
- ----------
2009.09.14: Additional reference is available; technical information
updated.
2009.09.09: Initial analysis.
URL
- ---
https://alerts.symantec.com/loaddocu...2-db7f86fe51c9
View public key at:
https://alerts.symantec.com/gpgkey.aspx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32)
iD8DBQFKrqPoUuGvlu3xvN4RAs+MAJ9b5P97Wi+brc01MX1x7g ypL1SN+wCgvNtq
JFBKQU83ylIh2ISh58HmtJk=
=BzOQ
-----END PGP SIGNATURE-----