
CVE-2021-30862 PoC — Apple iTunes input validation vulnerability

Source
Associated Vulnerability
Title: Apple iTunes input validation vulnerability (CVE-2021-30862)
Description: Apple iTunes is a media player application from Apple Inc. (USA), used mainly to play and manage digital music and video files. Versions of Apple iTunes U before 3.8.3 contain an input validation vulnerability; an attacker may be able to execute arbitrary JavaScript code via a maliciously crafted URL.
Description
Write-up and proofs of concept for my vulnerability CVE-2021-30862, a 1-click RCE bug in iOS iTunes U
Readme
# CVE-2021-30862

In 2021, CodeColorist released his writeups on the [Mistuned vulnerabilities](https://codecolor.ist/2021/08/04/mistuned-part-i/), a series of vulnerabilities affecting the iTunes Store allowing for one-click remote code execution. Notably, he demonstrated popping calc with no memory corruption at all, but with just a logic bug. During this time period, I was investigating URL schemes in various apps, because 2 years before, I had reported a [security issue regarding App Store's itms-services:// URL scheme](https://support.apple.com/en-us/HT211850). One URL scheme I had found that was pretty similar was iTunes U's itms-itunesu:// URL scheme. At the time though, I had no idea that it accepted user-supplied input and thought it was only used to open the app, but later I realized this was not the case.

Upon reading his writeup, one thing caught my eye in particular: Jung Hoon Lee's sandbox escape using itmss:// during Pwn2Own 2014. At the time, iTunes Store accepted arbitrary URLs and would gladly load them into its SUWebView, even if they were not from Apple (CVE-2014-8840). At this point, you might be able to guess where I'm headed. I noticed that itmss:// was very similar to iTunes U's URL scheme, so I decided to see if iTunes U would load up google.com into its web view. And lo and behold, it did. And then I decided to try using the same iTunes API that was used by the Mistuned bugs in an attempt to pop calc, fully not expecting it to work, but to my greatest surprise, it did. It turns out that both iTunes Store and iTunes U share this same API. And what about the UAF from Mistuned? Was that in iTunes U too? Turns out it was as well, and I was able to create a proof-of-concept that crashes iTunes U by double freeing memory (POC_6.html). I attached some of the POCs I sent Apple as well as an attempt at a [fakeobj/addrof primitive](http://www.phrack.org/papers/attacking_javascript_engines.html) from this vulnerability in main.js with help from the Mistuned write-up, though, if I recall correctly, I don't think I got the fakeobj primitive working fully. You can read CodeColorist's write-up for more information on the impact of these vulnerabilities, but in short, they allow for a lot of sensitive data to be retrieved from the victim as well as potential 1-click RCE.
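The root cause described above is a custom URL scheme whose target is handed to a privileged web view without an origin check, the same pattern as CVE-2014-8840. The mitigation is an exact-host allowlist applied to the parsed URL, not a substring check. The following is an added, illustrative example in Python; it is not code from the iTunes U app or from this repository. It assumes the scheme maps to https on the same host and path (the way itmss:// does), and the allowed hosts are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SCHEME = "itms-itunesu"
# Hypothetical allowlist, constructed for this example: the hosts the app
# is meant to load. The real iTunes U host list is not given on the page.
ALLOWED_HOSTS = frozenset({"itunes.apple.com", "itunesu.itunes.apple.com"})


def naive_check(raw: str) -> bool:
    """The kind of substring check that lets CVE-2014-8840-style links through."""
    return "apple.com" in raw


def target_for_scheme_url(raw: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Map an itms-itunesu:// link to the https URL the web view may load.

    Returns None when the link must be refused. Assumes, for this example,
    that the scheme maps to https on the same host and path (as itmss:// does);
    the page does not document the app's real mapping.
    """
    try:
        parts = urlsplit(raw)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != SCHEME:     # urlsplit lowercases the scheme
        return None
    # Userinfo and explicit ports are refused outright: with
    # "itunes.apple.com@evil.example" a substring check passes while the
    # connection goes to evil.example.
    if parts.username is not None or parts.password is not None or port is not None:
        return None
    host = parts.hostname          # lowercased, userinfo and port stripped
    # Exact match on the parsed host, never startswith/endswith/substring.
    if host is None or host not in allowed_hosts:
        return None
    # Fragment dropped; it never reaches the server and is not needed here.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```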

# Disclosure Timeline
* My initial report to product-security: 8/6/2021
* Vulnerability acknowledged and reproduced ~ 8/23/2021
* Patch released in the 3.8.3 update and [CVE ID CVE-2021-30862](https://support.apple.com/en-us/103152) assigned: 9/15/2021
* $10,000 bounty awarded: 12/23/2021

File Snapshot

[4.0K] /data/pocs/31e9ba34836be25c7687fd04250f1b6588986f48
├── [1.8K] main.js
├── [ 163] POC_2.html
├── [ 167] POC_3.html
├── [ 264] POC_4.html
├── [  94] POC_5.html
├── [  76] POC_6.html
├── [  94] POC.html
└── [2.5K] README.md

0 directories, 8 files