The RedTeam, a penetration testing group, has released two security advisories which explain security holes in two podcast clients (podcatchers).

Both exploits are possible because the input of the programs is not properly (or at all) sanitized. Basically, they call system($wget_cmd) where $wget_cmd is shell (/bin/sh) code which shall download a file via wget. As the $wget_cmd string contains contents from an untrusted source (HTML/XML on some random server), this results in an "arbitrary code execution" vulnerability, the worst-case scenario you could imagine.

If someone is naive enough to even run such a podcatcher as root, this means a remote root exploit!

Anyways, the RedTeam is definately correct in saying that more and more people start listening to podcasts, and more and more podcatchers are written. But few of them are written with security in mind, which leaves many listeners at risk... I wonder how popular closed-source podcatchers such as iTunes are affected here. Are there any published audits/audit-results (black-box auditing, obviously, as you don't have the source code) for iTunes?

As for Free Software implementations... consider this a call for reviews and audits! If you know/use one of the many podcatchers (or an RSS feed aggregator, which are affected by similar issues), and have some knowledge on secure programming, get the source and review the application. Make the software you use, and the world at large, a little safer.

I'll definately have a look at the programs I'm using soonish...

Syndicate content