Your Digital Media Has Never Looked So Good

 
mas
Topic Author
Posts: 281
Joined: Tue Dec 05, 2006 11:46 am

Security problem with svn-1696

Wed Nov 05, 2008 4:30 pm

Please beware of the following security problem with svn-1696 and possibly also all other versions.

I found this breach by chance when I was trying to give a DAAP-protocal streaming link to a friend and discovered, that the user password was NOT neccessary to access the file, despite the fact that I have of course a user password set.

Affected:
All remote accessible DAAP databases with a user password set.

Bug:
Even when a user password to access a music database is configured, it is possible to access the whole database without authentification.

Cause:
It turns out that the DAAP handler (the RSP handler does not seem to be affected) excludes certain requests from authentifications to work around bugs in the DAAP protocol. Unfortunately also the streaming requests for the actual music files are excluded, but especially these links are easy to guess. Therefore in fact the server only checks calls to browse the database. Anyone guessing a file id right can however download the file without authentification.
If that is really neccessary because of bugs in DAAP protocol as the source code states, then all I can say is thanks Apple for such a crappy protocol.

Confirmation:
Just point your normal browser to

http://yourserver:3689/databases/1/items/idnr.mp3

with idnr = any existing id number. These are easy to guess as the server usually numbers starting from 1. Oh and you have to guess the file ending but thats rather simple as well. Most will use mp3s.

And voila, no password request, it all downloads unauthorized.

Workaround:

plugins/out-daap.c:
/**
* check for auth. Kind of a ham-handed implementation, but
* works.
*/
int plugin_auth(WS_CONNINFO *pwsc, char *username, char *password) {
char *uri = pi_ws_uri(pwsc);

/* don't auth for stuff we shouldn't */
if(strncasecmp(uri,"/server-info",12) == 0)
return TRUE;
if(strncasecmp(uri,"/logout",7) == 0)
return TRUE;
/**
* Grrr, not authing the database is a huge security hole!
* I dont care what braindead itunes DB it breaks but
* not authing this means everyone can download
* all songs easily by just guessing the id!

if(strncasecmp(uri,"/databases/1/items/",19) == 0)
return TRUE;

* Thats insane!
* hence taken out
*/
if(strncasecmp(uri,"/activity",9) == 0)
return TRUE;

return pi_ws_matchesrole(pwsc,username,password,"user");
}


----------

The commented out the culprit here. Quite possible that this breaks some braindead DAAP clients.

P.S.: I have no itunes installed so I cannot say if this security fix breaks itunes. I only tested GIT as the only free DAAP client on windows and it continues to work with this fix. Also my Soundbride uses the RSP protocol so I cannot say if an original SB from Roku is affected when it uses the DAAP protocol.
Those who sacrifice freedom over safety deserve neither.

Who is online

Users browsing this forum: No registered users and 1 guest