According to its banner, the remote Apple TV (2nd generation or later) device is running a software version prior to 6.0. It is, therefore, reportedly affected by multiple vulnerabilities, the most serious of which could result in arbitrary code execution.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration pass: when `description` is set the plugin only declares its
# metadata (IDs, references, risk data, prerequisites) and leaves through the
# exit(0) at the end of this block, before any probing code is reached.
if (description)
{
  script_id(70257);
  script_version("1.14");
  script_cvs_date("Date: 2019/11/27");

  # CVE identifiers associated with this finding.
  script_cve_id(
    "CVE-2011-2391", "CVE-2011-3102", "CVE-2012-0841", "CVE-2012-2807",
    "CVE-2012-2825", "CVE-2012-2870", "CVE-2012-2871", "CVE-2012-5134",
    "CVE-2013-0879", "CVE-2013-0991", "CVE-2013-0992", "CVE-2013-0993",
    "CVE-2013-0994", "CVE-2013-0995", "CVE-2013-0996", "CVE-2013-0997",
    "CVE-2013-0998", "CVE-2013-0999", "CVE-2013-1000", "CVE-2013-1001",
    "CVE-2013-1002", "CVE-2013-1003", "CVE-2013-1004", "CVE-2013-1005",
    "CVE-2013-1006", "CVE-2013-1007", "CVE-2013-1008", "CVE-2013-1010",
    "CVE-2013-1011", "CVE-2013-1019", "CVE-2013-1025", "CVE-2013-1026",
    "CVE-2013-1037", "CVE-2013-1038", "CVE-2013-1039", "CVE-2013-1040",
    "CVE-2013-1041", "CVE-2013-1042", "CVE-2013-1043", "CVE-2013-1044",
    "CVE-2013-1045", "CVE-2013-1046", "CVE-2013-1047", "CVE-2013-2842",
    "CVE-2013-3950", "CVE-2013-3953", "CVE-2013-3954", "CVE-2013-5125",
    "CVE-2013-5126", "CVE-2013-5127", "CVE-2013-5128", "CVE-2013-5138",
    "CVE-2013-5139", "CVE-2013-5140", "CVE-2013-5142", "CVE-2013-5145"
  );

  # Bugtraq identifiers associated with this finding.
  script_bugtraq_id(
    52107, 53540, 54203, 54718, 55331, 56684, 59326, 59944,
    59953, 59954, 59955, 59956, 59957, 59958, 59959, 59960,
    59963, 59964, 59965, 59967, 59970, 59971, 59972, 59973,
    59974, 59976, 59977, 60067, 60102, 60437, 60441, 60444,
    62368, 62369, 62520, 62522, 62524, 62529, 62531, 62536,
    62551, 62553, 62554, 62556, 62557, 62558, 62559, 62560,
    62563, 62565, 62567, 62568, 62569, 62570, 62571
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-09-20-1");

  script_name(english:"Apple TV < 6.0 Multiple Vulnerabilities");
  # The summary states the detection method: the verdict comes from the
  # advertised banner version only.
  script_summary(english:"Checks version in banner");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the remote Apple TV 2nd generation or later
device is prior to 6.0. It is, therefore, reportedly affected by
multiple vulnerabilities, the most serious issues of which could
result in arbitrary code execution.");

  # Vendor advisory and mailing-list references.
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT202815");
  script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2013/Sep/msg00008.html");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/528762/30/0/threaded");

  script_set_attribute(attribute:"solution", value:
"Upgrade to Apple TV 6.0 or later.");

  # CVSS v2 base vector: network access, medium complexity, no authentication,
  # complete confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector: proof-of-concept exploitability, official fix
  # available, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  # The score is attributed to this single CVE out of the list above.
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5139");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/02/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/09/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites declared to the scanner: the detection plugin, a knowledge
  # base key (presumably set by that plugin -- confirm in appletv_detect.nasl),
  # and the port probed by the check code below.
  script_dependencies("appletv_detect.nasl");
  script_require_keys("www/appletv");
  script_require_ports(3689);

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Fetch the HTTP banner from the fixed port this check probes. With
# exit_on_fail:TRUE the plugin stops here if no banner can be obtained.
port = 3689;
banner = get_http_banner(port:port, broken:TRUE, exit_on_fail:TRUE);

# Neither iTunes server header is present: audit out as the wrong web server.
if (!("DAAP-Server: iTunes/" >< banner || "RIPT-Server: iTunesLib/" >< banner))
{
  audit(AUDIT_WRONG_WEB_SERVER, port, 'iTunes');
}

# DAAP banner layout expected here: dotted version, one lowercase letter and a
# build number, followed by an "(OS X)" or "(Mac OS X)" marker.
pat = "^DAAP-Server: iTunes/([0-9][0-9.]+)([a-z])([0-9]+) \((Mac )?OS X\)";
matches = egrep(pattern:pat, string:banner);

# A DAAP header that does not fit the expected layout is treated as iTunes
# running on something other than an Apple TV, so the check stops without a
# finding.
if (isnull(matches) && "DAAP-Server: iTunes/" >< banner)
{
  exit(0, "The web server listening on port "+port+" does not appear to be from iTunes on an Apple TV.");
}
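# Version decision and reporting.
#
# The first fixed DAAP banner version is split into the same three parts the
# banner pattern captures: dotted version, letter, build number. The verdict
# rests only on what the banner advertises, so a finding is an indicator to
# confirm on the device rather than proof of the installed software version.
fixed_major = "11.1";
fixed_char = "b";
fixed_minor = "37";

report = "";

# Check first for 3rd gen and recent 2nd gen models.
if (matches)
{
  foreach line (split(matches, keep:FALSE))
  {
    match = eregmatch(pattern:pat, string:line);
    if (!isnull(match))
    {
      major = match[1];
      char = match[2];
      minor = int(match[3]);

      # Compare the dotted part once and reuse the result below.
      major_cmp = ver_compare(ver:major, fix:fixed_major, strict:FALSE);

      # Vulnerable when the banner version sorts before the fixed one:
      # lower dotted version, or same dotted version with a lower letter,
      # or same letter with a lower build number.
      #
      # fixed_minor is kept as a string for the report text, so it is
      # converted with int() here. That makes the build-number comparison
      # explicitly numeric instead of depending on how NASL compares an
      # integer with a string.
      if (
        major_cmp < 0 ||
        (
          major_cmp == 0 &&
          (
            ord(char) < ord(fixed_char) ||
            (
              ord(char) == ord(fixed_char) &&
              minor < int(fixed_minor)
            )
          )
        )
      )
      {
        report = '\n Source : ' + line +
                 '\n Installed iTunes version : ' + major + char + minor +
                 '\n Fixed iTunes version : ' + fixed_major + fixed_char + fixed_minor +
                 '\n';
      }

      # Only the first banner line that parses is evaluated.
      break;
    }
  }
}
else
{
  # No DAAP match: fall back to the RIPT banner, which is only matched on
  # its leading major number.
  pat2 = "^RIPT-Server: iTunesLib/([0-9]+)\.";
  matches = egrep(pattern:pat2, string:banner);
  if (matches)
  {
    foreach line (split(matches, keep:FALSE))
    {
      match = eregmatch(pattern:pat2, string:line);
      if (!isnull(match))
      {
        major = int(match[1]);
        if (major < 4) exit(0, "The web server listening on port "+port+" is from iTunes on a 1st generation Apple TV, which is no longer supported.");
        else if (major >= 4 && major <= 9)
        {
          # Every major from 4 to 9 is flagged; no finer-grained version
          # check is made on this branch, so only the banner line is reported.
          report = '\n Source : ' + line +
                   '\n';
        }
        break;
      }
    }
  }
}

if (report)
{
  # NOTE(review): the finding is filed against port 0 rather than the probed
  # port -- presumably deliberate, to make it a host-level result; confirm.
  if (report_verbosity > 0) security_hole(port:0, extra:report);
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");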
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2391
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0879
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0991
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0992
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0993
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0994
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0995
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0996
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0997
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0998
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0999
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1000
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1001
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1002
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1003
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1004
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1005
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1006
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1007
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1008
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1010
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1011
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1019
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1025
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1026
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1037
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1038
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1039
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1040
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1041
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1042
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1043
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1044
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1045
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1046
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1047
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2842
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3950
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3953
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5126
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5127
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5138
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5139
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5140
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5142
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5145
lists.apple.com/archives/security-announce/2013/Sep/msg00008.html
support.apple.com/en-us/HT202815
www.securityfocus.com/archive/1/528762/30/0/threaded