Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

2008.06.06
Credit: cocoruder
Risk: Medium
Local: No
Remote: No
CVE: N/A
CWE: N/A

Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability by cocoruder(frankruder_at_hotmail&#46;com) http://ruder.cdut.net Summary: A parameter injection vulnerability exists in Akamai Download Manager. By exploiting this vulnerability, the remote attacker can make the users to download arbitrary file, and save it to arbitrary location while they are visiting a vicious web page. It means an attacker who successfully exploits this vulnerability can run arbitrary code on the affected system. Affected Software Versions: Akamai Download Manager ActiveX Control 2.2.3.5 Details: The file "http://dlm.tools.akamai.com/tools/upgrade.html" is a sample that calls this ActiveX Control, its parameter is set as follows: <PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt"> Then the value of "URL" is set. However, if we inject other characters to "URL", it also could be parsed correctly. For example: <PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net"> Since the parameter values set by ActiveX are saved in a temporary file as INI file format, in the above manner the value of "referer" will be changed. In addition, the parameter "target" is used to setting the loacation of the downloaded file, it has following meanings: "DESKTOP" the file will be saved on the desktop "AUTO" the file will be saved in Temporary Internet Files "" ask the user to choose the saving location Normally the value of "target" can only be set as the above three values, any other values will be filtered. Nevertheless, the parameter injection vulnerability can set the value of "target" arbitrarily, if the value is a valid file path, Akamai Download Manager will download the target file directly in it without any interaction with users. As a result, attackers can construct a vicious web page to download a file that could be controled to any location of the user's system. One of the possible ways of attacking is to download the trojan in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" directory, then it will be executed when next time the user logs in to the system. How to Reproduce: An example exploit is available on: http://ruder.cdut.net/attach/Akamai_DM_Vul/Akamai_DM_Vul_Exploit.html This exploit will download the following file to your "Startup" directory with a new name "calc_run.exe": http://ruder.cdut.net/attach/calc.exe MD5 Hash:E3FCB903305F8EE5551EA66F5C096737 Solution: The fixed version is 2.2.3.7, please update your Akamai Download Manager via the following url: http://dlm.tools.akamai.com/tools/upgrade.html Akamai has released an advisory for this vulnerability which is available on: http://www.securityfocus.com/archive/1/493077/30/0/threaded CVE Information: CVE-2008-1770 Disclosure Timeline: 2008.04.02 Vendor notified via email 2008.04.03 Vendor responded 2008.04.22 The vendor sent me the new edition of the product 2008.04.22 Confirmed the vulnerability had been fixed correctly 2008.05.12 The vendor had released the fixed edition silently, and did not inform me or release public advisory 2008.05.12 Asked them for the reason 2008.05.12 Vendor replied: "Once we are sure that all of our customers have been given the opportunity to upgrade, we will post a public advisory" 2008.05.12 Decided to give the maximum of two weeks to them for pushing the patch 2008.06.02 Sent a warning of the coming independent advisory, and asked the vendor to join us 2008.06.02 Vendor asked for an additional 48 hours for coordinated public disclosure 2008.06.04 Coordinated vulnerability disclosure --EOF--

References:

http://seclists.org/bugtraq/2008/Jun/0052.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top