Date: Thu Jan  5 17:00:12 2006
From: gautam.bipin at gmail.com (Bipin Gautam)
Subject: Re: Download Accelerator Plus can be tricked to download malicious file

Just an update:
DAP searches for all its mirrors from mirrorsearch.speedbit.com

I have no knowledge about HOW the mirrors are gathered. Still waiting
for DAP developers to comment on this.

regards,
-Bipin Gautam
http://bipin.tk


On 1/4/06, Bipin Gautam <gautam.bipin@...il.com> wrote:
> Product (ONLY TESTED ON): Download Accelerator Plus 7.4.0.2 (unregistered)
> Test Environment: WinXP Pro SP2 (patch level latest)
> Risk Type: Rare exception
> Threat Level: High
> Vendor website: www.speedbit.com
>
> POC screenshots: http://img482.imageshack.us/img482/4205/31uk.jpg
> http://img425.imageshack.us/img425/4380/15an.jpg
>
> speedbit.com claims to have 110 million users of DAP worldwide, and it is
> one of the most popular and best download managers for Windows. One of its
> biggest strengths in downloading big files over a fast connection at
> optimum speed is that it can automatically search for the best mirrors and
> download different parts of the file from multiple locations.
>
> BUT Download Accelerator Plus (DAP) may switch its download to an
> untrusted or malicious website while searching for the fastest mirrors for a
> particular file under certain conditions. If the ACTUAL, trusted host
> providing the file is DOWN, or due to network congestion, the user may
> get and execute a malicious file instead.
>
> I've included two screenshots which should be self-explanatory. Check
> out the URLs in each screenshot and see from where the file is being
> received at the end.
>
> In the screenshot I'm trying to download 'Windows 2003 SP1' from
> download.microsoft.com, but DAP automatically chooses to download it
> only from ftp.planet.nl, as my network was having tooooooooo low
> internet bandwidth at that time.
>
> Furthermore, on some networks/OSes there might be rules for MAX
> CONNECTIONS PER HOST, and (say) if someone in the network is already
> downloading some file from download.microsoft.com, the outcome will
> surely be a VIRTUAL network congestion for download.microsoft.com
> within that DMZ.
>
> For my test I used another client computer behind the gateway to send
> continuous pings (17 different instances, fat ping requests ;0) to
> download.microsoft.com. As a result, for my network
> download.microsoft.com was off the radar. So, on my other computer
> DAP chose to download Win2003 SP1 from ftp.planet.nl instead. So,
> even after my network regained its full throttle... no wonder DAP was
> still downloading the file from ftp.planet.nl.
>
> My test network setup was 3 PCs which were left on default
> configuration with WinXP SP2 (patch level: latest).
>
> Changes: This advisory is slightly modified from the one that I
> emailed to the vendor about a week back; I tried contacting them, but
> with no response till now!
>
> Result: I was receiving the file from an unknown and untrusted source,
> which could be infected with a malicious program.
>
> BUT FYI: I haven't researched HOW and WHERE 'DAP' queries to get
> other possible mirrors for the particular file.
>
> Conclusion: I insist on NOT using download managers that do the same
> while downloading important files. Or else watch your download
> manager and check whether the file is being downloaded from the
> original URL or not.
>
> Regards,
> -Bipin Gautam
>


--

Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...
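The advisory's closing advice is to check whether a download manager actually fetched the file from the original URL, and the underlying risk is a segmented download assembled from a host the user never asked for. The script below is an added example written for this archive page, not code from the advisory author or from SpeedBit. It performs the two checks a defender would run after such a download: it flags every observed source host that differs from the origin host the user typed, and it compares the assembled file's SHA-256 against a hash obtained out of band (for instance from the vendor's own page). The URL paths, the sample payload and the "published" hash are constructed for the example; the hostnames are the two that appear in the advisory.

```python
"""Post-download checks for a download manager that may switch mirrors.

Added example (not from the advisory or the vendor). Two independent
checks are shown:
  1. Did every download segment come from the host the user requested?
  2. Does the assembled file match a hash published out of band?
"""
import hashlib
import hmac
from urllib.parse import urlsplit


def host_of(url):
    """Lowercase hostname of a URL, or '' if the URL has no host part."""
    return (urlsplit(url).hostname or "").lower()


def off_origin_sources(original_url, observed_urls):
    """Return the observed segment URLs whose host is not the origin host.

    The download manager may have fetched parts of the file from several
    locations; any entry returned here is a source the user did not ask
    for.  An empty list means every segment came from the requested host.
    """
    origin = host_of(original_url)
    return [u for u in observed_urls if host_of(u) != origin]


def sha256_hex(data):
    """Hex SHA-256 of an in-memory payload."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data, expected_sha256):
    """True only if the payload hashes to the out-of-band published value.

    compare_digest is used so the check does not leak timing information
    about how many leading hex digits matched.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def check_download(original_url, observed_urls, data, expected_sha256):
    """Combine both checks into one verdict dictionary.

    'trusted' is True only when no segment came from an off-origin host
    AND the file hash matches; a mirror-served file with a correct hash
    is reported as 'hash_ok' but still not 'trusted', because the
    decision of which hosts to trust belongs to the user, not the mirror
    search.
    """
    foreign = off_origin_sources(original_url, observed_urls)
    hash_ok = verify_download(data, expected_sha256)
    return {
        "off_origin_sources": foreign,
        "hash_ok": hash_ok,
        "trusted": hash_ok and not foreign,
    }


if __name__ == "__main__":
    # Constructed sample data: the paths and the payload are invented; the
    # hostnames are the two that appear in the advisory above.
    requested = "http://download.microsoft.com/example/setup.exe"
    segments = [
        "http://download.microsoft.com/example/setup.exe",
        "ftp://ftp.planet.nl/mirror/example/setup.exe",
    ]
    payload = b"constructed installer bytes"
    published = sha256_hex(payload)  # stands in for a vendor-published hash

    verdict = check_download(requested, segments, payload, published)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Run it as-is to see the verdict for the constructed case: the hash matches, but because one segment came from ftp.planet.nl the file is still reported as not trusted. Replace `published` with the hash the vendor actually publishes and `payload` with the assembled file's bytes to use it for real.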
