lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3d7a6e870806041846i2051aa3bl123532b427953bcd@mail.gmail.com>
Date: Thu, 5 Jun 2008 09:46:22 +0800
From: cocoruder <cocoruder@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

by cocoruder(frankruder@...mail.com)
http://ruder.cdut.net


Summary:

    A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting this vulnerability, the remote attacker can
make the users to download arbitrary file, and save it to arbitrary
location while they are visiting a vicious web page. It means an
attacker who successfully exploits this vulnerability can run
arbitrary code on the affected system.


Affected Software Versions:

    Akamai Download Manager ActiveX Control 2.2.3.5



Details:

    The file "http://dlm.tools.akamai.com/tools/upgrade.html" is a
sample that calls this ActiveX Control, its parameter is set as
follows:

	<PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt">

    Then the value of "URL" is set.

    However, if we inject other characters to "URL", it also could be
parsed correctly. For example:

	<PARAM name="URL"
value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net">

    Since the parameter values set by ActiveX are saved in a temporary
file as INI file format, in the above manner the value of "referer"
will be changed.

    In addition, the parameter "target" is used to setting the
loacation of the downloaded file, it has following meanings:

	"DESKTOP"		 the file will be saved on the desktop
	"AUTO"			 the file will be saved in Temporary Internet Files
	""			 ask the user to choose the saving location

    Normally the value of "target" can only be set as the above three
values, any other values will be filtered.

    Nevertheless, the parameter injection vulnerability can set the
value of "target" arbitrarily, if the value is a valid file path,
Akamai Download Manager will download the target file directly in it
without any interaction with users. As a result, attackers can
construct a vicious web page to download a file that could be
controled to any location of the user's system.

    One of the possible ways of attacking is to download the trojan in
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
directory, then it will be executed when next time the user logs in to
the system.



How to Reproduce:

    An example exploit is available on:

    http://ruder.cdut.net/attach/Akamai_DM_Vul/Akamai_DM_Vul_Exploit.html

    This exploit will download the following file to your "Startup"
directory with a new name "calc_run.exe":

    http://ruder.cdut.net/attach/calc.exe

    MD5 Hash:E3FCB903305F8EE5551EA66F5C096737



Solution:

    The fixed version is 2.2.3.7, please update your Akamai Download
Manager via the following url:

    http://dlm.tools.akamai.com/tools/upgrade.html

    Akamai has released an advisory for this vulnerability which is
available on:

    http://www.securityfocus.com/archive/1/493077/30/0/threaded



CVE Information:

    CVE-2008-1770



Disclosure Timeline:

    2008.04.02        Vendor notified via email
    2008.04.03        Vendor responded
    2008.04.22        The vendor sent me the new edition of the product
    2008.04.22        Confirmed the vulnerability had been fixed correctly
    2008.05.12        The vendor had released the fixed edition
silently, and did not inform me or release public advisory
    2008.05.12        Asked them for the reason
    2008.05.12        Vendor replied: "Once we are sure that all of
our customers have been given the opportunity to upgrade, we will post
a public advisory"
    2008.05.12        Decided to give the maximum of two weeks to them
for pushing the patch
    2008.06.02        Sent a warning of the coming independent
advisory, and asked the vendor to join us
    2008.06.02        Vendor asked for an additional 48 hours for
coordinated public disclosure
    2008.06.04        Coordinated vulnerability disclosure



--EOF--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ