Download Manager
------------------------------------------------------------------------
Akamai Download Manager arbitrary file download & execution
------------------------------------------------------------------------
Yorick Koster, April 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
Akamai Technologies Security Advisory 2009-0001
* Akamai ID: 2009-0001
* Date: 2009/23/20
* Product Name: Download Manager
* Affected Versions: < 2.2.4.8
* Fixed Version: 2.2.4.8
* CVE IDs: {TBD}
* CVSS Base Score: (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) 8.0
Akamai Technologies Security Advisory 2008-0001
* Akamai ID: 2008-0002
* Date: 2008/04/20
* Product Name: Download Manager
* Affected Versions: < 2.2.3.6
* Fixed Version: 2.2.3.7
* CVE IDs: CVE-2008-1770
* CVSS Base Score: (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) 8.0
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 30, 2008
I. BACKGROUND
Akamai Download Manager is an integral component of Akamai's global
distribution service. It is used to deliver big files quickly and
reliably to users around the world. It has been used by vendors such as
Symantec and Microsoft to provide downloads to the public.
Akamai provides both an ActiveX and a Java based Download Manager. If a
Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability
by cocoruder(frankruder@hotmail.com)
http://ruder.cdut.net
Summary:
A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting this vulnerability, the remote attacker can
======================================================================
Secunia Research 02/02/2009
- Free Download Manager Torrent Parsing Buffer Overflows -
======================================================================
Table of Contents
Affected Software....................................................1
======================================================================
Secunia Research 02/02/2009
- Free Download Manager Remote Control Server Buffer Overflow -
======================================================================
Table of Contents
Affected Software....................................................1
======================================================================
Secunia Research 13/05/2010
- Free Download Manager metalink "name" Directory Traversal -
======================================================================
Table of Contents
Affected Software....................................................1
======================================================================
Secunia Research 13/05/2010
- Free Download Manager Four Buffer Overflow Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
======================================================================
Secunia Research 30/04/2010
- Internet Download Manager FTP Buffer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
http://www.nosltd.com/index.php?option=com_content&task=view&id=38&Itemid=26
II. DESCRIPTION
Remote exploitation of an input validation vulnerability in NOS
Microsystems Ltd.'s getPlus Download Manager, as used by Adobe and
potentially other vendors, could allow an attacker to execute arbitrary
code with the privileges of the current user.
The vulnerability exists due to improper validation of the domain used
to download and execute applications from. The vulnerable code always
ZDI-10-077: Adobe Download Manager Atlcom.get_atlcom ActiveX Control Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-077
April 21, 2010
-- CVE ID:
CVE-2010-1278
-- Affected Vendors:
Adobe
Security researcher Jeremy Brown reported that the file naming scheme
used for downloading a file which already exists in the downloads
folder is predictable. If an attacker had local access to a victim's
computer and knew the name of a file the victim intended to open
through the Download Manager, he could use this vulnerability to
place a malicious file in the world-writable directory used to save
temporary downloaded files and cause the browser to choose the
incorrect file when opening it. Since this attack requires local
access to the victim's machine, the severity of this vulnerability
was determined to be low (CVE-2009-3274).
A vulnerability has been discovered in Internet Download Manager, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to the application loading libraries in an insecure manner.
The list of libraries loaded is as follows:
• Schannel.dll
This can be exploited to load arbitrary libraries by tricking a user into e.g. opening an HTML file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in Internet Download Manager version 5.18.4 for Microsoft Windows XP Service Pack 3. Other versions may also be affected.
Yorick Koster, April 2009
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
APSB10-08 [2] Security update available for Adobe Download Manager
CVE-2010-0189 [3]
02.23.10 [4] Multiple Vendor NOS Microsystems getPlus Downloader Input
Validation Vulnerability
Aviv Raff On .NET: [5] Skeletons in Adobe's security closet
Things could be more or less silent, lethal or non-lethal... it is
completely up to you. Things cannot get much simpler than this :)
Tested on Windows XP SP3 + Adobe Acrobat 9.1.2 (installed from adobe's
download manager, then updated).
Where: From remote
======================================================================
3) Vendor's Description of Software
"Orbit Downloader, leader of download manager revolution, is devoted
to new generation web (web2.0) downloading, such as video/music/
streaming media from Myspace, YouTube, Imeem, Pandora, Rapidshare,
support RTMP. And to make general downloading easier and faster.".
Product Link: http://www.orbitdownloader.com/
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite
files with the privileges of the user invoking the program. (CVE-2009-3274)
Paul Stone discovered a flaw in the Firefox form history. If a user were
tricked into viewing a malicious website, a remote attacker could access this
Where: Remote
======================================================================
3) Vendor's Description of Software
"Orbit Downloader, leader of download manager revolution, is devoted
to new generation web (web2.0) downloading, such as
video/music/streaming media from Myspace, YouTube, Imeem, Pandora,
Rapidshare, support RTMP. And to make general downloading easier and
faster.".
the HTTP "referer", a malicious web page can cause files from
arbitrary URLs to be downloaded and executed.
The Red Swoosh client can be installed manually by visiting the
Akamai website. However, more interestingly, it can also be silently
installed by the Akamai Download Manager if a download requests Red
Swoosh should be used. Once installed, the service or application
will run on startup.
The malicious file to be downloaded and executed can potentially be
served by the Red Swoosh network alleviating any bandwidth issues on
* Josh Bressers of Red Hat reported an untrusted search path
vulnerability (CVE-2008-4815).
* Peter Vreugdenhil reported through iDefense that the Download
Manager can trigger a heap corruption via calls to the AcroJS
function (CVE-2008-4817).
Impact
======
Where: Remote
======================================================================
3) Vendor's Description of Software
"KGet is the download manager for KDE".
Product Link:
http://www.kde.org/applications/internet/kget/
======================================================================
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Product
JDownloader[1] is an open source download manager for One-Click-
Filehoster like Rapidshare or Megaupload. The Click'n'Load[2] interface
allows external applications and websites to send URLs to the local
running JDownloader. With Click'n'Load2 [3] it is possible to send
AES-CBC encrypted URLs (for some kind of link 'obfuscation').
The encrypted payload _and_ key are sent with an HTTP-POST submit on