------------------------------------------------------------------------
Akamai Download Manager arbitrary file download & execution
------------------------------------------------------------------------
Yorick Koster, April 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
Thanks to Rafal Wojtczvk of McAfee for identifying and reporting
these issues.
ESX
---
VMware ESX 3.0.1 Download Patch Bundle ESX-8258730
http://www.vmware.com/support/vi3/doc/esx-8258730-patch.html
md5sum a06d0e36e403b0fe6bc6fbc76220a86d
VMware ESX 3.0.0 Download Patch Bundle ESX-4809553
http://www.vmware.com/support/vi3/doc/esx-4809553-patch.html
entitled Chromium, in 2008. Google Chrome is best known for its fast speed,
simplicity and reliability.
IV. DESCRIPTION
-------------------------
Google Chrome has an inbuilt file downloader[1], just like every other
browser. However, the behavior of this function is different from other
browsers and provides users much more usability and convenience. Chrome
automatically downloads a file from any site that is passed using the
Content-Disposition header value "attachment" (on the contrary, all other
browsers show a save as dialog). There are some mitigations done by Chrome
When the Cisco AnyConnect Secure Mobility Client is deployed from the
VPN headend, an SSL connection is initiated to the VPN headend using
a web browser. After the user logs in, the browser displays a portal
window and when the user clicks the "Start AnyConnect" link, the
process of downloading the Cisco AnyConnect Secure Mobility Client
begins. This action causes the browser to first download a "helper"
application that aids in downloading and executing the actual Cisco
AnyConnect Secure Mobility Client. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
Yorick Koster, April 2009
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
APSB10-08 [2] Security update available for Adobe Download Manager
CVE-2010-0189 [3]
02.23.10 [4] Multiple Vendor NOS Microsystems getPlus Downloader Input
Validation Vulnerability
Aviv Raff On .NET: [5] Skeletons in Adobe's security closet
Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability
by cocoruder(frankruder@hotmail.com)
http://ruder.cdut.net
Summary:
A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting this vulnerability, the remote attacker can
Hello Bugtraq!
I want to warn you about File Download and Denial of Service vulnerabilities
in Mozilla Firefox, Internet Explorer, Google Chrome and Opera. Earlier I
wrote about DoS vulnerabilities in different browsers via different
protocol handlers. Now I'll tell you about research on attacks via the
http and ftp protocols, which I did in 2008 and published on
30.06.2010.
-----------------------------
Browse to http://www.hp.com and do the following:
Select "Support & Drivers"
In Step 1 select "Download drivers and software (and firmware)"
In Step 2 enter one of the following:
HP LaserJet 4345 Multifunction Printer series
HP Color LaserJet 4730 Multifunction Printer series
HP LaserJet 9040/9050 Multifunction Printer series
Akamai Technologies Security Advisory 2009-0001
* Akamai ID: 2009-0001
* Date: 2009/23/20
* Product Name: Download Manager
* Affected Versions: < 2.2.4.8
* Fixed Version: 2.2.4.8
* CVE IDs: {TBD}
* CVSS Base Score: (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) 8.0
> > case the browser issues multiple requests for the
> > same file.
>
> No, the thing to do here is a one-time, limited
> duration key. When the browser first hits the
> download page using the key, the user is assigned
> an internal session by the file download site, and
> the one-time key is voided. No replay attacks. The
> internal session is used for all subsequent
> requests. And the key is limited in duration
> (maybe a minute), so if the user's browser dies or
Akamai Technologies Security Advisory 2008-0001
* Akamai ID: 2008-0002
* Date: 2008/04/20
* Product Name: Download Manager
* Affected Versions: < 2.2.3.6
* Fixed Version: 2.2.3.7
* CVE IDs: CVE-2008-1770
* CVSS Base Score: (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) 8.0
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 30, 2008
I. BACKGROUND
Akamai Download Manager is an integral component of Akamai's global
distribution service. It is used to deliver large files quickly and
reliably to users around the world. It has been used by vendors such as
Symantec and Microsoft to provide downloads to the public.
Akamai provides both an ActiveX and a Java based Download Manager. If a
======================================================================
Secunia Research 13/05/2010
- Free Download Manager metalink "name" Directory Traversal -
======================================================================
Table of Contents
Affected Software
I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted. I do not know of a 'nix based tool for access to the db. If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straightforward. If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.
From: Rohit Patnaik [mailto:quanticle@gmail.com]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
This vulnerability impacts only Linux and HP platforms.
Status and Recommendation:
The most prudent course of action for affected customers is to
download and apply the corrective maintenance. However, updates
are provided only for the following releases: 2.6 and r3
Important: Customers using products that embed an earlier version
of Ingres r3 should upgrade Ingres to the release that is
currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX
number of related authentication requests. The user adds the URLs of
trusted Web sites to this zone.
* Internet Zone: for Web sites on the Internet that do not belong to
another zone. This default setting causes Internet Explorer to prompt
the user whenever potentially unsafe content is about to be downloaded.
Web sites that are not mapped into other zones automatically fall into
this zone.
* Restricted Sites Zone: used for Web sites that contain content that
can cause (or have previously caused) problems when downloaded. This
About:
Easy File Sharing Web Server is an extremely popular web-based file sharing application that has been in use for years.
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web server.
Customers use a built-in interface to point to files they wish to publish via a menu-driven web application (typically full drives or directories). Files can be shared anonymously, or via EFSWS's built-in user management. EFSWS has built-in SSL encryption to prevent logons from being sent in the clear (as well as all other access). Users log in, and are presented with a menu of files that have been published and that are made available for download.
EFSWS uses the MGH Software "myDB" database plug-in to store db information such as file location, user information (password in the clear), files, forum information, etc. A free db parser is available at:
http://www.mghsoft.com/
Please see vendor site and db engine site for more details.
NOTE: The SMA must have all pertinent SMA Service Packs applied
Windows 2000 Update Rollup 1
Customers are advised to download and install the Windows 2000 Update Rollup 1 for Service Pack 4 on SMA v2.1. For more information please refer to the Windows 2000 Update Rollup 1 for Service Pack 4 and Storage Management Appliance v2.1 advisory at the following website: http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&lang=en&cc=us&docIndexId=179111&taskId=101&prodTypeId=12169&prodSeriesId=315667
Windows 2000 Update Rollup 1 for SP4 does not include security updates released after April 30, 2005 starting from MS05-026. It also does not include patches MS04-003 and MS04-028. Please install these patches in addition to Windows 2000 Update Rollup 1 for SP4, if they have not been installed already
RESOLUTION
HP strongly recommends the immediate installation of all security patches that apply to third party software which is integrated with SMA software products supplied by HP, and that patches are applied in accordance with an appropriate patch management policy.
PHP-Nuke v8.1 FINAL
http://phpnuke.org/
./html/mainfile.php starting on line 1574
PHP-Nuke v7.0
download:
http://sourceforge.net/project/showfiles.php?group_id=7511&package_id=7622&release_id=213152
in:
./html/admin.php line 111 in function gfx()
and:
./modules/Your_Account/index.php line 489 in function gfx()
======================================================================
Secunia Research 19/05/2010
- Orbit Downloader metalink "name" Directory Traversal -
======================================================================
Table of Contents
Affected Software
FYI - I tried your example file and by default nothing worked on Windows 7. The "loading and embedded file" says "this file is blocked", the file spawn requires a script prompt with an "automation error" after that, the Windows Control Panel didn't launch at all, the files required me to save them, etc.
The text from the uri handler did work, but I'm not sure what the ramifications of that are. Oh, the Action Panel did show up.
I agree this isn't an "exploit" but I guess it is somewhat interesting. Of course, downloading random .chm files is akin to downloading any remote content-rendering document, except that .chm won't automatically run from the internet in the first place, even with your rendering code in it that must be accepted by the user to load in the first place.
As such (again, notwithstanding the mild interest around it) I'm confused by the "This was the response I expected" comment because if I read it right, it sounds as if you are being condemning for some reason. Are you saying "this is the response I expected" because it is the correct response and you are aware of what would be required to push out supported hotfixes for low impact issues, or are you saying "this is the response I expected" because you somehow think it SHOULD be hotfixed, but is not, and that is "typical" (as in "irresponsible") or something like that?
It actually brings up a question that I find more interesting than the issue itself, which is "how far is too far?" If MSFT designs a system around identifying files sourced from different zones in an attempt to mitigate risk of end-users downloading unknown content and immediately executing it, how far beyond user-acknowledgment and feature disabling (as even your "bypass" example shows) do you think a vendor is supposed to go (Not YOU, but the royal "you")?
> > neglects to log out, and is using a laptop, and
> > the laptop is stolen (even if turned off), the
> > thief can access the file from the history until
> > the login session times out.
>
> Is the thought that once downloaded, the user is storing the file
> securely on the hard drive? If not, then I think the attacker will simply
> lift the file off the laptop rather than trying to re-download the file
> again.
Well, the user could have deleted the file. But
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Orbit Downloader "Download failed" buffer overflow
*Advisory Information*
Title: Orbit Downloader "Download failed" buffer overflow
Cisco Unified Communications Manager software version 4.2(3)SR4b
contains the fix for this vulnerability. Administrators of Cisco
Unified CallManager software version 4.1 systems are encouraged to
upgrade to Cisco Unified Communications Manager software version 4.2
(3)SR4b in order to obtain fixed software. Version 4.2(3)SR4b can be
downloaded at the following link:
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
Cisco Unified Communications Manager software version 4.3(2)SR1b
contains the fix for this vulnerability. Version 4.3(2)SR1b can be
Multiple Vulnerabilities found in Rapidleech
1. General Information
Rapidleech is a Web based application supporting file upload and download on
the Internet, especially files from popular sites such as rapidshare.com,
megaupload.com, depositfiles.com.
On March 03, 2009, Bkis has detected several vulnerabilities in the upload
function of Rapidleech. These are highly critical vulnerabilities, allowing
======================================================================
Secunia Research 30/04/2010
- Internet Download Manager FTP Buffer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software
* Local Intranet Zone: for content located on an organization's
intranet.
* Trusted Sites Zone: for content located on Web sites that are
considered more reputable or trustworthy than other sites on the Internet.
* Restricted Sites Zone: for Web sites that contain content that
can cause (or have previously caused) problems when downloaded.
* Local Machine Zone: an implicit zone for content that
exists on the local computer; it is not directly configurable through
Internet Explorer security options by the user.
Internet Explorer users or Administrators can assign specific websites