Internet Download Manager 6.41 Build 3 Man-In-The-Middle

Posted Nov 16, 2022
Authored by M. Akil Gündoğan

Internet Download Manager version 6.41 Build 3 suffers from a man-in-the-middle vulnerability that can enable an attacker to execute code on the victim's system.

tags | exploit
SHA-256 | c91e3d887c068869ed07efa29c9e1304cc683d984cd8274cd1ef8940678521d0

# Vulnerability Title: Internet Download Manager v6.41 Build 3 "Remote Code Execution via MITM" Vulnerability
# Date: 15.11.2022
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.internetdownloadmanager.com/
# Software Link: https://mirror2.internetdownloadmanager.com/idman641build3.exe?v=lt&filename=idman641build3.exe
# Version: v.6.41 Build 3
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/0djlanUbfY4

Vulnerability Description:
---------------------------------------
Some help files are missing in non-English versions of Internet Download Manager. Localized help files with the
".chm" extension are downloaded from the internet, then run and displayed to the user. This download is
done over HTTP, which is an insecure protocol. An attacker on the local network can spoof traffic with a MITM attack and
replace the ".chm" help files with malicious ".chm" files. IDM runs ".chm" files automatically after downloading them.
This allows the attacker to execute code remotely.

IDM also uses HTTP to check for and download updates. The attacker can send a fake update as if a new update were available for the victim's system.

Since we preferred to use Turkish IDM, our target address in the MITM attack was "http://www.internetdownloadmanager.com/languages/tut_tr.chm".

Requirements:
---------------------------------------
The attacker and the victim must be on the same local network.
The victim using the computer must have a user account with administrative privileges on the system. The attacker does not need to have administrator privileges!

Steps to reproduce:
---------------------------------------
1 - The attacker prepares a malicious CHM file. You can read the article at "https://sevenlayers.com/index.php/316-malicious-chm" for that.
2 - A MITM attack is made against the target using Ettercap or Bettercap.
3 - The domains "internetdownloadmanager.com" and "*.internetdownloadmanager.com" are redirected to the attacker machine with DNS spoofing.
4 - A web server is run on the attacking machine, the "languages" directory is created, and the malicious ".chm" file with the
same name (tut_tr.chm, or the file for whichever language you are using) is placed in it.
5 - When the victim opens Internet Download Manager and clicks the "Tutorials" button, the download starts and the malicious ".chm" file runs automatically when it finishes.

Advisories:
---------------------------------------
Developers should stop using insecure HTTP in their update and download modules. In addition, downloaded files
should not be run automatically; additional warning messages should be displayed to users.
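
The two recommendations above expressed as a pre-open gate for downloaded help files. This is an added example, not IDM's or the author's code; the pinned-digest manifest, the function name `vet_help_download` and the sample bytes are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample: "ITSF" is the signature at the start of a CHM container.
SAMPLE_CHM = b"ITSF" + b"\x03\x00\x00\x00" + b"constructed help content"

# Assumption: the vendor ships SHA-256 digests of its help files with the
# installer. This manifest is hypothetical and built from the sample above.
PINNED = {"tut_tr.chm": hashlib.sha256(SAMPLE_CHM).hexdigest()}
VENDOR_DOMAIN = "internetdownloadmanager.com"


def vet_help_download(url, body, pinned=PINNED):
    """Return (ok, reason) for a downloaded help file.

    ok=True only means the file may be offered to the user behind a
    confirmation prompt; nothing here opens it automatically.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    name = parts.path.rsplit("/", 1)[-1]

    # Plaintext HTTP gives a local-network attacker control of the body.
    if parts.scheme != "https":
        return False, "plaintext transport"
    # Exact domain or a true subdomain; rejects look-alike suffixes.
    # DNS spoofing still passes this check, so it is not sufficient alone:
    # TLS certificate validation and the digest below carry the weight.
    if host != VENDOR_DOMAIN and not host.endswith("." + VENDOR_DOMAIN):
        return False, "unexpected host"
    if name not in pinned:
        return False, "no pinned digest"
    if not body.startswith(b"ITSF"):
        return False, "not a CHM container"
    if hashlib.sha256(body).hexdigest() != pinned[name]:
        return False, "digest mismatch"
    return True, "verified; prompt user before opening"


if __name__ == "__main__":
    http_url = "http://www.internetdownloadmanager.com/languages/tut_tr.chm"
    https_url = "https://www.internetdownloadmanager.com/languages/tut_tr.chm"
    print(vet_help_download(http_url, SAMPLE_CHM))
    print(vet_help_download(https_url, b"ITSF" + b"replaced content"))
    print(vet_help_download(https_url, SAMPLE_CHM))
```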

Special thanks: p4rs, ratio, blackcode, zeyd.can and all friends.
---------------------------------------