akamai-downloadmanager.txt
Posted Jun 5, 2008
Authored by cocoruder | Site ruder.cdut.net

A parameter injection vulnerability exists in Akamai Download Manager. By exploiting it, a remote attacker can make a user download an arbitrary file and save it to an arbitrary location when the user visits a malicious web page. An attacker who successfully exploits this vulnerability can therefore run arbitrary code on the affected system. Akamai Download Manager ActiveX control version 2.2.3.5 is affected.

tags | advisory, remote, web, arbitrary, activex
advisories | CVE-2008-1770
SHA-256 | 902f16a639acb0caf6e7858f4b2ecb43999eac24dfc531821022e19dc957cfc0

Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

by cocoruder(frankruder@hotmail.com)
http://ruder.cdut.net


Summary:

A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting it, a remote attacker can make a user
download an arbitrary file and save it to an arbitrary location
when the user visits a malicious web page. An attacker who
successfully exploits this vulnerability can therefore run
arbitrary code on the affected system.


Affected Software Versions:

Akamai Download Manager ActiveX Control 2.2.3.5



Details:

The file "http://dlm.tools.akamai.com/tools/upgrade.html" is a
sample that calls this ActiveX control. Its parameter is set as
follows:

<PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt">

Then the value of "URL" is set.

However, if we inject other characters into "URL", the value is
still parsed. For example:

<PARAM name="URL"
value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net">

Since the parameter values set by ActiveX are saved in a temporary
file in INI file format, the injected line feed (\x0A) starts a new
line in that file, and in this manner the value of "referer" is
changed.

In addition, the parameter "target" is used to set the location of
the downloaded file. It has the following meanings:

"DESKTOP" the file will be saved on the desktop
"AUTO" the file will be saved in Temporary Internet Files
"" ask the user to choose the saving location

Normally the value of "target" can only be set to one of the above
three values; any other value is filtered.

Nevertheless, the parameter injection vulnerability can set the
value of "target" arbitrarily. If the value is a valid file path,
Akamai Download Manager will download the target file directly to it
without any interaction with the user. As a result, attackers can
construct a malicious web page that downloads a file they control to
any location on the user's system.

One possible attack is to download a trojan into the
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
directory, so that it is executed the next time the user logs in to
the system.
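
The injection described above, as an added example that is not part of the original advisory or of Akamai's code: a writer that stores values verbatim in an INI-style file lets an LF inside "URL" create "referer" and "target" lines, bypassing the set-time filter on "target". The file layout, function names, last-key-wins parsing and the constructed path are assumptions; the hardened writer and reader show two places to stop it.

```python
# Added illustration. Key names (URL, referer, target) and the three allowed
# target values come from the advisory; the file layout, function names and
# last-key-wins parsing are assumptions.
ALLOWED_TARGETS = {"DESKTOP", "AUTO", ""}

# Constructed input: the advisory's URL value with an LF, plus an injected target.
INJECTED_URL = ("http://dlm.tools.akamai.com/tools_files/Readme.txt"
                "\x0Areferer=http://ruder.cdut.net"
                "\x0Atarget=C:\\constructed\\out.bin")

def filter_target(value):
    """Set-time filter: anything but the three documented values is dropped."""
    return value if value in ALLOWED_TARGETS else ""

def write_ini_naive(params):
    """Flawed pattern: values are written verbatim, one key=value per line."""
    return "".join(f"{k}={v}\n" for k, v in params.items())

def write_ini_strict(params):
    """Hardened writer: reject CR, LF and other control characters in values."""
    for key, value in params.items():
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"control character in parameter {key!r}")
    return write_ini_naive(params)

def parse_ini(text):
    """Line-based reader; a later key overrides an earlier one (assumed)."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value
    return settings

def load_settings(text):
    """Hardened reader: re-check target against the allowlist at point of use."""
    settings = parse_ini(text)
    if settings.get("target", "") not in ALLOWED_TARGETS:
        raise ValueError("target outside allowlist")
    return settings

if __name__ == "__main__":
    params = {"target": filter_target("DESKTOP"), "URL": INJECTED_URL}
    print(parse_ini(write_ini_naive(params)))   # injected keys override
    try:
        write_ini_strict(params)
    except ValueError as exc:
        print("rejected:", exc)
```

Validating only when a parameter is set is not enough once values cross a serialization boundary; the check has to be repeated on the value that is actually read back.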



How to Reproduce:

An example exploit is available on:

http://ruder.cdut.net/attach/Akamai_DM_Vul/Akamai_DM_Vul_Exploit.html

This exploit will download the following file to your "Startup"
directory with a new name "calc_run.exe":

http://ruder.cdut.net/attach/calc.exe

MD5 Hash:E3FCB903305F8EE5551EA66F5C096737



Solution:

The fixed version is 2.2.3.7. Please update your Akamai Download
Manager via the following URL:

http://dlm.tools.akamai.com/tools/upgrade.html

Akamai has released an advisory for this vulnerability, which is
available at:

http://www.securityfocus.com/archive/1/493077/30/0/threaded



CVE Information:

CVE-2008-1770



Disclosure Timeline:

2008.04.02 Vendor notified via email
2008.04.03 Vendor responded
2008.04.22 The vendor sent me the new edition of the product
2008.04.22 Confirmed the vulnerability had been fixed correctly
2008.05.12 The vendor had released the fixed edition silently, and did not inform me or release a public advisory
2008.05.12 Asked them for the reason
2008.05.12 Vendor replied: "Once we are sure that all of our customers have been given the opportunity to upgrade, we will post a public advisory"
2008.05.12 Decided to give them a maximum of two weeks for pushing the patch
2008.06.02 Sent a warning of the coming independent advisory, and asked the vendor to join us
2008.06.02 Vendor asked for an additional 48 hours for coordinated public disclosure
2008.06.04 Coordinated vulnerability disclosure



--EOF--
