Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

by cocoruder([email protected])
http://ruder.cdut.net

Summary:

A parameter injection vulnerability exists in Akamai Download

Manager. By exploiting this vulnerability, the remote attacker can
make the users to download arbitrary file, and save it to arbitrary
location while they are visiting a vicious web page. It means an
attacker who successfully exploits this vulnerability can run
arbitrary code on the affected system.

Affected Software Versions:

Akamai Download Manager ActiveX Control 2.2.3.5

Details:

The file "http://dlm.tools.akamai.com/tools/upgrade.html" is a

sample that calls this ActiveX Control, its parameter is set as
follows:

    <PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt">

Then the value of "URL" is set.

However, if we inject other characters to "URL", it also could be

parsed correctly. For example:

    <PARAM name="URL"

value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net">

Since the parameter values set by ActiveX are saved in a temporary

file as INI file format, in the above manner the value of "referer"
will be changed.

In addition, the parameter "target" is used to setting the

loacation of the downloaded file, it has following meanings:

    "DESKTOP"                the file will be saved on the desktop
    "AUTO"                   the file will be saved in Temporary Internet Files
    ""                       ask the user to choose the saving location

Normally the value of "target" can only be set as the above three

values, any other values will be filtered.

Nevertheless, the parameter injection vulnerability can set the

value of "target" arbitrarily, if the value is a valid file path,
Akamai Download Manager will download the target file directly in it
without any interaction with users. As a result, attackers can
construct a vicious web page to download a file that could be
controled to any location of the user's system.

One of the possible ways of attacking is to download the trojan in

"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
directory, then it will be executed when next time the user logs in to
the system.

How to Reproduce:

An example exploit is available on:

http://ruder.cdut.net/attach/Akamai_DM_Vul/Akamai_DM_Vul_Exploit.html

This exploit will download the following file to your "Startup"

directory with a new name "calc_run.exe":

http://ruder.cdut.net/attach/calc.exe

MD5 Hash:E3FCB903305F8EE5551EA66F5C096737

Solution:

The fixed version is 2.2.3.7, please update your Akamai Download

Manager via the following url:

http://dlm.tools.akamai.com/tools/upgrade.html

Akamai has released an advisory for this vulnerability which is

available on:

http://www.securityfocus.com/archive/1/493077/30/0/threaded

CVE Information:

CVE-2008-1770

Disclosure Timeline:

2008.04.02        Vendor notified via email
2008.04.03        Vendor responded
2008.04.22        The vendor sent me the new edition of the product
2008.04.22        Confirmed the vulnerability had been fixed correctly
2008.05.12        The vendor had released the fixed edition

silently, and did not inform me or release public advisory
2008.05.12 Asked them for the reason
2008.05.12 Vendor replied: "Once we are sure that all of
our customers have been given the opportunity to upgrade, we will post
a public advisory"
2008.05.12 Decided to give the maximum of two weeks to them
for pushing the patch
2008.06.02 Sent a warning of the coming independent
advisory, and asked the vendor to join us
2008.06.02 Vendor asked for an additional 48 hours for
coordinated public disclosure
2008.06.04 Coordinated vulnerability disclosure

–EOF–