{"cve": [{"lastseen": "2017-09-19T13:36:50", "bulletinFamily": "NVD", "description": "A certain ActiveX control in NOS Microsystems getPlus Download Manager (aka DLM or Downloader) 1.5.2.35, as used in Adobe Download Manager, improperly validates requests involving web sites that are not in subdomains, which allows remote attackers to force the download and installation of arbitrary programs via a crafted name for a download site.", "modified": "2017-09-18T21:30:16", "published": "2010-02-23T15:30:00", "id": "CVE-2010-0189", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0189", "title": "CVE-2010-0189", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:10:23", "bulletinFamily": "scanner", "description": "The remote Windows host has a version of Adobe Download Manager\nearlier than 1.6.2.63 installed. Such versions are potentially\naffected by a vulnerability that allows an attacker to download and\ninstall unauthorized software onto a user's system.", "modified": "2018-11-15T00:00:00", "published": "2010-03-01T00:00:00", "id": "ADOBE_DOWNLOAD_MANAGER_APSB10-08.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44939", "title": "Adobe Download Manager Arbitrary File Download (APSB10-08)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude (\"compat.inc\");\n\nif (description)\n{\n script_id(44939);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2010-0189\");\n script_bugtraq_id(38313);\n\n script_name (english:\"Adobe Download Manager Arbitrary File Download (APSB10-08)\");\n script_summary (english:\"Checks the version of getPlusPlus_Adobe.exe\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a download manager installed that is prone\nto an arbitrary file download vulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Adobe Download Manager\nearlier than 1.6.2.63 installed. Such versions are potentially\naffected by a vulnerability that allows an attacker to download and\ninstall unauthorized software onto a user's system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb10-08.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blogs.adobe.com/psirt/2010/02/security_update_released_for_t.html/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/509720/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either upgrade to Adobe Download Manager version 1.6.2.63 or uninstall\nthe application.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/03/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:download_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n 
exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\nlist = get_kb_list(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName\");\nif (isnull(list)) exit(1, \"The 'SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall' KB items are missing.\");\n\ninstallstring = NULL;\nforeach name (keys(list))\n{\n prod = list[name];\n if (prod && 'Adobe Download Manager' >< prod)\n {\n installstring = ereg_replace(pattern:\"^SMB\\/Registry\\/HKLM\\/(SOFTWARE\\/Microsoft\\/Windows\\/CurrentVersion\\/Uninstall\\/.+)\\/DisplayName$\", replace:\"\\1\", string:name);\n installstring = str_replace(find:\"/\", replace:\"\\\", string:installstring);\n }\n}\nif (isnull(installstring)) exit(0, \"No evidence of Adobe Download Manager was found in the registry.\");\n\n#Connect to the appropriate share\nname = kb_smb_name();\nport = kb_smb_transport();\n#if (!get_port_state(port)) exit(0);\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n#soc = open_sock_tcp(port);\n#if (!soc)\n# exit(1, \"Could not open socket to port \"+port+\".\");\n\n#session_init(socket:soc, hostname:name);\n\nif(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to the remote registry.\");\n}\n\n# Determine where it's installed.\npath = NULL;\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nkey_h = RegOpenKey(handle:hklm, key:installstring, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n item = RegQueryValue(handle:key_h, item:\"InstallLocation\");\n if (!isnull(item)) path = item[1];\n\n RegCloseKey(handle:key_h);\n}\nRegCloseKey(handle:hklm);\n\nif (isnull(path))\n{\n NetUseDel();\n exit(1, \"The Adobe Download Manager install location could not be found in the 
registry.\");\n}\nNetUseDel(close:FALSE);\n\n\n# Determine the version from the executable.\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\nexe = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\getPlusPlus_Adobe.exe\", string:path);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to '\"+share+\"' share.\");\n}\n\nfh = CreateFile(\n file:exe,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\n\n# Grab the version number if the file was opened successfully.\nif (isnull(fh))\n{\n NetUseDel();\n exit(0, \"Unable to access Adobe Download Manager executable : \" + exe);\n}\n\nversion = GetProductVersion(handle:fh);\nCloseFile(handle:fh);\nif (isnull(version)) exit(1, \"Failed to get file version of '\"+exe+\"'.\");\n\nversion = ereg_replace(string:version, pattern:',', replace:'.');\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n ver[0] < 1 ||\n (\n ver[0] == 1 &&\n (\n ver[1] < 6 ||\n (\n ver[1] == 6 &&\n (\n ver[2] < 2 ||\n (ver[2] == 2 && ver[3] < 63)\n )\n )\n )\n )\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n' +\n 'Product : Adobe Download Manager\\n' +\n 'Path : ' + path + '\\n' +\n 'Installed version : ' + version + '\\n' +\n 'Fixed version : 1.6.2.63\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port:port);\n exit(0);\n}\nexit(0, \"Adobe Download Manager version \"+version+\" is installed and thus not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:14:25", "bulletinFamily": "exploit", "description": "CVE-2010-0189\r\n\r\nA vulnerability has been identified in Adobe Download Manager, which could be exploited by remote attackers to 
compromise a vulnerable system. This issue is caused by an error when processing URLs, which could be exploited by attackers to download and install unauthorized software onto a vulnerable system by tricking a user into following a specially crafted link or visiting a malicious web page.\r\n\r\nNote : The Adobe Download Manager is automatically installed when downloading Adobe Reader for Windows or Adobe Flash Player for Windows from Adobe's website, however, it is designed to remove itself from the computer after use at the next computer restart.\n\nAdobe Download Manager on Windows (prior to February 23, 2010)\nRestart the system or manually uninstall Adobe Download Manager :\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-08.html", "modified": "2010-02-25T00:00:00", "published": "2010-02-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19181", "id": "SSV:19181", "title": "Adobe Download Manager File Download and Execution Vulnerability", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "securityvulns": [{"lastseen": "2018-08-31T11:10:33", "bulletinFamily": "software", "description": "iDefense Security Advisory 02.23.10\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nFeb 23, 2010\r\n\r\nI. BACKGROUND\r\n\r\nThe getPlus Downloader is an application download and installation\r\nmanager, distributed in the form of an ActiveX control. This control is\r\nused by Adobe Systems Inc. to install Adobe Reader through the Adobe\r\nwebsite when Internet Explorer is used. Part of the functionality of\r\nthe getPlus Downloader is to download and execute applications from\r\npreconfigured sites; in the case of Adobe, from adobe.com and its\r\nsubdomains. For more information, see the vendor's site found at the\r\nfollowing link.\r\n\r\nhttp://www.nosltd.com/index.php?option=com_content&task=view&id=38&Itemid=26\r\n\r\nII. 
DESCRIPTION\r\n\r\nRemote exploitation of an input validation vulnerability in NOS\r\nMicrosystems Ltd.'s getPlus Download Manager, as used by Adobe and\r\npotentially other vendors, could allow an attacker to execute arbitrary\r\ncode with the privileges of the current user.\r\n\r\nThe vulnerability exists due to improper validation of the domain used\r\nto download and execute applications from. The vulnerable code always\r\nassumes that the domain being validated is a subdomain, which can lead\r\nto a logic error when comparing the valid domain and the requested\r\ndomain.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability results in the execution of arbitrary\r\ncode with the privileges of the user viewing the web page. To exploit\r\nthis vulnerability, a targeted user must load a malicious webpage\r\ncreated by an attacker. An attacker typically accomplishes this via\r\nsocial engineering or injecting content into compromised, trusted\r\nsites. After the user visits the malicious web page, no further user\r\ninteraction is needed.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability in getPlus\r\nversion 1.5.2.35 as distributed by Adobe. The Adobe Download Manager on\r\nWindows (prior to February 23, 2010) has been confirmed vulnerable by\r\nAdobe.\r\n\r\nV. WORKAROUND\r\n\r\nSetting the killbit for CLSID 'CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7'\r\nwill prevent this control from loading in Internet Explorer.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nAdobe Systems Inc. has released a solution which addresses this issue.\r\nInformation about downloadable vendor updates can be found by clicking\r\non the URLs shown.\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-08.html\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2010-0189 to this issue. 
This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n06/09/2009 Initial Vendor Notification\r\n06/09/2009 Initial Vendor Reply\r\n02/23/2010 Coordinated Public Disclosure\r\n\r\nIX. CREDIT\r\n\r\nThis vulnerability was reported to iDefense by Yorick Koster.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2010 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. 
Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "modified": "2010-02-25T00:00:00", "published": "2010-02-25T00:00:00", "id": "SECURITYVULNS:DOC:23294", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23294", "title": "iDefense Security Advisory 02.23.10: Multiple Vendor NOS Microsystems getPlus Downloader Input Validation Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:33", "bulletinFamily": "software", "description": "------------------------------------------------------------------------\r\ngetPlus insufficient domain name validation vulnerability\r\n------------------------------------------------------------------------\r\nYorick Koster, April 2009\r\n\r\n------------------------------------------------------------------------\r\nSee also\r\n------------------------------------------------------------------------\r\nAPSB10-08 [2] Security update available for Adobe Download Manager\r\nCVE-2010-0189 [3]\r\n02.23.10 [4] Multiple Vendor NOS Microsystems getPlus Downloader Input\r\nValidation Vulnerability\r\nAviv Raff On .NET: [5] Skeletons in Adobe's security closet\r\n\r\n------------------------------------------------------------------------\r\nTested version\r\n------------------------------------------------------------------------\r\nThese vulnerabilities were tested on Adobe's version of getPlus\r\nversion 1.5.2.35 on Windows XP SP3.\r\n\r\n------------------------------------------------------------------------\r\nFix\r\n------------------------------------------------------------------------\r\nA new version of Adobe Download Manager (version 1.6.2.63) was released\r\nthat resolves this 
issue.\r\n\r\n------------------------------------------------------------------------\r\nIntroduction\r\n------------------------------------------------------------------------\r\ngetPlus [6] from NOS Microsystems [7] is a download, upload, and\r\ninstallation manager. It contains functions such as an advanced download\r\nbasket, checksum verification, automatic proxy and firewall\r\nverification, stop/pause/restart controls, a customizable GUI, statistic\r\ngathering tools, and incremental downloading.\r\n\r\ngetPlus comes with an ActiveX control for Internet Explorer. Adobe uses\r\ngetPlus to distribute Adobe Reader. Users that have installed Adobe\r\nReader from the Adobe website are likely to have this control installed\r\non their machine. The following example demonstrates how getPlus is\r\nstarted from Internet Explorer:\r\n\r\n<object id="GetActiveX"\r\nclassid="clsid:CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7"\r\ncodebase="http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab#Version=1,5,2,35"\r\ntype="application/x-oleobject" width="1" height="1">\r\n<param name="Service-URL"\r\nvalue="http://get.adobe.com/reader/webservices/dlm/" />\r\n<param name="itemid" value="860;941" />\r\n<param name="language" value="" />\r\n<param name="os" value="" />\r\n</object>\r\n\r\nThe Service-URL parameter specifies the URL from which additional\r\nconfiguration parameters are obtained, including the URL from which the\r\nexecutable can be obtained. The other parameters are appended to this\r\nURL and are used to supply additional information about the product that\r\nhas to be downloaded. The language and os parameters are automatically\r\nset by the ActiveX control if they are not provided. The parameter\r\nitemid is used to specify which product is to be downloaded. 
Multiple\r\nproducts (multiple downloads) can be supplied using semi colon\r\ncharacters between identifiers.\r\n\r\ngetPlus creates a URL based on the previously supplied parameters and it\r\nwill use this URL to download additional configuration parameters. For\r\nexample\r\nhttp://get.adobe.com/reader/webservices/dlm/?itemid=941&os=XPSP2&langid=en:\r\n\r\nexecute=1\r\nshowdest=0\r\nopenfolder=0\r\nprodname=Smart Checker\r\ndiskspace=75376\r\nchecksum=8f79795f330f1cadcbe0a55400715da3\r\nobject_url=http://ardownload.adobe.com/pub/adobe/acrobat/win/all/sgc15.exe\r\nsignoff_url=\r\ndependson=942\r\nrequired=1\r\nvisible=0\r\nparams=\r\nask_for_destination=0\r\nshow_finish_dialog=0\r\ndecompression_folder_shortcut=0\r\n\r\nThe parameter object_url contains a link to the file that has to be\r\ndownloaded. The checksum parameter is an MD5 hash of the file content.\r\nThe checksum is used to verify the file's integrity. With the\r\nparams parameter, it is possible to supply extra command line parameters\r\nto the executable.\r\n\r\nThe executable files shipped with getPlus are compressed using NOS'\r\nNOSSO technology. When executed, the compressed data is loaded with in\r\na memory segment called .nos.\r\n\r\n------------------------------------------------------------------------\r\nInsufficient domain name validation\r\n------------------------------------------------------------------------\r\nOnce the ActiveX control is installed, attackers might utilize this\r\ncontrol to install malicious software. To prevent this from happening,\r\ngetPlus verifies the URL before downloading and installing software from\r\nthis URL. In case of Adobe's version of getPlus, getPlus validates\r\nif the domain name in the URL ends with .adobe.com. 
If this is not the\r\ncase getPlus shows a warning message and will refuse to download the\r\nfile from the supplied URL.\r\n\r\nhttp://www.akitasecurity.nl/advisory/AK20090401/001_getplus_URL_not_allowed.png\r\nFigure 1: invalid domain name provided in URL\r\n\r\nThe code responsible for the validation of the domain name is located\r\n(after unpacking) in the .nos segment. A fragment of this assembly code\r\nis listed below:\r\n\r\n.nos:033B9B71 isDomainValid proc near\r\n.nos:033B9B71\r\n.nos:033B9B71 var_4 = dword ptr -4\r\n.nos:033B9B71 arg_0 = dword ptr 4\r\n.nos:033B9B71 arg_4 = dword ptr 8\r\n.nos:033B9B71 arg_8 = byte ptr 0Ch\r\n.nos:033B9B71\r\n.nos:033B9B71 push ecx\r\n.nos:033B9B72 push esi\r\n.nos:033B9B73 push edi\r\n.nos:033B9B74 push [esp+0Ch+arg_0]\r\n.nos:033B9B78 call sub_33C12CC ; strlen\r\n.nos:033B9B7D inc eax\r\n.nos:033B9B7E push eax\r\n.nos:033B9B7F call dword ptr loc_33B22FB+1 ; malloc\r\n.nos:033B9B85 mov esi, eax\r\n.nos:033B9B87 pop ecx\r\n.nos:033B9B88 test esi, esi\r\n.nos:033B9B8A pop ecx\r\n.nos:033B9B8B jz short loc_33B9BFA\r\n.nos:033B9B8D push [esp+0Ch+arg_0]\r\n.nos:033B9B91 mov [esp+10h+var_4], esi\r\n.nos:033B9B95 push (offset loc_33B606B+1)\r\n.nos:033B9B9A push esi\r\n.nos:033B9B9B call dword ptr loc_33B2418+4 ;\r\nwsprintfA\r\n\r\n[...]\r\n\r\nThe assembly code for this function roughly translates to the following\r\nC code:\r\n\r\n01: int isDomainValid(char *szUrl, char *szDomain, int bRemovePort)\r\n02: {\r\n03: size_t cbLen;\r\n04: char *psBuf;\r\n05: char *psTmp;\r\n06: char *psTmp2;\r\n07: \r\n08: cbLen = strlen(szUrl);\r\n09: cbLen++; // wrap possible, not exploitable in real world\r\n10: psBuf = malloc(cbLen);\r\n11: if(psBuf == NULL)\r\n12: {\r\n13: return 0;\r\n14: }\r\n15: \r\n16: wsprintfA(psBuf, "%s", szUrl);\r\n17: \r\n18: if(strlen(psBuf))\r\n19: {\r\n20: psTmp = psBuf;\r\n21: while(*psTmp)\r\n22: {\r\n23: if(*psTmp == '\\')\r\n24: {\r\n25: *psTmp = '/';\r\n26: }\r\n27: psTmp++;\r\n28: }\r\n29: }\r\n30: \r\n31: 
/* strip protocol from URL */\r\n32: if((psTmp = _mbsstr(psBuf, "://")) == NULL)\r\n33: {\r\n34: if((psTmp = _mbsstr(psBuf, ":\\\\")) == NULL)\r\n35: {\r\n36: free(psBuf);\r\n37: return 0;\r\n38: }\r\n39: }\r\n40: psTmp += 3;\r\n41: \r\n42: /* strip path from URL */\r\n43: if((psTmp2 = _mbschr(psTmp, '/')) == NULL)\r\n44: {\r\n45: free(psBuf);\r\n46: return 0;\r\n47: }\r\n48: psTmp2[0] = '\0';\r\n49: \r\n50: /* remove port number from URL */\r\n51: if(bRemovePort)\r\n52: {\r\n53: psTmp2 = _mbschr(psTmp, ':');\r\n54: if(psTmp2)\r\n55: {\r\n56: psTmp2[0] = '\0';\r\n57: }\r\n58: }\r\n59: \r\n60: /* validate domain name */\r\n61: if(_mbschr(szDomain, '.'))\r\n62: {\r\n63: cbLen = strlen(szDomain);\r\n64: psTmp2 = psTmp - cbLen;\r\n65: cbLen = strlen(psTmp);\r\n66: psTmp2 += cbLen;\r\n67: if(_mbsicmp(psTmp2, szDomain) != 0) // lowercase comparison\r\n68: {\r\n69: free(psBuf);\r\n70: return 0;\r\n71: }\r\n72: \r\n73: if(psTmp != (psTmp2 - 1))\r\n74: {\r\n75: if(psTmp2[-1] != '.')\r\n76: {\r\n77: free(psBuf);\r\n78: return 0;\r\n79: }\r\n80: }\r\n81: \r\n82: /* domain is accepted */\r\n83: return 1;\r\n84: }\r\n85: else\r\n86: {\r\n87: /* unreachable in Adobe's version */\r\n88: }\r\n89: \r\n90: return 0;\r\n91: }\r\n\r\nThe function takes the supplied URL (szUrl) and compares it with a\r\nstatic domain name value (szDomain), in this case adobe.com. It starts by\r\nextracting the domain name from the URL (lines 8 up to 59). After this,\r\nit checks whether the domain name ends with the supplied domain name\r\n(adobe.com). If this is the case, the function checks whether the\r\ncharacter before this part of the URL is the dot character (line 75).\r\nThis is done to check that the supplied domain name is a sub domain of\r\nthe static domain name value.\r\n\r\nThe function does not take into account that it is possible that the URL\r\ndoes not point to a sub domain. The function will fail if it receives a\r\nURL such as http://adobe.com/invalid_url/. 
Specifically, this error\r\nexists on line 73 through 75. The variable psTmp contains a pointer to\r\nthe full domain name. psTmp2 contains a pointer to the last part of the\r\ndomain name. Normally, psTmp2 - 1 points to a dot character, but in case\r\nof http://adobe.com/invalid_url/ it points to the last slash character\r\nof the protocol part of the URL.\r\n\r\nThe dot check is not performed if both psTmp and psTmp2 - 1 point to the\r\nsame string value. This is only possible for URLs that have the domain\r\nname set to ?adobe.com, where ? can be almost any character. For\r\nexample, aadobe.com, badobe.com, et cetera. If the URL\r\nhttp://aadobe.com/ is supplied, psTmp will point to aadobe.com, psTmp2\r\npoints to adobe.com and psTmp2 - 1 points to aadobe.com, thus psTmp ==\r\n(psTmp2 - 1). At the time of writing, (at least) the domain xadobe.com\r\nis still available:\r\n\r\n$ whois xadobe.com\r\n\r\nWhois Server Version 2.0\r\n\r\nDomain names in the .com and .net domains can now be registered\r\nwith many different competing registrars. Go to http://www.internic.net\r\nfor detailed information.\r\n\r\nNo match for "XADOBE.COM".\r\n>>> Last update of whois database: Fri, 10 Apr 2009 10:33:54 EDT <<<\r\n\r\n[...]\r\n\r\nAn attacker can register a domain name such as xadobe.com and use this\r\ndomain to download and execute any arbitrary file using getPlus. 
For an\r\nattack to be successful, a vulnerable user must be lured into viewing a\r\nmalicious website.\r\n\r\n------------------------------------------------------------------------\r\nReferences\r\n------------------------------------------------------------------------\r\n[1] http://www.akitasecurity.nl/advisory.php?id=AK20090401\r\n[2] http://www.adobe.com/support/security/bulletins/apsb10-08.html\r\n[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0189\r\n[4]\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=856\r\n[5]\r\nhttp://aviv.raffon.net/2010/02/18/SkeletonsInAdobesSecurityCloset.aspx\r\n[6]\r\nhttp://www.nosltd.com/index.php?option=com_content&task=view&id=38&Itemid=26\r\n[7] http://www.nosltd.com/\r\n\r\n------------------------------------------------------------------------\r\n\r\n-- \r\n------------------------------------------------------------------------\r\nAkita Software Security (Kvk 37144957)\r\nhttp://www.akitasecurity.nl/\r\n------------------------------------------------------------------------\r\nKey fingerprint = 5FC0 F50C 8B3A 4A61 7A1F 2BFF 5482 D26E D890 5A65\r\nhttp://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5482D26ED8905A65", "modified": "2010-03-01T00:00:00", "published": "2010-03-01T00:00:00", "id": "SECURITYVULNS:DOC:23297", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23297", "title": "getPlus insufficient domain name validation vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-02-15T12:34:23", "bulletinFamily": "info", "description": "### *Detect date*:\n02/25/2010\n\n### *Severity*:\nCritical\n\n### *Description*:\nImproper request validation at NOS Microsystems getPlus Download Manager was found in Adobe Download Manager. 
Malicious users can exploit this vulnerability to bypass security and install arbitrary programs via a specially designed download site name.\n\n### *Affected products*:\nAdobe Download Manager versions 1.6.2.60 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Original advisories*:\n[Adobe bulletin](<http://www.adobe.com/support/security/bulletins/apsb12-12.html>) \n\n\n### *Impacts*:\nSB \n\n### *Related products*:\n[Adobe Download Manager](<https://threats.kaspersky.com/en/product/Adobe-Download-Manager/>)\n\n### *CVE-IDS*:\n[CVE-2010-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0189>)", "modified": "2019-02-13T00:00:00", "published": "2010-02-25T00:00:00", "id": "KLA10042", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10042", "title": "KLA10042 Critical vulnerability in Adobe Download Manager", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}