Vulnerabilities > CVE-2006-5856 - Buffer Overflow vulnerability in Adobe Download Manager AOM

CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
adobe
nessus

Summary

Stack-based buffer overflow in the Adobe Download Manager before 2.2 allows remote attackers to execute arbitrary code via a long section name in the dm.ini file, which is populated via an AOM file.

Nessus

NASL family: Windows
NASL id: ADOBE_AOM_BUFFER_OVERFLOW_VULNERABILITY.NASL
description: There is a version of Adobe Download Manager installed on the remote Windows host that is vulnerable to a remote buffer overflow attack because the application fails to perform boundary checks while processing AOM files. In order to trigger this issue, an attacker needs to entice a user to visit a website hosting the malicious AOM file or send the AOM file as an email attachment and have the user click on it. Successful exploitation of this issue might result in arbitrary code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23779
published: 2006-12-07
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23779
title: Adobe Download Manager < 2.2 AOM File Handling Section Name Overflow
code
#
#  (C) Tenable Network Security, Inc.
#



include("compat.inc");

# Registration phase: when Nessus loads the plugin with `description`
# set, only the metadata below is declared and the script exits before
# any check is performed (see exit(0) at the end of this block).
if (description) {
  script_id(23779);
  script_version("1.19");
 script_cvs_date("Date: 2018/11/15 20:50:26");

  # Identifiers of the flaw this plugin detects.
  script_cve_id("CVE-2006-5856");
  script_bugtraq_id(21453);

  script_name(english:"Adobe Download Manager < 2.2 AOM File Handling Section Name Overflow");
  script_summary(english:"Checks for Adobe Download Manager version < 2.2");

 script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is prone to a buffer
overflow attack.");
 script_set_attribute(attribute:"description", value:
"There is a version Adobe Download Manager installed on the remote
Windows host that is vulnerable to a remote buffer overflow attack
because the application fails to perform boundary checks while
processing AOM files. In order to trigger this issue, an attacker
needs to entice a user to visit a website hosting the malicious AOM
file or send the AOM file as an email attachment and have the user
click on it. Successful exploitation of this issue might result in
arbitrary code execution.");
 script_set_attribute(attribute:"see_also", value:"https://www.beyondtrust.com/resources/blog/research/");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Dec/121");
 script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb06-19.html" );
 script_set_attribute(attribute:"solution", value:
"Either uninstall the application or upgrade to Adobe Download Manager
version 2.2 or later.");
 # CVSSv2 base vector matches the page header: network, medium complexity,
 # no authentication, partial C/I/A impact.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/06");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/12/05");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/07");

# "local" plugin type: the check reads the registry and a file over SMB
# rather than probing the vulnerable parser itself.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:download_manager");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Requires the registry enumeration done by smb_hotfixes.nasl and the
  # SMB transport ports.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139,445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("audit.inc");

# Render a 32-bit value as an 8-digit uppercase hex string.
#
# dword : the integer to render (only the low 32 bits are used).
# nox   : when set to a true value, omit the leading "0x".
#
# Returns e.g. "0x0A0B0C0D" (or "0A0B0C0D" with nox:TRUE).
function display_dword (dword, nox)
{
 local_var prefix, bytes;

 # Emit the "0x" prefix unless the caller explicitly asked for none.
 prefix = "0x";
 if (!isnull(nox) && nox != FALSE) prefix = "";

 # Most significant byte first so hexstr() yields the natural reading order.
 bytes = raw_string((dword >>> 24) & 0xFF,
                    (dword >>> 16) & 0xFF,
                    (dword >>> 8)  & 0xFF,
                    dword          & 0xFF);

 return prefix + toupper(hexstr(bytes));
}

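# Convert a dotted version string into a single integer whose ordering
# matches the usual component-wise version ordering.
#
# ver : version string such as "2.1.0" or "2.2".
#
# Returns an integer; only comparisons between two results of this
# function are meaningful, the absolute value is not.
#
# The previous implementation gave each component a place value of
# 10**(number of components - position), so the weight of a component
# depended on how many components the string had: "2.1.0" became 210
# while "2.2" became 22, making 2.1.0 compare as newer than 2.2 (a false
# negative for this check). Components above 9 also collided with the
# next position ("2.10" == "3.0"). Both are fixed by using a fixed slot
# count and a fixed per-slot base.
function compute_version(ver)
{
  local_var version, array, i, slots, base;

  # Four slots of base 1000: enough for "a.b.c.d" with components < 1000.
  # Missing trailing components count as 0, so "2.2" == "2.2.0".
  # NOTE(review): the product 1000**4 exceeds 32-bit range; assumes the
  # interpreter's integers are 64-bit — confirm, or lower the base.
  slots = 4;
  base = 1000;

  array = split(ver, sep:".", keep:FALSE);
  version = 0;
  for (i = 0; i < slots; i++)
  {
    version = version * base;
    if (i < max_index(array)) version += int(array[i]);
  }
  return version;
}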

# Report whether the installed version is at least the fixed version.
#
# cv : currently installed version string.
# lv : lowest version string that is considered fixed.
#
# Returns TRUE when cv >= lv (not affected), FALSE when cv < lv.
function check_version1(cv,lv)
{
  local_var current, lowest;

  current = compute_version(ver:cv);
  lowest  = compute_version(ver:lv);

  return (current >= lowest);
}


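# Detection phase.
#
# 1. Open an SMB session and the remote registry.
# 2. Locate the Download Manager executable via the ".aom" file
#    association (HKLM\SOFTWARE\Classes\aom\DefaultIcon).
# 3. Read ProductVersion from the executable's version resource.
# 4. Flag the host when that version is below 2.2.
#
# Every early exit releases the registry handles and the SMB connection
# so that a partial run does not leave a session open on the target.

# Connect to the appropriate share.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
name    =  kb_smb_name();
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
  NetUseDel();
  exit(0);
}


# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm)) {
  NetUseDel();
  exit(0);
}


# Determine where it's installed.
exe = NULL;
key = "SOFTWARE\Classes\aom\DefaultIcon";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);

if (!isnull(key_h)) {
  value = RegQueryValue(handle:key_h, item:NULL);
  if (isnull(value)) {
    # Previously exited here without closing the key, the registry
    # connection or the SMB session.
    RegCloseKey(handle:key_h);
    RegCloseKey(handle:hklm);
    NetUseDel();
    exit(0);
  }
  else {
    # nb: the value may appear in quotes and carry an icon index
    #     (e.g. "C:\path\foo.exe",0); keep only the path.
    exe = ereg_replace(pattern:'"(.+)",[0-9]', replace:"\1", string:value[1]);
  }
  RegCloseKey (handle:key_h);
}
RegCloseKey(handle:hklm);


# If it is...
if (exe) {
  # Determine its version from the executable itself: split "C:\dir\x.exe"
  # into the administrative share "C$" and the path "\dir\x.exe".
  share = ereg_replace(pattern:"([A-Za-z]):.*", replace:"\1$", string:exe);
  exe2 =  ereg_replace(pattern:"[A-Za-z]:(.*)", replace:"\1", string:exe);
  NetUseDel(close:FALSE);

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1) {
    NetUseDel();
    exit(0);
  }

  fh = CreateFile(
    file:exe2,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  ver = NULL;
  children = NULL;
  translation = NULL;
  if (!isnull(fh)) {
    ret = GetFileVersionEx(handle:fh);

    if (!isnull(ret)) children = ret['Children'];
    if (!isnull(children))
    {
      # The StringFileInfo table is keyed by language/codepage; build that
      # key ("lllcccc" in lowercase hex) from the Translation entry.
      varfileinfo = children['VarFileInfo'];
      if (!isnull(varfileinfo))
      {
        translation =
          (get_word (blob:varfileinfo['Translation'], pos:0) << 16) +
          get_word (blob:varfileinfo['Translation'], pos:2);
        translation = tolower(display_dword(dword:translation, nox:TRUE));
      }
      stringfileinfo = children['StringFileInfo'];
      if (!isnull(stringfileinfo) && !isnull(translation))
      {
        data = stringfileinfo[translation];
        if (!isnull(data)) ver = data['ProductVersion'];
      }
    }
    CloseFile(handle:fh);
  }

  # Check the version number, if it's available. Versions below 2.2 are
  # affected (APSB06-19); check_version1() returns FALSE for those.
  if (!isnull(ver))
  {
    if (!check_version1(cv:ver, lv:"2.2"))
    {
      report = string(
        "Version ", ver, " of Adobe Download Manager is installed as :\n",
        "  ", exe
      );
      security_warning(port:kb_smb_transport(), extra:report);
    }
  }
}


# Clean up.
NetUseDel();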