Vulnerabilities > CVE-2008-1602 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Orbit Downloader Orbit Downloader 2.6.3/2.6.4
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in Orbit downloader 2.6.3 and 2.6.4 allows remote attackers to execute arbitrary code via a long download URL, which is not properly handled during Unicode conversion for a balloon notification after a download has failed.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | Orbit Downloader URL Unicode Conversion Overflow. CVE-2008-1602. Local exploit for windows platform |
| id | EDB-ID:18515 |
| last seen | 2016-02-02 |
| modified | 2012-02-23 |
| published | 2012-02-23 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/18515/ |
| title | Orbit Downloader - URL Unicode Conversion Overflow |
Metasploit
| description | This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL ascii string to unicode in an insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the "File->Add Metalink..." option. |
| id | MSF:EXPLOIT/WINDOWS/FILEFORMAT/ORBIT_DOWNLOAD_FAILED_BOF |
| last seen | 2020-03-23 |
| modified | 2017-09-22 |
| published | 2012-02-21 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/orbit_download_failed_bof.rb |
| title | Orbit Downloader URL Unicode Conversion Overflow |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/110164/orbit_download_failed_bof.rb.txt |
| id | PACKETSTORM:110164 |
| last seen | 2016-12-05 |
| published | 2012-02-24 |
| reporter | Diego Juarez |
| source | https://packetstormsecurity.com/files/110164/Orbit-Downloader-URL-Unicode-Conversion-Overflow.html |
| title | Orbit Downloader URL Unicode Conversion Overflow |
Saint
| bid | 28541 |
| description | Orbit Downloader URL Unicode conversion buffer overflow |
| id | misc_orbitdownloaderver |
| osvdb | 44036 |
| title | orbit_downloader_unicode_conversion |
| type | client |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 28541 CVE(CAN) ID: CVE-2008-1602 Orbit Downloader是用于从视频共享网站下载流媒体的下载管理器。 Orbit downloader没有正确地将URL ASCII字符串转换为Unicode,如果用户从特制的URL下载了文件的话就可能导致执行任意指令。 如果Orbit无法下载文件的话,就会在通知区域弹出气球控制: /----------- .text:004A56D0 sub_4A56D0 proc near ; CODE XREF: sub_42AAC0+321 p .text:004A56D0 ; sub_439610+321 p ... .text:004A56D0 .text:004A56D0 String = word ptr -2000h .text:004A56D0 hDC = dword ptr 4 .text:004A56D0 arg_4 = dword ptr 8 .text:004A56D0 lpRect = dword ptr 0Ch .text:004A56D0 uFormat = dword ptr 10h .text:004A56D0 .text:004A56D0 mov eax, 2000h ; reserve 0x2000 (8192) bytes in the stack .text:004A56D5 call __alloca_probe .text:004A56DA push edi .text:004A56DB mov ecx, 800h .text:004A56E0 xor eax, eax .text:004A56E2 lea edi, [esp+2004h+String] .text:004A56E6 rep stosd .text:004A56E8 mov eax, [esp+2004h+arg_4] .text:004A56EF pop edi .text:004A56F0 mov ecx, [eax+8] .text:004A56F3 mov eax, [eax+4] .text:004A56F6 test eax, eax .text:004A56F8 jnz short loc_4A56FF .text:004A56FA mov eax, ds:?_C@?1??_Nullstr@? basic_string@DU? char_traits@D@std@@V? allocator@D@2@@std@@CAPBDXZ@4DB ; .text:004A56FF .text:004A56FF loc_4A56FF: ; CODE XREF: sub_4A56D0+28 j .text:004A56FF lea edx, [esp+2000h+String] .text:004A5703 push 2000h ; cchWideChar (write up to 16384 bytes to the buffer) .text:004A5708 push edx ; lpWideCharStr .text:004A5709 push ecx ; cchMultiByte .text:004A570A push eax ; lpMultiByteStr .text:004A570B push 0 ; dwFlags .text:004A570D push 0 ; CodePage .text:004A570F call ds:MultiByteToWideChar .text:004A5715 mov ecx, [esp+2000h+uFormat] .text:004A571C mov edx, [esp+2000h+lpRect] .text:004A5723 push ecx ; uFormat .text:004A5724 mov ecx, [esp+2004h+hDC] .text:004A572B push edx ; lpRect .text:004A572C push eax ; nCount .text:004A572D lea eax, [esp+200Ch+String] .text:004A5731 push eax ; lpString .text:004A5732 push ecx ; hDC .text:004A5733 call ds:DrawTextW .text:004A5739 add esp, 2000h .text:004A573F retn .text:004A573F endp ;sub_4A56D0 - -----------/ Win32 API函数 /----------- int MultiByteToWideChar( UINT CodePage, DWORD dwFlags, LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar ); - -----------/ 的cchWideChar参数应为lpWideCharStr所说明的WCHAR值缓冲区大小。攻击者可以提供大于4096字节的下载URL,如果下载失败的话MultiByteToWideChar就会在栈上溢出8192字节的缓冲区,并最多写入0x2000 WCHAR(16384字节),覆盖内部结构导致执行任意指令。 OrbitDownloader.com Orbit Downloader 2.6.4 OrbitDownloader.com Orbit Downloader 2.6.3 OrbitDownloader.com ------------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://dl.orbitdownloader.com/dl/OrbitDownloaderSetup.exe target=_blank>http://dl.orbitdownloader.com/dl/OrbitDownloaderSetup.exe</a> |
| id | SSV:3124 |
| last seen | 2017-11-19 |
| modified | 2008-04-09 |
| published | 2008-04-09 |
| reporter | Root |
| title | Orbit Downloader URL处理栈溢出漏洞 |
References
- http://secunia.com/advisories/29669
- http://securityreason.com/securityalert/3798
- http://www.coresecurity.com/?action=item&id=2211
- http://www.securityfocus.com/archive/1/490458/100/0/threaded
- http://www.securityfocus.com/bid/28541
- http://www.vupen.com/english/advisories/2008/1101
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41649