CVE-2008-1770 - Code Injection vulnerability in Akamai Download Manager 2.0.4.4/2.2.0.0/2.2.1.0

CVSS 9.3 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: MEDIUM
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: network, akamai, CWE-94, critical, nessus, exploit available

Summary

CRLF injection vulnerability in Akamai Download Manager ActiveX control before 2.2.3.6 allows remote attackers to force the download and execution of arbitrary files via a URL parameter containing an encoded LF followed by a malicious target line.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

description: Akamai Download Manager < 2.2.3.7 ActiveX Remote Download Exploit. CVE-2008-1770. Remote exploit for windows platform
file: exploits/windows/remote/5741.html
id: EDB-ID:5741
last seen: 2016-01-31
modified: 2008-06-04
platform: windows
port:
published: 2008-06-04
reporter: cocoruder
source: https://www.exploit-db.com/download/5741/
title: Akamai Download Manager < 2.2.3.7 - ActiveX Remote Download Exploit
type: remote

Nessus

NASL family: Windows
NASL id: AKAMAI_DLM_ACTIVEX_2_2_3_7.NASL
description: The Windows remote host contains the Download Manager ActiveX control from Akamai, which helps users download content. The version of this ActiveX control on the remote host reportedly is affected by a parameter injection vulnerability that could be exploited to download arbitrary files and place them in arbitrary locations on the affected host, such as the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 33102
published: 2008-06-05
reporter: This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/33102
title: Akamai Download Manager ActiveX Control < 2.2.3.6 Arbitrary File Download
code:
#
#  (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(33102);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2008-1770");
  script_xref(name:"EDB-ID", value:"5741");
  script_xref(name:"Secunia", value:"30537");

  script_name(english:"Akamai Download Manager ActiveX Control < 2.2.3.6 Arbitrary File Download");
  script_summary(english:"Checks version of Download Manager ActiveX control");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that allows arbitrary
file downloads." );
  script_set_attribute(attribute:"description", value:
"The Windows remote host contains the Download Manager ActiveX control
from Akamai, which helps users download content.

The version of this ActiveX control on the remote host reportedly is
affected by a parameter injection vulnerability that could be
exploited to download arbitrary files and place them in arbitrary
locations on the affected host, such as the 'Startup' folder used by
Windows.  If an attacker can trick a user on the affected host into
visiting a specially crafted web page, this method could be used to
execute arbitrary code on the affected system subject to the user's
privileges." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Jun/59" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/493077/30/0/threaded" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 2.2.3.7 or later of the control." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(94);
  script_set_attribute(attribute:"plugin_publication_date", value: "2008/06/05");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");


if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Locate the file used by the control.
if (activex_init() != ACX_OK)
  exit(1, "ActiveX initialization failed.");

# CLSIDs under which the Download Manager control may be registered.
clsids = make_list("{4871A87A-BFDD-4106-8153-FFDE2BAC2967}",
                   "{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}",
                   "{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}");

info = NULL;
foreach clsid (clsids)
{
  file = activex_get_filename(clsid:clsid);

  if (file)
  {
    # Check its version.
    ver = activex_get_fileversion(clsid:clsid);

    # Fixed version of DownloadManagerV2.ocx == 2.2.3.7
    # TRUE here means the installed file is older than the fixed version.
    if (ver && activex_check_fileversion(clsid:clsid, fix:"2.2.3.7") == TRUE)
    {
      # Report only if the kill bit is not set, unless the scan is paranoid.
      if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
      {
        info += '  - ' + clsid + '\n' +
                '    ' + file + ', ' + ver + '\n';

        # One affected control is enough unless thorough tests are enabled.
        if (!thorough_tests) break;
      }
    }
  }
}

activex_end();

if (info)
{
  if (report_verbosity > 0)
  {
    if (report_paranoia > 1)
    {
      report = string(
        "\n",
        "Nessus found the following affected control(s) installed :\n",
        "\n",
        info,
        "\n",
        "Note that Nessus did not check whether the kill bit was set for\n",
        "the control(s) because of the Report Paranoia setting in effect\n",
        "when this scan was run.\n"
      );
    }
    else
    {
      report = string(
        "\n",
        "Nessus found the following affected control(s) installed :\n",
        "\n",
        info,
        "\n",
        "Moreover, the kill bit was  not set for the control(s) so they\n",
        "are accessible via Internet Explorer.\n"
      );
    }
    security_hole(port:kb_smb_transport(), extra:report);
  }
  else security_hole(kb_smb_transport());
}

Seebug

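bulletinFamily: exploit
description: CVE(CAN) ID: CVE-2008-1770

Akamai Download Manager is client software that helps users download content conveniently.

The Akamai ActiveX control has a vulnerability in the way it handles parameter data; a remote attacker may be able to use it to write files to arbitrary locations on the user's system.

When a user downloads and installs the Akamai Download Manager ActiveX control from http://dlm.tools.akamai.com/tools/upgrade.html, its parameter is set as:

<PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt">

which then sets the URL value. However, if other characters are injected into the URL, they are also parsed correctly, for example:

<PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net">

Because the parameter values set for the ActiveX control are saved to a temporary file in INI format, the approach above changes the referer value.

In addition, the target parameter sets the location where the downloaded file is saved, with the following meanings:

"DESKTOP" saves the file to the desktop
"AUTO" saves the file to Temporary Internet Files
"" asks the user to choose where to save the file

Normally target can only be set to one of these three values, and any other value is filtered out. But if the value is set to a valid file path through parameter injection, target can be set arbitrarily, and Akamai Download Manager will download the target file to any location on the user's system without user interaction.

Affected: Akamai Download Manager < 2.2.3.6

Akamai
------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:

http://dlm.tools.akamai.com/tools/upgrade.html
id: SSV:3386
last seen: 2017-11-19
modified: 2008-06-06
published: 2008-06-06
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-3386
title: Akamai Download Manager Parameter Injection Vulnerability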
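
The Seebug description attributes the flaw to parameter values being written unchecked into an INI-format temporary file. The following is an added example, not code from Akamai or from any of the sources above: it contrasts that serialization pattern with one that validates at the boundary. The function names, the last-key-wins parser and the example.invalid URLs are assumptions; only the key names url, referer and target and the three permitted target values come from the advisory.

```python
# Added illustration: the control's real temp-file layout is not on the page.
import re
from urllib.parse import unquote

ALLOWED_TARGETS = {"DESKTOP", "AUTO", ""}       # the three values the advisory lists
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and other control bytes


def serialize_naive(params):
    """Write key=value lines without inspecting the values (the flawed pattern)."""
    return "".join(f"{k}={v}\n" for k, v in params.items())


def serialize_checked(params):
    """Reject values that could break out of their line, then allowlist target."""
    for key, value in params.items():
        # Check the percent-decoded form too, so an encoded LF (%0A) is caught.
        for text in (key, value, unquote(value)):
            if CONTROL_CHARS.search(text):
                raise ValueError(f"control character in parameter {key!r}")
    if params.get("target", "") not in ALLOWED_TARGETS:
        raise ValueError("target must be DESKTOP, AUTO or empty")
    return serialize_naive(params)


def parse_ini(text):
    """Minimal line-based reader; the last occurrence of a key wins (assumed)."""
    parsed = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            parsed[key.strip().lower()] = value
    return parsed


def injected_keys(params):
    """Keys present after a naive round trip that the caller never supplied."""
    round_trip = parse_ini(serialize_naive(params))
    return sorted(set(round_trip) - {k.lower() for k in params})


# Constructed input shaped like the advisory's example: an LF, then a referer line.
SAMPLE = {"url": "http://example.invalid/Readme.txt\nreferer=http://example.invalid/x"}

if __name__ == "__main__":
    print("keys added by the naive writer:", injected_keys(SAMPLE))
    try:
        serialize_checked(SAMPLE)
    except ValueError as err:
        print("checked writer rejected input:", err)
```

Because the allowlist on target only holds if no other value can start a new line, the control-character check has to cover every parameter, not just target.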