CVE-2008-1770 - Code Injection vulnerability in Akamai Download Manager 2.0.4.4/2.2.0.0/2.2.1.0
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
CRLF injection vulnerability in Akamai Download Manager ActiveX control before 2.2.3.6 allows remote attackers to force the download and execution of arbitrary files via a URL parameter containing an encoded LF followed by a malicious target line.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables: This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Exploit-Db
description | Akamai Download Manager < 2.2.3.7 ActiveX Remote Download Exploit. CVE-2008-1770. Remote exploit for windows platform |
file | exploits/windows/remote/5741.html |
id | EDB-ID:5741 |
last seen | 2016-01-31 |
modified | 2008-06-04 |
platform | windows |
port | |
published | 2008-06-04 |
reporter | cocoruder |
source | https://www.exploit-db.com/download/5741/ |
title | Akamai Download Manager < 2.2.3.7 - ActiveX Remote Download Exploit |
type | remote |
Nessus
NASL family | Windows |
NASL id | AKAMAI_DLM_ACTIVEX_2_2_3_7.NASL |
description | The Windows remote host contains the Download Manager ActiveX control from Akamai, which helps users download content. The version of this ActiveX control on the remote host reportedly is affected by a parameter injection vulnerability that could be exploited to download arbitrary files and place them in arbitrary locations on the affected host, such as the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33102 |
published | 2008-06-05 |
reporter | This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/33102 |
title | Akamai Download Manager ActiveX Control < 2.2.3.6 Arbitrary File Download |
Seebug
bulletinFamily | exploit |
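description | CVE(CAN) ID: CVE-2008-1770 Akamai Download Manager is client software that helps users download content conveniently. The Akamai ActiveX control has a vulnerability in how it handles parameter data; a remote attacker may exploit it to write files to arbitrary locations on the user's system. When a user downloads and installs the Akamai Download Manager ActiveX control from http://dlm.tools.akamai.com/tools/upgrade.html, its parameter is set as: <PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt"> which then sets the URL value. However, if other characters are injected into the URL, they are also parsed correctly, for example: <PARAM name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net"> Because the parameter values set by the ActiveX control are stored in a temporary file in INI file format, the above changes the referer value. In addition, the target parameter is used to set the location of the downloaded file, with the following meanings: "DESKTOP" saves the file to the desktop; "AUTO" saves the file to Temporary Internet Files; "" asks the user to choose where to save. Normally target can only be set to one of these three values, and other values are filtered out. But if parameter injection is used to set it to a valid file path, target can be set arbitrarily, and Akamai Download Manager will download the target file to any location on the user's system without user interaction. Akamai Download Manager < 2.2.3.6 Akamai: The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page: http://dlm.tools.akamai.com/tools/upgrade.html |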
id | SSV:3386 |
last seen | 2017-11-19 |
modified | 2008-06-06 |
published | 2008-06-06 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-3386 |
title | Akamai Download Manager parameter injection vulnerability |
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062672.html
- http://secunia.com/advisories/30537
- http://www.securityfocus.com/archive/1/493077/100/0/threaded
- http://www.securityfocus.com/archive/1/493142/100/0/threaded
- http://www.securitytracker.com/id?1020194
- http://www.vupen.com/english/advisories/2008/1746/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42879
- https://www.exploit-db.com/exploits/5741