From: SNS Research (vuln-devGREYHACK.COM)
Date: Sun Feb 25 2001 - 23:53:25 CST


    Strumpf Noir Society Advisories
    ! Public release !
    <--#

    -= My Getright Unsupervised File Download Vulnerability =-

    Release date: Monday, February 26, 2001

    Introduction:

    My GetRight is a free, easy to use member of the Getright download
    manager software family for MS Windows. It uses the same method of
    "click monitoring" to take over the downloads from your web browser
    as the other versions of Getright, but offers much more control and
    customization for web sites providing files for downloading.

    My Getright is available from vendor Headlight Software's website:
    http://www.mygetright.com

    Problem:

    My Getright features an option to customize its look while downloading.
    Remote websites can even send the program skins to use during the
    session. There is a problem in the handling of these skin files that
    may allow a malicious website operator to stealthily upload files
    anywhere on a user's system, and even overwrite existing ones.

    A customized look during a download can easily be created through the
    use of a .dld file, which holds the skin data and which should be
    placed in the same directory as the files that are to be downloaded.
    This file uses the Windows .INI format, with simple fields containing
    information such as graphics locations and download descriptions. By
    filling these fields with long strings of random data, the client skin
    is parsed incorrectly, which causes the GUI to die permanently while
    the program itself keeps on downloading. A further effect is that the
    client no longer displays informative messages of any kind. If, from
    this point on, a queued file already exists on the user's hard drive,
    it is overwritten without question.

    This vulnerability is made worse by the possibility of tricking the
    client into a directory traversal through the filepath field of the
    customization file mentioned above. Using a simple "../", a malicious
    website operator can make the client (over)write to any path on the
    user's system.
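    The checks a download client should apply to a remote skin file before acting on it, as an added example (not code from the advisory or from My GetRight): parse the .dld as INI, cap field lengths so an oversized value cannot take the GUI down, confine the resolved target to the download directory, and refuse silent overwrites. The `[Skin]` section and `FilePath` key names, the 260-character cap and the sample .dld are assumptions constructed for this example.

```python
import configparser
import posixpath

# Constructed sample .dld skin file in Windows INI format. The section and
# key names are assumptions for this example; the advisory does not list them.
SAMPLE_DLD = """[Skin]
Logo=images/logo.gif
Description=test
FilePath=../
"""

MAX_FIELD_LEN = 260  # assumed cap; overlong values are what broke the GUI parser

def parse_dld(text):
    """Parse a .dld file and return its [Skin] keys (lower-cased by configparser),
    rejecting any field longer than MAX_FIELD_LEN instead of passing it to the GUI."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    skin = dict(cp["Skin"]) if cp.has_section("Skin") else {}
    for key, value in skin.items():
        if len(value) > MAX_FIELD_LEN:
            raise ValueError(f"skin field {key!r} exceeds {MAX_FIELD_LEN} characters")
    return skin

def resolve_download_target(download_dir, filepath, filename, existing=frozenset()):
    """Join download_dir/filepath/filename, normalise away '..' and refuse a result
    that leaves download_dir or collides with a path in `existing` (an in-memory
    stand-in for files already on disk, so the example runs without a filesystem)."""
    if "/" in filename or "\\" in filename:
        raise ValueError("filename must not contain path separators")
    root = posixpath.normpath(download_dir.replace("\\", "/"))
    rel = filepath.replace("\\", "/")
    if posixpath.isabs(rel) or ":" in rel:  # absolute, UNC or drive-qualified
        raise ValueError("filepath must be relative to the download directory")
    target = posixpath.normpath(posixpath.join(root, rel, filename))
    if not target.startswith(root + "/"):
        raise ValueError(f"path traversal: {target!r} escapes {root!r}")
    if target in existing:
        raise FileExistsError(f"refusing to silently overwrite {target!r}")
    return target

def plan_download(dld_text, download_dir, filename, existing=frozenset()):
    """Validate a remote skin file and return the only path the download may write to."""
    skin = parse_dld(dld_text)
    return resolve_download_target(download_dir, skin.get("filepath", ""), filename, existing)
```

Running `plan_download(SAMPLE_DLD, "C:\\Downloads", "test.zip")` raises on the `../` filepath, while the same call with a skin that omits `FilePath` resolves to `C:/Downloads/test.zip`.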

    Example:

    For this example we have configured the My Getright client to download
    all files to C:\Downloads, and we have created a file test.zip in C:\

    First we do a regular download. This kills the client GUI, yet it still
    downloads the file test.zip to the designated download directory
    (C:\Downloads):

    http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test

    Now that the client uses our "skin", no messages are displayed while we
    use the URL below to overwrite the file in C:\ :

    http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test&filepath=..%2F

    (..)

    Solution:

    The vendor was notified and has verified the problem. A new version
    (v 1.0b) has been released which fixes both the directory traversal and
    the transparent skin problem.

    yadayadayada

    Free sk8! (http://www.freesk8.org)

    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant, all information is provided on AS IS basis.

    EOF, but Strumpf Noir Society will return!