Bugtraq mailing list archives

My Getright Unsupervised File Download Vulnerability


From: SNS Research <vuln-dev () greyhack com>
Date: Mon, 26 Feb 2001 06:53:25 +0100

Strumpf Noir Society Advisories
! Public release !
<--#


-= My Getright Unsupervised File Download Vulnerability =-

Release date: Monday, February 26, 2001


Introduction:

My GetRight is a free, easy to use member of the Getright download
manager software family for MS Windows. It uses the same method of
"click monitoring" to take over the downloads from your web browser
as the other versions of Getright, but offers much more control and
customization for web sites providing files for downloading.

My Getright is available from vendor Headlight Software's website:
http://www.mygetright.com


Problem:

My Getright features an option to customize its look while downloading.
Remote websites can even send the program skins to use during the
session. There exists a problem in the handling of these skin files
that might allow a malicious website operator to stealthily write
files anywhere on a user's system and even overwrite existing ones.

A customized look during a download can easily be created through the
use of a .dld file, which holds the skin data and which should be
placed in the same directory as the files that are to be downloaded.
This file uses a Windows .INI format with simple fields containing
information about graphics locations, download descriptions etc. By
filling these fields with long strings of random data the client skin
will be incorrectly parsed, which causes the GUI to die permanently
while the program itself keeps on downloading. Another effect of this
is that the client no longer displays informative messages of any
kind. From this point on, if a queued file already exists on the
user's hard drive, it is overwritten without any prompt.

This vulnerability is made worse by the possibility of tricking the
client into a directory traversal through the filepath field of the
aforementioned customization file. Using a simple "../", a malicious
website operator can make the client (over)write to any path on the
user's system.
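The two defects described above (an unbounded skin field that breaks the
parser, and a filepath field that is joined onto the download directory
without being checked) are what a download client must guard against when
it accepts a skin file from a remote site. The following is an added
example written for this advisory, not code from My Getright or Headlight
Software: it parses a constructed .dld text in INI form, rejects oversized
fields, canonicalizes the requested path and refuses anything that resolves
outside the download directory, and asks before overwriting an existing
file instead of silently replacing it. The section name [Download], the
field names filepath and filedesc, and the 256-character field cap are
assumptions for illustration; the real file layout is not given in the
advisory.

```python
"""Defensive handling of a .dld-style skin file (added example, not the
product's own code). Section and key names are assumed."""
import configparser
import re
from pathlib import Path

MAX_FIELD_LEN = 256           # assumed cap on any skin field
SECTION = "Download"          # assumed section name, not from the advisory
ABS_OR_DRIVE = re.compile(r"^(/|[A-Za-z]:)")

# Constructed sample skin files: a benign one, a "../" traversal, a
# Windows-separator traversal, and one with an oversized field.
BENIGN_DLD = "[Download]\nfiledesc = test\nfilepath =\n"
TRAVERSAL_DLD = "[Download]\nfiledesc = test\nfilepath = ../\n"
WIN_TRAVERSAL_DLD = "[Download]\nfiledesc = test\nfilepath = ..\\..\\\n"
OVERSIZED_DLD = "[Download]\nfiledesc = " + "A" * 4096 + "\nfilepath =\n"


def parse_dld(text):
    """Parse the INI-style .dld text into a dict of lower-cased field names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(SECTION):
        raise ValueError(f"missing [{SECTION}] section")
    return {k.lower(): v for k, v in cp.items(SECTION)}


def check_field_lengths(fields):
    """Return the names of fields longer than MAX_FIELD_LEN."""
    return [k for k, v in fields.items() if len(v) > MAX_FIELD_LEN]


def resolve_target(download_root, filepath, filename):
    """Join filepath/filename under download_root; raise if the result
    would land outside the download directory."""
    root = Path(download_root).resolve()
    rel = filepath.replace("\\", "/")          # treat Windows separators like "/"
    if ABS_OR_DRIVE.match(rel):
        raise ValueError(f"absolute path or drive letter in filepath: {filepath!r}")
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError(f"bad filename: {filename!r}")
    target = (root / rel / filename).resolve()  # collapses any "../" components
    if target != root and root not in target.parents:
        raise ValueError(f"filepath escapes download directory: {filepath!r}")
    return target


def plan_download(dld_text, download_root, filename, exists=Path.exists):
    """Decide how to handle a download described by a skin file.
    Returns (status, detail) with status in: reject, overwrite_prompt, ok."""
    try:
        fields = parse_dld(dld_text)
    except (configparser.Error, ValueError) as e:
        return ("reject", f"unparseable skin file: {e}")
    oversized = check_field_lengths(fields)
    if oversized:
        return ("reject", "oversized fields: " + ", ".join(oversized))
    try:
        target = resolve_target(download_root, fields.get("filepath", ""), filename)
    except ValueError as e:
        return ("reject", str(e))
    if exists(target):
        # Never clobber silently; the caller must get explicit confirmation.
        return ("overwrite_prompt", str(target))
    return ("ok", str(target))


if __name__ == "__main__":
    for name, text in [("benign", BENIGN_DLD), ("traversal", TRAVERSAL_DLD),
                       ("win_traversal", WIN_TRAVERSAL_DLD), ("oversized", OVERSIZED_DLD)]:
        print(name, plan_download(text, "/tmp/downloads", "test.zip"))
```

The `exists` parameter is injected so the overwrite decision can be exercised
without touching the filesystem; in a real client it would simply be the
default `Path.exists`. Note that the check resolves the final path rather
than scanning the string for "..", so encoded or separator-mixed variants
are caught by the same comparison against the resolved download root.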


Example:

For this example we've configured the My Getright client to download
all files to C:\Downloads and have created a file test.zip in C:\

First we do a regular download. This kills the client GUI, yet the
file test.zip is still downloaded to the designated download directory
(C:\Downloads):

http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test

Now that the client uses our "skin", no messages are displayed while we
use the URL below to overwrite the file in C:\ :

http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test&filepath=..%2F


(..)


Solution:

Vendor was notified and has verified the problem. A new version (v 1.0b)
has been released which fixes both the directory traversal and
transparent skin problem.


yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!
