Re: Download Accelerator Plus can be tricked to download malicious file

[Bipin Gautam <gautam.bipin () gmail com>]

Just n' update:
DAP searches for all its mirrors from mirrorsearch.speedbit.com

I have no knowledge about HOW the mirrors are gathered. Still waiting
for DAP developers to comment on this.

regards,
-Bipin Gautam
http://bipin.tk


On 1/4/06, Bipin Gautam <gautam.bipin () gmail com> wrote:
> Product(ONLY TESTED ON): Download Accelerator Plus 7.4.0.2 (unregistered)
> Test Environment: Winxp Pro sp2 (patch level latest)
> Risk Type: Rare exception
> Threat Level: High
> Vendor website:www.speedbit.com
>
> POC screenshots: http://img482.imageshack.us/img482/4205/31uk.jpg
> http://img425.imageshack.us/img425/4380/15an.jpg
>
> speedbit.com claims to have 110 million users of DAP world wide and is
> one of the popular and best download manager for windows. One of its
> biggest strength to download big files in a faster connection at
> optimum speed is, it can automatically search for best mirrors and
> download different parts of the file form multiple location.
>
> BUT Download Accelerator Plus(DAP) may switch its download to a un
> trusted or malicious website while searching for fastest mirrors for a
> particular file under certain conditions. If the ACTUAL, trusted host
> providing the file is DOWN or due to network congestions the users may
> get and execute a malicious file instead.
>
> I've included two screenshots which should be self explanatory. Check
> out the url's in each screenshot and see from where the file is being
> received at the end.
>
> In the screenshot I'm trying to download 'Windows 2003 sp1' from
> download.microsoft.com but DAP automatically chooses to download it
> only from ftp.planet.nl as my network was having tooooooooo low
> internet bandwidth at that time.
>
> Further more, on some network/OS there might be rules for MAX
> CONNECTION PER HOST and (say)if in the network someone is already
> downloading some file from download.microsoft.com the outcome will
> surely be a VIRTUAL network congensation for download.microsoft.com
> within that DMZ.
>
> For my test I used another client computer behind the gateway to send
> continuous ping ( 17 different instants, fat ping requests ;0) to
> download.microsoft.com As a result, for my network
> download.microsoft.com was off the radar. So, in my another computer
> DAP chooses to download Win2003 sp1 from ftp.planet.nl instead. So,
> even after my network gained its full throttle... no-wounder DAP was
> still downloading the file from ftp.planet.nl
>
> My test network setup was a 3 computer PC which was left on default
> configuration with Winxp sp2 (patchlevel: latest)
>
> Changes: This advisory is slightly modified than the one that I
> emailed to the vendor about a week back and tried contacting it, but
> with no response till now!
>
> Result: I was receiving the file from an unknown and un-trusted source
> which could be infected with a malicious program.
>
> BUT fyi: I haven't researched on HOW and WHERE 'DAP' queries to get
> other possible mirrors for the particular file.
>
> Conclusion: I insist NOT to use download managers that does the same
> while downloading important files. Or either force your download
> manager and check whether the file is being downloaded from the
> original URL or not.
>
> Regards,
> -Bipin Gautam


--

Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/