Bugtraq mailing list archives
My Getright Unsupervised File Download Vulnerability
From: SNS Research <vuln-dev () greyhack com>
Date: Mon, 26 Feb 2001 06:53:25 +0100
Strumpf Noir Society Advisories ! Public release ! <--#

-= My Getright Unsupervised File Download Vulnerability =-

Release date: Monday, February 26, 2001

Introduction:

My GetRight is a free, easy to use member of the Getright download manager software family for MS Windows. It uses the same method of "click monitoring" to take over the downloads from your web browser as the other versions of Getright, but offers much more control and customization for web sites providing files for downloading. My Getright is available from vendor Headlight Software's website: http://www.mygetright.com

Problem:

My Getright features an option to customize its look while downloading. Remote websites can even send the program skins to use during the session. There is a problem in the handling of these skin files that might allow a malicious website operator to stealthily upload files to anywhere on a user's system and even overwrite existing ones.

A customized look during a download can easily be created through the use of a .dld file, which holds the skin data and which should be placed in the same directory as the files that are to be downloaded. This file uses the Windows .INI format with simple fields containing information such as graphics locations and download descriptions. By filling these fields with long strings of random data the client skin will be incorrectly parsed, which causes the GUI to die permanently while the program itself keeps on downloading. Another effect of this is that the client will no longer display informative messages of any kind. If from this point on a queued file already exists on the user's hard drive, it will be overwritten without question.

This vulnerability is made worse by the possibility of tricking the client into a directory traversal through the filepath field of the mentioned customization file. Through utilization of a simple "../" a malicious website operator can trick the client into (over)writing to any path on the user's system.

Example:

For this example we have configured the My Getright client to download all files to C:\Downloads and have created a file test.zip in C:\.

First we do a regular download. This will kill the client GUI, yet it will download the file test.zip to the designated download directory (C:\Downloads):

http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test

Now that the client uses our "skin", no messages will be displayed while we use the URL below to overwrite the file in C:\ :

http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test&filepath=..%2F

(..)

Solution:

Vendor was notified and has verified the problem. A new version (v 1.0b) has been released which fixes both the directory traversal and the transparent skin problem.

yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!
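A defensive check for the two .dld handling problems the advisory describes (oversized fields that break the skin parser, and a filepath field that walks out of the download directory), as an added Python example that is not from the advisory or from Headlight Software's code. The [Download] section name, the 256-character field limit and the in-memory set standing in for the filesystem are assumptions; the advisory names only the fields (filedesc, filepath).

```python
import configparser
import posixpath
from urllib.parse import urlsplit

SKIN_SECTION = "Download"  # assumed; the advisory does not name the INI section
MAX_FIELD_LEN = 256        # assumed; the advisory gives no exact breaking length

class UnsafeSkinFile(ValueError):
    """Raised when a .dld skin file must not be honoured."""

def parse_dld(text):
    """Parse the .INI-style .dld text into a dict of lower-cased fields."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(SKIN_SECTION):
        raise UnsafeSkinFile("missing [%s] section" % SKIN_SECTION)
    fields = dict(cp.items(SKIN_SECTION))
    # Oversized values are what killed the GUI: refuse the whole skin outright
    # rather than carry on with a half-parsed, message-less client.
    for key, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            raise UnsafeSkinFile("field %r too long (%d chars)" % (key, len(value)))
    return fields

def resolve_destination(download_dir, filepath_field, filename):
    """Join filepath onto download_dir; reject any result outside it."""
    # Normalise '\' to '/' so the containment check is identical on Windows and POSIX.
    base = posixpath.normpath(download_dir.replace("\\", "/")).rstrip("/")
    rel = filepath_field.replace("\\", "/")
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        raise UnsafeSkinFile("absolute filepath rejected: %r" % filepath_field)
    dest = posixpath.normpath(posixpath.join(base, rel, filename))
    if not dest.startswith(base + "/"):
        raise UnsafeSkinFile("filepath leaves download dir: %r" % filepath_field)
    return dest

def plan_download(download_dir, dld_text, url, existing_files):
    """Return (destination, would_overwrite); existing_files stands in for the filesystem."""
    fields = parse_dld(dld_text)
    filename = posixpath.basename(urlsplit(url).path)
    dest = resolve_destination(download_dir, fields.get("filepath", ""), filename)
    return dest, dest in existing_files

def skin_is_safe(download_dir, dld_text, url):
    """True if the skin resolves to a destination inside download_dir."""
    try:
        plan_download(download_dir, dld_text, url, set())
        return True
    except UnsafeSkinFile:
        return False
```

With the client's C:\Downloads setting and the advisory's test.zip, an empty filepath resolves to C:/Downloads/test.zip while "../" is refused before anything is written; the would_overwrite flag is what a fixed client should prompt on instead of silently replacing the file.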