mailing list archives
Download Accelerator Plus can be tricked to download malicious file
From: Bipin Gautam <gautam.bipin () gmail com>
Date: Wed, 4 Jan 2006 22:11:35 +0545
Product(ONLY TESTED ON): Download Accelerator Plus 126.96.36.199 (unregistered)
Test Environment: Winxp Pro sp2 (patch level latest)
Risk Type: Rare exception
Threat Level: High
POC screenshots: http://img482.imageshack.us/img482/4205/31uk.jpg
speedbit.com claims to have 110 million users of DAP world wide and is
one of the popular and best download manager for windows. One of its
biggest strength to download big files in a faster connection at
optimum speed is, it can automatically search for best mirrors and
download different parts of the file form multiple location.
BUT Download Accelerator Plus(DAP) may switch its download to a un
trusted or malicious website while searching for fastest mirrors for a
particular file under certain conditions. If the ACTUAL, trusted host
providing the file is DOWN or due to network congestions the users may
get and execute a malicious file instead.
I've included two screenshots which should be self explanatory. Check
out the url's in each screenshot and see from where the file is being
received at the end.
In the screenshot I'm trying to download 'Windows 2003 sp1' from
download.microsoft.com but DAP automatically chooses to download it
only from ftp.planet.nl as my network was having tooooooooo low
internet bandwidth at that time.
Further more, on some network/OS there might be rules for MAX
CONNECTION PER HOST and (say)if in the network someone is already
downloading some file from download.microsoft.com the outcome will
surely be a VIRTUAL network congensation for download.microsoft.com
within that DMZ.
For my test I used another client computer behind the gateway to send
continuous ping ( 17 different instants, fat ping requests ;0) to
download.microsoft.com As a result, for my network
download.microsoft.com was off the radar. So, in my another computer
DAP chooses to download Win2003 sp1 from ftp.planet.nl instead. So,
even after my network gained its full throttle... no-wounder DAP was
still downloading the file from ftp.planet.nl
My test network setup was a 3 computer PC which was left on default
configuration with Winxp sp2 (patchlevel: latest)
Changes: This advisory is slightly modified than the one that I
emailed to the vendor about a week back and tried contacting it, but
with no response till now!
Result: I was receiving the file from an unknown and un-trusted source
which could be infected with a malicious program.
BUT fyi: I haven't researched on HOW and WHERE 'DAP' queries to get
other possible mirrors for the particular file.
Conclusion: I insist NOT to use download managers that does the same
while downloading important files. Or either force your download
manager and check whether the file is being downloaded from the
original URL or not.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Download Accelerator Plus can be tricked to download malicious file Bipin Gautam (Jan 04)