Akamai Download Manager is an integral component of Akamai's global distribution service. It is used to deliver large files quickly and reliably to users around the world. Many software vendors, such as Symantec and Microsoft, have used it to provide downloads to the public.
Akamai provides both a Java applet and an ActiveX version of Download Manager. Once a user has used the ActiveX control, it remains installed on the user's computer until it is manually removed. For more information, please visit the following websites:
http://www.akamai.com/html/technology/products/http_downloads.html
http://www.akamai.com/html/solutions/electronic_software_delivery.html
This vulnerability specifically exists in manager.exe when handling Redswoosh downloads. Redswoosh is a peer-to-peer content delivery technology. When a specifically malformed HTTP response is received, a stack buffer overflow occurs. The advisory does not detail which field of the response is mishandled.
Exploitation allows an attacker to execute arbitrary code in the context of the user viewing a maliciously crafted Web page.
To exploit this vulnerability, an attacker would need to persuade a user to view a malicious Web page. This is usually accomplished by getting the targeted user to click a link.
iDefense has confirmed the existence of this vulnerability within version 2.2.4.3 of Akamai Technologies Inc.'s Download Manager. All older versions are suspected to be vulnerable.
Setting the kill bit for the associated CLSIDs will prevent the Akamai Download Manager ActiveX control from being loaded within Internet Explorer, thereby preventing exploitation through the browser. Note that this also prevents Download Manager from working through Internet Explorer. The kill bit must be set for every version of the control that is installed, not only the most recent one:
Version 2.2.4.3 CLSID: 4871A87A-BFDD-4106-8153-FFDE2BAC2967
Version 2.2.2.1 CLSID: 2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
Version 2.2.0.5 CLSID: FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1
During prior iDefense testing, upgrading to a new version of Akamai Download Manager did not automatically uninstall or disable the prior versions, thus leaving the older, vulnerable version installed and registered. iDefense recommends manually removing older versions of Akamai Download Manager.
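The following PowerShell script is an added example, not part of the iDefense advisory or Akamai's own tooling. It covers both the workaround above and the stale-version problem: for each of the three CLSIDs listed in the advisory it reports whether the control is still registered (by resolving HKCR\CLSID\{CLSID}\InprocServer32 to a DLL path), then sets the standard Internet Explorer kill bit (Compatibility Flags = 0x400) in the native hive and, on 64-bit Windows, in the Wow6432Node view used by 32-bit Internet Explorer, and verifies the result. The CLSIDs are those from the advisory; the function names are this example's own. It must be run from an elevated (administrator) session.

```powershell
# Added example: report registered Akamai Download Manager ActiveX versions and
# set the IE kill bit for each CLSID listed in the advisory. Not iDefense or
# Akamai code. Requires an elevated PowerShell session.

# Version -> CLSID, as published in the advisory.
$Clsids = @{
    '2.2.4.3' = '{4871A87A-BFDD-4106-8153-FFDE2BAC2967}'
    '2.2.2.1' = '{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}'
    '2.2.0.5' = '{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}'
}

# Kill-bit locations. 64-bit Windows keeps a separate view for 32-bit IE under
# Wow6432Node; a kill bit set in only one view leaves the other IE bitness exposed.
$KillBitRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $KillBitRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-RegisteredControl {
    # Returns the DLL path the CLSID resolves to, or $null if the control is not registered.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Set-KillBit {
    # Sets Compatibility Flags = 0x400 (the kill bit) for one CLSID in every hive view.
    param([string]$Clsid)
    foreach ($root in $KillBitRoots) {
        $key = Join-Path $root $Clsid
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    }
}

function Test-KillBit {
    # True only if the kill bit is present in every hive view IE could read.
    param([string]$Clsid)
    foreach ($root in $KillBitRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { return $false }
        $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not ($flags -band 0x400)) { return $false }
    }
    return $true
}

foreach ($version in ($Clsids.Keys | Sort-Object)) {
    $clsid = $Clsids[$version]
    $dll = Get-RegisteredControl $clsid
    if ($dll) {
        Write-Host "Version $version $clsid is still registered: $dll"
    } else {
        Write-Host "Version $version $clsid is not registered"
    }
    Set-KillBit $clsid
    Write-Host "  kill bit set in all views: $(Test-KillBit $clsid)"
}
```

The kill bit blocks only the Internet Explorer loading path the advisory describes; it does not remove manager.exe or the older control binaries, so any version the script reports as "still registered" should still be uninstalled as the advisory recommends.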
Akamai Technologies Inc. has released a patch which addresses this issue. Information about downloadable vendor updates can be found at the URL shown below.
http://dlm.tools.akamai.com/tools/upgrade.html
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
02/10/2009 - Initial Contact
02/10/2009 - Initial response / PoC requested
02/17/2009 - PoC requested
02/19/2009 - PoC sent
03/27/2009 - Fix received for eval
03/31/2009 - Fix Validated to Vendor
07/21/2009 - Disclosure date set
07/22/2009 - Coordinated Public Disclosure
This vulnerability was reported to iDefense by Stephen Fewer of Harmony Security (www.harmonysecurity.com).
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
Copyright © 2009 Verisign, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any medium other than electronic, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.