Info |
Last Modified: about 1 year ago
|
|
Description |
Adobe Download Manager is affected by a remote buffer-overflow vulnerability. An attacker can exploit this issue by crafting a malicious AOM file and enticing a user to view a webpage containing the file. A successful attack may result in arbitrary code execution. This issue affects Adobe Download Manager 2.1 and prior versions.
|
|
Classification |
Location: Local Access Required, Remote/Network Access Required
Attack Type: Input Manipulation, Race Condition
Impact: Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
|
|
Technical |
AdobeDownloadManager.exe extracts download instructions from AOM files, which are essentially XML with an appended CRC32 in decimal, and commits the instructions to the file "%APPDATA%\dm.ini" for later processing. For instance, opening the following AOM file:

    <?aom encoding="UTF-8"?>
    <AdobeDownloadManager>
    </AOM>
    <DownloadRecord>
    <url>WelcomeToMyHumbleAdobe</url>
    </DownloadRecord>
    </AOM>
    </AdobeDownloadManager>3871966612

will generate the following lines in "dm.ini":

    [STARTUP]
    Status=IncompleteDownload
    [WelcomeToMyHumbleAdobe]
    StoreID=0
    TransactionID=0

When launched, whether or not it is supplied with an AOM file, AdobeDownloadManager.exe reads the entries from "dm.ini" and handles each described download according to its properties. It begins by reading a list of section names into a 400h-byte buffer using GetPrivateProfileStringA, then copies each section name into a 108h-byte stack buffer using strncpy with a length limit equal to the length of the section name string. The result is a relatively straightforward stack buffer overflow, with the only complication being the character restrictions.
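
The copy pattern described above, next to a bounded form, as an added example that is not Adobe's code and not part of the original entry. The names copy_name_checked, walk_sections, demo and struct tally are hypothetical, refusing oversized names is an assumed policy, and a plain C buffer stands in for the output of GetPrivateProfileStringA so the block runs on any platform.

```c
#include <stdio.h>
#include <string.h>
#define NAME_BUF 0x108  /* per-name stack buffer size quoted in the entry */
struct tally { int accepted; int rejected; };

/* Flawed shape: strncpy(name, cur, strlen(cur)) bounds the copy by the source.
 * Here the bound is the destination size; oversized names are refused. */
static int copy_name_checked(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size) return -1;   /* would not fit with its NUL */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Walk NUL-separated names ended by an empty name, the layout
 * GetPrivateProfileStringA returns when asked for all section names. */
static struct tally walk_sections(const char *list, size_t list_size)
{
    char name[NAME_BUF];
    struct tally t = {0, 0};
    size_t off = 0;
    while (off < list_size && list[off] != '\0') {
        const char *cur = list + off;
        const char *end = memchr(cur, '\0', list_size - off);
        if (end == NULL) break;       /* unterminated tail: stop parsing */
        size_t len = (size_t)(end - cur);
        if (copy_name_checked(name, sizeof name, cur, len) == 0)
            t.accepted++;
        else
            t.rejected++;
        off += len + 1;
    }
    return t;
}

/* Constructed input: two short names and one 0x200-byte name in a 0x400 list. */
static struct tally demo(void)
{
    char list[0x400] = {0};
    memcpy(list, "STARTUP\0WelcomeToMyHumbleAdobe", 31);
    memset(list + 31, 'A', 0x200);
    return walk_sections(list, sizeof list);
}

int main(void)
{
    struct tally t = demo();
    return printf("accepted=%d rejected=%d\n", t.accepted, t.rejected) < 0;
}
```

The 400h-byte list buffer can legitimately hold a single name far longer than 108h bytes, which is why the check has to sit at the per-name copy.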
|
|
Solution |
It is recommended that users uninstall Adobe Download Manager 2.1 and earlier using the instructions provided below.
|
|
Products |
Adobe Download Manager | 2.1
|
|
Credit |
- Anonymous through ZDI
- Derek Soeder - eEye