Download Accelerator Plus can be tricked to download malicious file

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Download Accelerator Plus can be tricked to download malicious file
From: visitbipin@xxxxxxxxxxx
Date: 4 Jan 2006 17:30:40 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Product(ONLY TESTED ON): Download Accelerator Plus 7.4.0.2 (unregistered)
Test Environment: Winxp Pro sp2 (patch level latest)
Risk Type: Rare exception
Threat Level: High
Vendor website:www.speedbit.com

POC screenshots: http://img482.imageshack.us/img482/4205/31uk.jpg 
http://img425.imageshack.us/img425/4380/15an.jpg


speedbit.com claims to have 110 million users of DAP world wide and is one of 
the popular and best download manager for windows. One of its biggest strength 
to download big files in a faster connection at optimum speed is, it can 
automatically search for best mirrors and download different parts of the file 
form multiple location.

BUT Download Accelerator Plus(DAP) may switch its download to a un trusted or 
malicious website while searching for fastest mirrors for a particular file 
under certain conditions. If the ACTUAL, trusted host providing the file is 
DOWN or due to network congestions the users may get and execute a malicious 
file instead.

I've included two screenshots which should be self explanatory. Check out the 
url?s in each screenshot and see from where the file is being received at the 
end.

In the screenshot I'm trying to download 'Windows 2003 sp1' from 
download.microsoft.com but DAP automatically chooses to download it only from 
ftp.planet.nl as my network was having tooooooooo low internet bandwidth at 
that time. 

Further more, on some network/OS there might be rules for MAX CONNECTION PER 
HOST and (say)if in the network someone is already downloading some file from 
download.microsoft.com the outcome will surely be a VIRTUAL network 
congensation for download.microsoft.com within that DMZ.

For my test I used another client computer behind the gateway to send 
continuous ping ( 17 different instants) to download.microsoft.com As a result, 
for my network download.microsoft.com was off the radar. So, in my another 
computer DAP chooses to download Win2003 sp1 from ftp.planet.nl instead. So, 
even after my network gained its full throttle... no-wounder DAP was still 
downloading the file from ftp.planet.nl 

My test network setup was a 3 computer PC which was left on default 
configuration with Winxp sp2 (patchlevel: latest)

Changes: This advisory is slightly modified than the one that I emailed to the 
vendor about a week back and tried contacting it, but with no response till now!

Result: I was receiving the file from an unknown and un-trusted source which 
could be infected with a malicious program.

BUT fyi: I haven't researched on HOW and WHERE 'DAP' queries to get other 
possible mirrors for the particular file.

Conclusion: I insist NOT to use download managers that does the same while 
downloading important files. Or either force your download manager and check 
whether the file is being downloaded from the original URL or not.

Regards,
-Bipin Gautam

Follow-Ups:
- RE: Download Accelerator Plus can be tricked to download malicious file
  - From: NaPa

Prev by Date: Another WMF exploit workaround
Next by Date: Re: WMF round-up, updates and de-mystification
Previous by thread: Another WMF exploit workaround
Next by thread: RE: Download Accelerator Plus can be tricked to download malicious file
Index(es):
- Date
- Thread