Vulnerability: My Getright

Affected: My Getright

Description:

The following is based on a Strumpf Noir Society advisory.

My GetRight is a free, easy-to-use member of the GetRight download manager family for MS Windows. It uses the same "click monitoring" method as the other GetRight versions to take over downloads from the web browser, but offers much more control and customization to web sites that provide files for download. My GetRight includes an option to customize its look while downloading, and remote web sites can even send the program skins to use for the session. There is a problem in the handling of these skin files that allows a malicious web site operator to stealthily write files anywhere on the user's system and to overwrite existing ones.

A customized look for a download is created with a .dld file, which holds the skin data and is placed in the same directory as the files to be downloaded. The file uses the Windows .INI format, with simple fields holding information such as graphics locations and download descriptions. If these fields are filled with long strings of random data, the client skin is parsed incorrectly, which kills the GUI for the rest of the session while the program itself keeps downloading. A side effect is that the client no longer displays informative messages of any kind. From that point on, if a queued file already exists on the user's hard drive, it is overwritten without any prompt.

The problem is made worse because the client can be tricked into a directory traversal through the filepath field of the same customization file. With a simple "../" a malicious web site operator can make the client write (or overwrite) any path on the user's system.

For this example we configured the My GetRight client to download all files to C:\Downloads and created a file test.zip in C:\. First we do a regular download. This kills the client GUI, but the file test.zip is still downloaded to the designated download directory (C:\Downloads):

http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test

Now that the client is using our "skin", no messages are displayed while the URL below overwrites the file in C:\ :

http://www.mygetright.com/cgi-bin/makedld.cgi?url=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Ftest.zip&skinurl=http%3A%2F%2Fwww.jianteq.net%2Fsns%2Ftest%2Fdefault.dld&filedesc=test&filepath=..%2F

Solution:

The vendor was notified and has verified the problem. A new version (v 1.0b) has been released which fixes both the directory traversal and the transparent-skin problem.
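The following is an added example, not code from the advisory or from GetRight. It models the two ingredients of the bug described above: a skin file in .INI syntax whose filepath field is trusted when the destination path is built, and oversized field values of the kind that killed the GUI. The [skin] section name, the keys other than filepath, the filename helper and the MAX_FIELD_LEN limit are assumptions made for illustration; the advisory only states that the file is Windows .INI format and names the filepath field. Windows path semantics are forced via ntpath so the example behaves the same on any host.

```python
# Added example (not the advisory's or GetRight's code): a .dld-style skin
# file parsed with configparser, the naive destination logic that lets
# filepath=../ escape the download directory, and a hardened resolver.
import configparser
import ntpath                       # Windows path rules regardless of host OS
from urllib.parse import unquote, urlsplit

DOWNLOAD_DIR = r"C:\Downloads"      # the configured download directory in the advisory
MAX_FIELD_LEN = 255                 # assumed sane limit; the advisory gives no real figure

# Constructed skin file. Section name and keys other than "filepath" are
# assumptions for illustration; "../" is the traversal the advisory used.
MALICIOUS_DLD = """\
[skin]
filedesc=test
filepath=../
"""


def parse_dld(text):
    """Parse a .dld skin file (INI syntax) into a flat dict of field values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["skin"])           # keys are lower-cased by configparser


def filename_from_url(url):
    """Take only the last path component of the download URL as the filename."""
    return ntpath.basename(unquote(urlsplit(url).path))


def naive_destination(download_dir, fields, filename):
    """What the vulnerable client effectively did: join filepath as given."""
    return ntpath.normpath(ntpath.join(download_dir, fields.get("filepath", ""), filename))


def safe_destination(download_dir, fields, filename):
    """Hardened resolver: refuse any destination that leaves download_dir."""
    base = ntpath.normpath(download_dir)
    target = ntpath.normpath(ntpath.join(base, fields.get("filepath", ""), filename))
    try:
        inside = ntpath.commonpath([base, target]).lower() == base.lower()
    except ValueError:
        inside = False                # e.g. filepath names a different drive letter
    if not inside:
        raise ValueError(f"filepath escapes download directory: {target}")
    return target


def oversized_fields(fields, limit=MAX_FIELD_LEN):
    """Names of fields whose values exceed the limit (the GUI-killing input)."""
    return [k for k, v in fields.items() if len(v) > limit]


if __name__ == "__main__":
    fields = parse_dld(MALICIOUS_DLD)
    name = filename_from_url("http://www.jianteq.net/sns/test/test.zip")
    print("naive :", naive_destination(DOWNLOAD_DIR, fields, name))
    try:
        safe_destination(DOWNLOAD_DIR, fields, name)
    except ValueError as exc:
        print("safe  :", exc)
```

The check compares the normalized target against the download directory rather than scanning for "../", because a `..\` spelled with a backslash, an absolute filepath, or a different drive letter would all slip past a substring filter; normalizing first and then testing containment catches every one of them.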