Just an update: DAP searches for all its mirrors from mirrorsearch.speedbit.com

I have no knowledge about HOW the mirrors are gathered. Still waiting for DAP developers to comment on this.

regards,
-Bipin Gautam
http://bipin.tk

On 1/4/06, Bipin Gautam <[EMAIL PROTECTED]> wrote:
> Product (ONLY TESTED ON): Download Accelerator Plus 7.4.0.2 (unregistered)
> Test Environment: Winxp Pro sp2 (patch level latest)
> Risk Type: Rare exception
> Threat Level: High
> Vendor website: www.speedbit.com
>
> POC screenshots:
> http://img482.imageshack.us/img482/4205/31uk.jpg
> http://img425.imageshack.us/img425/4380/15an.jpg
>
> speedbit.com claims to have 110 million users of DAP worldwide, and it is
> one of the most popular and best download managers for Windows. One of its
> biggest strengths in downloading big files on a faster connection at
> optimum speed is that it can automatically search for the best mirrors and
> download different parts of the file from multiple locations.
>
> BUT Download Accelerator Plus (DAP) may switch its download to an
> untrusted or malicious website while searching for the fastest mirrors for a
> particular file under certain conditions. If the ACTUAL, trusted host
> providing the file is DOWN, or due to network congestion, users may
> get and execute a malicious file instead.
>
> I've included two screenshots which should be self-explanatory. Check
> out the URLs in each screenshot and see from where the file is being
> received at the end.
>
> In the screenshot I'm trying to download 'Windows 2003 sp1' from
> download.microsoft.com, but DAP automatically chooses to download it
> only from ftp.planet.nl as my network was having tooooooooo low
> internet bandwidth at that time.
>
> Furthermore, on some networks/OSes there might be rules for MAX
> CONNECTIONS PER HOST, and (say) if in the network someone is already
> downloading some file from download.microsoft.com, the outcome will
> surely be a VIRTUAL network congestion for download.microsoft.com
> within that DMZ.
>
> For my test I used another client computer behind the gateway to send
> continuous pings (17 different instances, fat ping requests ;0) to
> download.microsoft.com. As a result, for my network
> download.microsoft.com was off the radar. So, on my other computer
> DAP chose to download Win2003 sp1 from ftp.planet.nl instead. So,
> even after my network regained its full throttle... no wonder DAP was
> still downloading the file from ftp.planet.nl.
>
> My test network setup was a 3-computer PC setup which was left on the default
> configuration with Winxp sp2 (patchlevel: latest).
>
> Changes: This advisory is slightly modified from the one that I
> emailed to the vendor about a week back; I tried contacting them, but
> with no response till now!
>
> Result: I was receiving the file from an unknown and untrusted source
> which could be infected with a malicious program.
>
> BUT fyi: I haven't researched HOW and WHERE 'DAP' queries to get
> other possible mirrors for the particular file.
>
> Conclusion: I insist on NOT using download managers that do the same
> while downloading important files. Or else force your download
> manager, and check whether the file is being downloaded from the
> original URL or not.
>
> Regards,
> -Bipin Gautam
> --

-- 
Bipin Gautam
http://bipin.tk
Zeroth law of security: The possibility of poking a system from lower privilege is zero unless & until there is possibility of direct, indirect or consequential communication between the two...
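A defender-side check along the lines of the advisory's conclusion, added here as an example that is not part of the original post and not DAP's own code: it parses a constructed multi-source download log (the log format and file path are assumptions), flags every segment served by a host other than the original URL's host or an explicitly trusted mirror, and, where the publisher has published a SHA-256 for the file (assumed available), lets that digest decide instead of the mirror list.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample, mirroring the advisory's scenario: the user asked for a
# file from download.microsoft.com, but most segments were served by
# ftp.planet.nl. The log format and the file path are assumptions.
ORIGINAL_URL = "http://download.microsoft.com/download/example/W2K3SP1.exe"
SEGMENT_LOG = """\
segment=0 bytes=0-1048575 from=http://download.microsoft.com/download/example/W2K3SP1.exe
segment=1 bytes=1048576-2097151 from=ftp://ftp.planet.nl/pub/mirror/W2K3SP1.exe
segment=2 bytes=2097152-3145727 from=ftp://ftp.planet.nl/pub/mirror/W2K3SP1.exe
"""

def parse_segment_sources(log_text):
    """Map each segment index to the hostname that actually served it."""
    sources = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(field.split("=", 1) for field in line.split())
        sources[int(fields["segment"])] = urlparse(fields["from"]).hostname
    return sources

def untrusted_segments(original_url, sources, trusted_mirrors=()):
    """Segments served by a host other than the original host or a trusted mirror."""
    allowed = {urlparse(original_url).hostname, *trusted_mirrors}
    return {idx: host for idx, host in sources.items() if host not in allowed}

def digest_matches(data, expected_sha256):
    """True only when the assembled file hashes to the publisher's digest; this
    check holds no matter which mirror served the bytes."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()

def audit_download(original_url, log_text, data, expected_sha256=None, trusted_mirrors=()):
    """Return (safe, report). With a publisher digest, the hash decides;
    without one, any segment from a foreign host is reason to discard the file."""
    sources = parse_segment_sources(log_text)
    foreign = untrusted_segments(original_url, sources, trusted_mirrors)
    if expected_sha256 is not None:
        safe = digest_matches(data, expected_sha256)
    else:
        safe = not foreign
    return safe, {"sources": sources, "untrusted_segments": foreign}

if __name__ == "__main__":
    # b"abc" and its SHA-256 stand in for a real file and a publisher digest.
    digest = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print(audit_download(ORIGINAL_URL, SEGMENT_LOG, b"abc", digest))
    print(audit_download(ORIGINAL_URL, SEGMENT_LOG, b"abc"))
```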
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
