COMMAND
Accelerator Pro
SYSTEMS AFFECTED
Accelerator Pro
PROBLEM
Auriemma Luigi found the following. Download Accelerator Pro is
one of the most popular and most downloaded programs for
accelerating file downloads. Luigi was testing the latest version
of DAP (4.3.02) on all the Microsoft operating systems; these are
the "strange things".
1) Win9x UNICODE
================
If we try to download a file (whether it exists or not) whose
name contains a unicode char (%01, %02, ...), the web browser
into which DAP is integrated for file downloads freezes. If we go
to the DAP program window (which stays in the system tray and
does NOT alert the user with a window on top), we can see the
message "Internal Application Error", and the file is NOT
reported in the download list. When we close this alert window,
the browser If we retry to download the same file, the download
window opens and we receive the following alert message:
Microsoft Visual C++ Runtime Library
Runtime Error!
Program C:\Program Files\DAP\DAP.EXE
abnormal program termination
After a few seconds DAP kills itself, and it does NOT report the
download in its file list.
If instead we try to download other files with the unicode char
in their names, DAP alerts with "Internal Application Error", and
ONLY after 2 downloads of the same file does DAP kill itself.
These are some examples that we can enter in IE, Netscape or DAP:
1) http://127.0.0.1/%01.zip
2) http://127.0.0.1/test%03.mp3
3) http://host.com/%04test.exe
4) http://host.com/test%01%03%08test.mpg
ONLY SOME of the unicode chars trigger the problem.
2) WinNT/2k long filename
=========================
If we enter the following string in our browser, DAP gives the
SAME errors as in "Win9x UNICODE" (first the internal error, then
the Visual C++ error and the kill):
http://127.0.0.1/aaaaaaa(until we arrive at the end).zip
SOLUTION
Nothing yet.
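A check a download client can apply to a URL-derived filename before using it, covering both inputs described above (escaped control bytes and an over-long name). This is an added example, not DAP's code and not from the advisory, which does not state the root cause; filename_from_url, the status names and the 255-byte limit are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit for one filename component; not a value from the advisory. */
#define MAX_NAME_LEN 255

enum name_status { NAME_OK, NAME_EMPTY, NAME_BAD_ESCAPE, NAME_CONTROL_CHAR, NAME_TOO_LONG };

static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/*
 * Percent-decode the last path segment of `url` into `out` (capacity `cap`).
 * Rejects malformed escapes, decoded control bytes (0x00-0x1f, 0x7f) and
 * names longer than MAX_NAME_LEN, so the caller never sees such a name.
 */
enum name_status filename_from_url(const char *url, char *out, size_t cap)
{
    const char *path = strstr(url, "://");
    path = path ? path + 3 : url;
    path += strcspn(path, "/?#");                 /* skip host part */
    const char *end = path + strcspn(path, "?#"); /* drop query/fragment */
    const char *seg = end;
    size_t n = 0;

    while (seg > path && seg[-1] != '/') seg--;   /* start of last segment */
    if (seg == end) return NAME_EMPTY;

    for (const char *p = seg; p < end; p++) {
        unsigned char ch = (unsigned char)*p;
        if (ch == '%') {
            int hi = (end - p > 2) ? hex_val((unsigned char)p[1]) : -1;
            int lo = (end - p > 2) ? hex_val((unsigned char)p[2]) : -1;
            if (hi < 0 || lo < 0) return NAME_BAD_ESCAPE;
            ch = (unsigned char)(hi * 16 + lo);
            p += 2;
        }
        if (ch < 0x20 || ch == 0x7f) return NAME_CONTROL_CHAR;
        if (n >= MAX_NAME_LEN || n + 1 >= cap) return NAME_TOO_LONG;
        out[n++] = (char)ch;
    }
    out[n] = '\0';
    return NAME_OK;
}
```

The decoded name is only valid when the function returns NAME_OK; on any other status the contents of the output buffer must not be used.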