Buffer Overflow Error in Download Accelerator Plus
Summary
We are going to apply an Input Constraint attack to test the search feature of Download Accelerator Plus (DAP) v7.0 (a download manager). The feature under test lets users search the Internet for different types of files. It turns out that it does no bounds checking on the length of the input. As a result, long input causes a buffer overflow and some of the user's data can be lost.
Application Description
Download Accelerator Plus (DAP) accelerates the download speed from FTP and HTTP protocols by simultaneously downloading several file segments from the same or different servers. The application enables the user to pause and resume downloads, and to recover from a dropped Internet connection. (Source: www.speedbit.com).

For this test we will focus on the search function.
This function can be used to search for certain types of files on the Internet - programs, music, movies and games. After performing the search, DAP will open a browser page with the results.
Test Design
This example demonstrates the use of risk-based testing (and more specifically attacks). Sometimes software is developed with the assumption that things that are unlikely to happen need not be considered. As a result, buffer overflow vulnerabilities might be introduced. One way to test for them is by applying an Input Constraint attack (James Whittaker, How to Break Software).
In this example we will perform the test by entering a very long text input in the Song title field of DAP. The application should not allow input that is larger than the corresponding buffer, and our goal is to verify that.
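The bounds check this test looks for, sketched in C as an added example; it is not DAP's code, which the page does not show. `TITLE_MAX`, `store_title` and `probe_length` are hypothetical names, and the 64-byte field capacity is an assumed value.

```c
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64 /* assumed capacity of the field, including the NUL */

/* Unchecked pattern the test hunts for (contrast only, never executed):
 *     strcpy(field, input);    writes past 'field' when input is too long */

/* Hardened form: reject input that does not fit. Returns 0 if stored, -1 if rejected. */
int store_title(char *dst, size_t dst_size, const char *in)
{
    const char *nul;
    if (dst == NULL || in == NULL || dst_size == 0)
        return -1;
    nul = memchr(in, '\0', dst_size);  /* look no further than dst_size bytes */
    if (nul == NULL)                   /* no terminator in range: too long */
        return -1;
    memcpy(dst, in, (size_t)(nul - in) + 1);
    return 0;
}

/* Input Constraint probe: submit 'len' characters and check that guard bytes
 * placed right after the buffer are untouched.
 * Returns 1 = accepted, 0 = rejected, -1 = guard corrupted, -2 = bad len. */
int probe_length(size_t len)
{
    struct { char title[TITLE_MAX]; unsigned char guard[8]; } field;
    static char input[8192];           /* constructed test input */
    size_t i;
    int rc;
    if (len >= sizeof input)
        return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    memset(field.guard, 0xA5, sizeof field.guard);
    rc = store_title(field.title, sizeof field.title, input);
    for (i = 0; i < sizeof field.guard; i++)
        if (field.guard[i] != 0xA5)
            return -1;
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    size_t lens[] = { 0, TITLE_MAX - 1, TITLE_MAX, TITLE_MAX + 1, 4000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %4lu -> %d\n", (unsigned long)lens[i], probe_length(lens[i]));
    return 0;
}
```

The lengths probed sit on both sides of the boundary (capacity minus one, capacity, capacity plus one) plus one far beyond it, which is where a missing or off-by-one check shows up.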
Performing the Test
Results/Relevance
The result is that the application just shuts down without displaying any error message.
The problem can be reproduced while there is a download in progress, which will result in the loss of the file that is being downloaded (see similar tests). This behavior is an inconvenience for the user, but the real problem is that it can result in the loss of data.
The two main purposes of download managers like DAP are to increase the download speed and offer the user the ability to resume a download that has been interrupted. This bug impairs the second functionality.
Similar Tests/Additional Notes
In this test we will reproduce the bug while there is a download in progress. The goal is to find out if the bug can result in data loss.
Start downloading a large file. Then select Search from the toolbar and enter many characters in the Song title field.

The application shuts down again, and when it is restarted and the download is resumed, it starts downloading from the beginning. The 43% that had already been downloaded was lost.

Configuration
Testing SpeedBit's Download Accelerator Plus v7.0 on: