From: Andrew G. Tereschenko (secure.bugtraq_at_tag.odessa.ua)
Date: Sat Aug 17 2002 - 18:40:22 CDT


    Hi reader,

    I would like to inform you about multiple security
    vulnerabilities in the Microsoft File Transfer
    Manager (FTM) ActiveX control, used for secure file
    delivery to/from Microsoft prior to June 2002.

    All vulnerabilities known to me were reported to Microsoft
    (to the FTM Product Manager and Security Team).
    Microsoft is likely to have all of them fixed in FTM version 4.0
    (released June 2002).
    Kill bit settings to prevent use of the vulnerable ActiveX control
    are expected in the latest IE update (August 2002?).

    Microsoft prepared a draft alert message on 2 Aug 2002,
    but no FTM user has been notified about this security risk so far.
    I would like to provide this draft message here
    as the vendor's view of the problem:

    "Dear Microsoft Customer -
       The Microsoft Security Response Center has learned of a
    security vulnerability affecting a software component
    used only by members of certain Microsoft customer programs.
    You've received this mail because you have registered as a
    member of one of the programs and may have come in contact
    with the component that contains the vulnerability.
    Microsoft believes that only a small number of customers
    actually are at risk, but we do urge you to use the following
    information to ensure that your system is secure.
       The vulnerability could enable an attacker to gain control
    over another user's system. It lies in a software component
    called the File Transfer Manager (FTM), the purpose of which
    is to allow members of Microsoft beta programs, MSDN,
    Microsoft Volume Licensing Services, and a small number of
    other Microsoft programs to download software from certain
    Microsoft sites. The FTM is only distributed through these
    programs, but not every member has installed it.
    Even among customers who have installed it, not all are at risk,
    as only certain old versions used prior to June 2002 contain
    the vulnerability.

       Microsoft recommends that all customers receiving this mail
    determine whether the FTM is installed on their systems and,
    if so, ensure that they have either upgraded to the
    latest version (FTM 4.0) or removed the vulnerable version.
    A web page (http://transfers.one.microsoft.com/ftm/install)
    is available that provides step-by-step instructions for doing this.
    The entire process takes only minutes.

    We at Microsoft sincerely apologize for any inconvenience,
    and look forward to continuing to work with you as a member
    of a Microsoft customer program.

    The Microsoft Security Response Center"

    As for the technical details of this bug,
    I would like to make them public because
    I have a small disagreement about the risks identified.

    Risk No. 1:

    The FTM ActiveX control has a buffer overflow when parsing
    input strings passed via script to the "Persist" function.
    One confirmed scenario is a long (>12Kb) string used
    as the "TS=" (TransferSession?) value.

    Since this control is signed by Microsoft
    and marked as safe for scripting, any website can
    install it (with a minor warning, or with no warning
    at all if the user trusts Microsoft Corp.)
    and exploit this vulnerability via script.

    Exposure for this risk is medium-high, not a
    "small number of customers".

    Risk No. 2:

    The FTM ActiveX control can add any download/upload item to
    the list of scheduled items, to/from any folder on the user's
    disk, without any user approval.
    This is done by setting the "TGT=" and "TGN=" params
    in a call to the "Persist" function.

    This allows any file to be downloaded to or uploaded from
    the user's PC if a third-party server is able to
    return the limited set of responses that
    Microsoft's web servers do.

    Prior to June 2002 this could easily be done
    with a man-in-the-middle setup: a dumb TCP proxy to the
    Microsoft servers, with the proxy's location passed in the
    "URL=" param of the "Persist" calls.
    Whether this risk is currently exploitable is unconfirmed,
    because all Microsoft servers have been upgraded to version 4.0,
    but it is possible that the algorithm for the AUTHDATA param
    used to validate clients/servers is weak.

    There was an FTM bug where, if the server returned
    "EncryptionPercentage: 0" during an upload session,
    the FTM client would send the file exactly as it is on disk.
    This bug was fixed about 6 months ago, prior to the 4.0 release,
    but it shows that no strong security review was done
    while coding this ActiveX control.

    I would recommend that all users search for TransferMgr.exe
    inside "%SYSTEMROOT%\Downloaded Program Files" and, if the
    file is found, take the steps advised at
    http://transfers.one.microsoft.com/ftm/install.
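    An added example (not part of the original advisory) that automates the check above on a Windows host: it looks for TransferMgr.exe in the Downloaded Program Files folder, reports its file version against the 4.0 fix level, and shows whether IE's kill bit is set for the control. The CLSID is a placeholder, since the advisory does not give it; the registry key and the 0x400 kill-bit flag are standard IE ActiveX Compatibility settings.

```powershell
# Added example, not code from the original advisory or from Microsoft.
# Placeholder: the advisory does not give the FTM control's CLSID, so
# substitute the real one before relying on the kill-bit result.
$FtmClsid = '{CLSID-OF-FTM-CONTROL}'

function Get-FtmStatus {
    # The advisory says the control's executable lives here.
    $exe = Join-Path $env:SystemRoot 'Downloaded Program Files\TransferMgr.exe'
    $status = [ordered]@{
        Installed  = $false
        Path       = $exe
        Version    = $null
        Vulnerable = $null
        KillBitSet = $false
    }

    if (Test-Path -LiteralPath $exe) {
        $status.Installed = $true
        $raw = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $status.Version = $raw
        # Fixes shipped in FTM 4.0 (June 2002): anything older is affected.
        try {
            $status.Vulnerable = ([version]$raw) -lt [version]'4.0'
        } catch {
            $status.Vulnerable = 'unknown (unparseable version string)'
        }
    }

    # IE honours a kill bit when bit 0x400 is set in "Compatibility Flags"
    # under the ActiveX Compatibility key for the control's CLSID.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FtmClsid"
    if (Test-Path -LiteralPath $key) {
        $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
        $status.KillBitSet = (($flags -band 0x400) -ne 0)
    }

    [pscustomobject]$status
}

Get-FtmStatus | Format-List
```

    A result of Installed = True with Vulnerable = True and KillBitSet = False is the case the advisory warns about; follow the vendor's install page to upgrade or remove the control.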

    Feedback can be directed to the author:

    Andrew G. Tereschenko
    TAG Software Research Lab
    Odessa, Ukraine