From: Andrew G. Tereschenko (secure.bugtraq_at_tag.odessa.ua)
Date: Sat Aug 17 2002 - 18:40:22 CDT
I would like to inform you about multiple security
vulnerabilities in the Microsoft File Transfer
Manager (FTM) ActiveX control used for secure file
delivery to/from Microsoft prior to June 2002.
All vulnerabilities known to me were reported to Microsoft
(to the FTM Product Manager and Security Team).
Microsoft is likely to have all of them fixed in FTM version 4.0
(released June 2002).
Kill bit settings to prevent use of the insecure ActiveX control
are expected to be in the latest IE update (August 2002?).
Microsoft prepared a draft alert message on 2 Aug 2002,
but not a single FTM user has been notified about this security risk up to now.
I would like to provide this draft message here
as the vendor's view on this problem:
"Dear Microsoft Customer -
The Microsoft Security Response Center has learned of a
security vulnerability affecting a software component
used only by members of certain Microsoft customer programs.
You've received this mail because you have registered as a
member of one of the programs and may have come in contact
with the component that contains the vulnerability.
Microsoft believes that only a small number of customers
actually are at risk, but we do urge you to use the following
information to ensure that your system is secure.
The vulnerability could enable an attacker to gain control
over another user's system. It lies in a software component
called the File Transfer Manager (FTM), the purpose of which
is to allow members of Microsoft beta programs, MSDN,
Microsoft Volume Licensing Services, and a small number of
other Microsoft programs to download software from certain
Microsoft sites. The FTM is only distributed through these
programs, but not every member has installed it.
Even among customers who have installed it, not all are at risk,
as only certain old versions used prior to June 2002 contain
Microsoft recommends that all customers receiving this mail
determine whether the FTM is installed on their systems and,
if so, ensure that they have either upgraded to the
latest version (FTM 4.0) or remove the vulnerable version.
A web page (http://transfers.one.microsoft.com/ftm/install)
is available that provides step-by-step instructions for doing this.
The entire process takes only minutes.
We at Microsoft sincerely apologize for any inconvenience,
and look forward to continuing to work with you as a member
of a Microsoft customer program.
The Microsoft Security Response Center"
As for the technical details of this bug,
I would like to provide them to the public because
I have a little disagreement on the risks identified.
The FTM ActiveX control has a buffer overflow while parsing
input strings passed via script to the "Persist" function.
One of the confirmed scenarios is a long (>12Kb) string used
as the "TS=" (TransferSession?) value.
Taking into account that this control is signed by Microsoft
and marked as safe for scripting, it is possible for
any website to install it (with a little warning,
or without any warning if the user trusts MSFT Corp.)
and exploit this vulnerability via script.
Distribution for this risk is medium-high, not a
"small number of customers".
The FTM ActiveX control can add any download/upload item to the
list of scheduled items without any user approval,
to/from any folder on the user's disk.
This can be done by setting the "TGT=" and "TGN=" params
during a call to the "Persist" function.
This can allow downloading or uploading any file to/from the
user's PC if a third-party server is able to
give some limited number of responses just like
Microsoft web servers do.
This could easily be done (prior to June 2002)
using a man-in-the-middle practice: making a dumb
TCP proxy to Microsoft servers and pointing to your
proxy location in the "URL=" param in "Persist" calls.
Currently possible usage of this risk is unconfirmed
because all Microsoft servers were upgraded to the 4.0 version.
But it may be possible that the algorithm for the AUTHDATA param
used for validation of clients/server is weak.
There was an FTM bug where, if the server returned
"EncryptionPercentage: 0" during an upload session,
the FTM client would send the file just as it is on disk.
This bug was fixed about 6 months ago, prior to the 4.0 release,
but it shows that no strong security review was done
during coding of this ActiveX.
I would like to recommend that all users search for TransferMgr.exe
inside "%SYSTEMROOT%\Downloaded Program Files" and take the
steps advised at http://transfers.one.microsoft.com/ftm/install
if the file is found.
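A host check for the recommendation above, added here as an example and not part of the original advisory: it looks for TransferMgr.exe under the Downloaded Program Files folder and flags copies older than the fixed 4.0 release. It assumes the control's file version field reflects the FTM release number.

```powershell
# Added example (not the advisory author's code): locate the FTM ActiveX
# control and report whether it predates the fixed FTM 4.0 release.
# Assumption: TransferMgr.exe carries a file version matching the FTM
# release number, so anything below 4.0 is treated as vulnerable.

$dpf = Join-Path $env:SystemRoot 'Downloaded Program Files'
$fixedVersion = [Version]'4.0'

if (-not (Test-Path -LiteralPath $dpf)) {
    Write-Output "Folder '$dpf' not found; no IE-installed controls present."
    return
}

$hits = Get-ChildItem -LiteralPath $dpf -Recurse -File `
    -Filter 'TransferMgr.exe' -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output 'TransferMgr.exe not found; no action needed.'
    return
}

foreach ($file in $hits) {
    $info = $file.VersionInfo
    $ver = $null
    # Prefer the binary version fields; fall back to parsing the string
    # field (which may use "4, 0, 0, 1" style separators).
    if ($info.FileVersionRaw) {
        $ver = $info.FileVersionRaw
    } elseif ($info.FileVersion) {
        $text = (($info.FileVersion -replace ',\s*', '.') -split '\s+')[0]
        [void][Version]::TryParse($text, [ref]$ver)
    }

    $status = if (-not $ver) {
        'version unknown; treat as vulnerable and follow the vendor page'
    } elseif ($ver -lt $fixedVersion) {
        'VULNERABLE (older than FTM 4.0); remove or upgrade per the vendor page'
    } else {
        'at or above FTM 4.0'
    }
    Write-Output ("{0}`n  version: {1}`n  status:  {2}" -f $file.FullName, $ver, $status)
}
```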
Feedback can be directed to the author:
--
Andrew G. Tereschenko
securetag.odessa.ua
TAG Software Research Lab
Odessa, Ukraine