FTM ActiveX buffer overflow etc.
20th Aug 2002 [SBWID-5645]
COMMAND

Microsoft File Transfer Manager buffer overflow, arbitrary file upload/download

SYSTEMS AFFECTED

Microsoft File Transfer Manager (FTM) ActiveX control prior to June 2002.

PROBLEM

Andrew G. Tereschenko [secure@tag.odessa.ua] of TAG Software Research Lab says:

Risk No1:

FTM ActiveX control has a buffer overflow during parsing of input strings passed via script to the "Persist" function. One of the confirmed scenarios is a long (>12Kb) string used as the "TS=" (TransferSession?) value.

Taking into account that this control is signed by Microsoft and marked as safe for scripting, it's possible for any website to install it (with a little warning, or without any warning in case the user trusts MSFT Corp.) and exploit this vulnerability via script.

Risk No2:

FTM ActiveX control can add any download/upload item to the list of scheduled items without any user approval, to/from any folder on the user's disk. This can be done by setting the "TGT=" and "TGN=" params during a call to the "Persist" function.

This can allow downloading or uploading any file to/from the user's PC in case a third-party server is able to give some limited number of responses just like Microsoft webservers do.

This can be easily done (prior to June 2002) by using a man-in-the-middle practice, making a dumb TCP proxy to Microsoft servers and pointing to your proxy location in the "URL=" param in "Persist" calls. Currently, possible usage of this risk is unconfirmed because all Microsoft servers were upgraded to version 4.0. But it is possible that the algo for the AUTHDATA param used for validation of clients/server is weak.

NOTE:
=====

There was an FTM bug: in case the server returns "EncryptionPercentage: 0" during an upload session, the FTM client will send the file just as it is on disk. This bug was fixed prior to the 4.0 release about 6 months ago, but it can show that no strong security review was done during coding of this ActiveX.

SOLUTION

Search for TransferMgr.exe inside "%SYSTEMROOT%\Downloaded Program Files" and take FTM 4.0 or remove the vulnerable version.
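
One way to carry out the search described above on a Windows host, as an added PowerShell example (not part of the original advisory). The function name Get-FtmCopyStatus is hypothetical, and the script assumes the version resource of TransferMgr.exe reflects the FTM release, so any copy below 4.0 is flagged:

```powershell
# Added example, not from the advisory.
# Assumption: the file version resource of TransferMgr.exe tracks the FTM
# release, so a copy reporting a version below 4.0 is treated as vulnerable.
$FixedVersion = [version]'4.0'
$Root = Join-Path $env:SystemRoot 'Downloaded Program Files'

function Get-FtmCopyStatus {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]  $Path,
        [Parameter(Mandatory)] [version] $Fixed
    )
    $info = (Get-Item -LiteralPath $Path -Force).VersionInfo
    if ([string]::IsNullOrWhiteSpace($info.FileVersion)) {
        # No version resource: the copy cannot be shown to be 4.0, so flag it.
        $version = $null
        $status  = 'UNKNOWN (no version resource)'
    }
    else {
        # Compare on the numeric major/minor fields, not the free-form string.
        $version = [version]("{0}.{1}" -f $info.FileMajorPart, $info.FileMinorPart)
        $status  = if ($version -lt $Fixed) { 'VULNERABLE (pre-4.0)' } else { 'OK' }
    }
    [pscustomobject]@{
        Path     = $Path
        Version  = $version
        Modified = (Get-Item -LiteralPath $Path -Force).LastWriteTime
        Status   = $status
    }
}

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Output "Directory not present: $Root"
}
else {
    # -Force includes hidden/system entries; -Recurse covers conflict subfolders.
    $copies = Get-ChildItem -LiteralPath $Root -Filter 'TransferMgr.exe' `
                  -Recurse -Force -File -ErrorAction SilentlyContinue
    if (-not $copies) {
        Write-Output "TransferMgr.exe not found under $Root"
    }
    else {
        $copies |
            ForEach-Object { Get-FtmCopyStatus -Path $_.FullName -Fixed $FixedVersion } |
            Format-Table -AutoSize
    }
}
```

Any copy reported as VULNERABLE or UNKNOWN is a candidate for the upgrade or removal the advisory recommends.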
		

	
