Bugtraq: Multiple security vulnerabilities inside Microsoft File Transfer Manager ActiveX control (<4.0) [buffer overflow, arbitrary file upload/download]

["Andrew G. Tereschenko" <secure.bugtraq () tag odessa ua>]

Hi reader,

I would like to inform you about multiple security
vulnerabilities  in Microsoft File Transfer 
Manager (FTM) ActiveX control used for secure file
delivery to/from Microsoft prior to June 2002.

All known to me vulnerabilities was reported to Microsoft 
(to FTM Product Manager and Security Team).
Microsoft is likely to have all of them fixed in FTM version 4.0 
(released June 2002).
Kill bit settings to prevent use of security infected ActiveX 
is expected to be in latest IE update (August 2002?).

Microsoft has prepared draft of alert message on 2 Aug 2002.
But no one FTM user was notified about this security risk up to now.
I would like to provide this draft message here 
as a vendor view on this problem:

"Dear Microsoft Customer -
   The Microsoft Security Response Center has learned of a
security vulnerability affecting a software component 
used only by members of certain Microsoft customer programs.
You've received this mail because you have registered as a
member of one of the programs and may have come in contact
 with the component that contains the vulnerability.  
Microsoft believes that only a small number of customers 
actually are at risk, but we do urge you to use the following
information to ensure that your system is secure.
 
   The vulnerability could enable an attacker to gain control 
over another user's system.  It lies in a software component
called the File Transfer Manager (FTM), the purpose of which
is to allow members of Microsoft beta programs, MSDN, 
Microsoft Volume Licensing Services, and a small number of 
other Microsoft programs to download software from certain 
Microsoft sites.  The FTM is only distributed through these
 programs, but not every member has installed it.
Even among customers who have installed it, not all are at risk,
as only certain old versions used prior to June 2002 contain 
the vulnerability.  

   Microsoft recommends that all customers receiving this mail 
determine whether the FTM is installed on their systems and,
if so, ensure that they have either upgraded to the 
latest version (FTM 4.0) or remove the vulnerable version.  
A web page (http://transfers.one.microsoft.com/ftm/install) 
is available that provides step-by-step instructions for doing this.  
The entire process takes only minutes. 

We at Microsoft sincerely apologize for any inconvenience, 
and look forward to continuing to work with you as a member
of a Microsoft customer program. 

Regards,
The Microsoft Security Response Center"


As for a technical details of this bug 
i would like to provide them to public decouse 
i have a little disagreement on risks identified.

======================================================
Risk No1:

FTM ActiveX control has a buffer overflow during parsing 
input strings passed via script to "Persist" function.
One of confirmed scenarios is a long (>12Kb) string used
as "TS=" (TransferSession?) value.

Taking in account that this control is signed by Microsoft
and marked as safe for scripting it's possible for 
any website to install it (with a little warning,
or without any warning in case if user trust MSFT Corp.)
and exploit this vulnerability via script.


Distribution for this risk a medium-high, not a 
"small number of customers"


Risk No2:

FTM ActiveX control can add any download/upload item in 
list of scheduled items without any user approval 
to/from any folder on user disk.
This can be done by setting "TGT=" and "TGN=" params
during call to "Persist" function.

This can allow to download or upload any file to/from
user PC in case if third-party server will be able to 
give some limited number of responses just like 
Microsoft webservers does.

This can be easily done (prior to June 2002)
by using man-in-the-middle practice by making dumb 
TCP proxy to microsoft servers and pointing to your 
proxy location in "URL=" param in "Persist" calls.
Currently possible usage of this risk is unconfirmed
becouse all Microsoft servers was upgraded to 4.0 version
But it can be possible that algo for AUTHDATA param 
used validation of clients/server is week.

NOTE: 
There was FTM bug in case if server will return 
"EncryptionPercentage: 0" during upload session,
FTM client will sent file just like it is on disk.
This bug was fixed prior to 4.0 release about 6 months ago
but it can show that no strong security review was done 
during coding of this ActiveX.


I would like to recomend all users to search for TransferMgr.exe
inside "%SYSTEMROOT%\Downloaded Program Files" and take 
steps advised in http://transfers.one.microsoft.com/ftm/install in case 
if file found.

Feedback can be directed to the author:
--
Andrew G. Tereschenko
secure () tag odessa ua
TAG Software Research Lab
Odessa, Ukraine