Microsoft File Transfer Manager ActiveX control buffer overflow allows arbitrary
code
Risk: High
Date Discovered: 08-19-2002
Description
The Microsoft File Transfer Manager (FTM) ActiveX control contains a buffer
overflow vulnerability and allows arbitrary file upload and download. All FTM
versions earlier than 4.0 are at risk.
The Microsoft File Transfer Manager ActiveX control is used to allow beta test
customers and users in other Microsoft customer programs to download files from
specific Microsoft sites.
The buffer overflow vulnerability, which exists in the Persist function, is
exploited when input strings that are passed via script are parsed. The FTM
ActiveX control can also add file downloads or uploads, to or from any folder
on disk, to its list of scheduled items without user approval. Exploitation
could potentially enable an attacker to execute arbitrary code and gain control
of the system. Because this ActiveX control is signed by Microsoft, the control
can be installed without any warnings if a user has chosen to always trust content
from Microsoft.
To find out if the File Transfer Manager Client is installed:
- From a command prompt, change to the %SystemRoot%\Downloaded Program Files\
directory.
- Type TransferMgr.exe and press Enter.
If TransferMgr.exe does not exist, FTM is not installed.
To verify your FTM version:
- From the control menu in the upper-left corner of the FTM Client window,
click About.
Platforms Affected: Windows
Components Affected
Microsoft File Transfer Manager - All versions earlier than 4.0
Recommendations
Upgrade:
Microsoft File Transfer Manager 4.0
Upgrading to Microsoft File Transfer Manager 4.0 eliminates these vulnerabilities.
Workaround:
Disable ActiveX in Internet Explorer
You can prevent an ActiveX control from running in Internet Explorer by setting
the Kill Bit so that the control is never called by Internet Explorer. The
Kill Bit is a specific value for the Compatibility Flag value in the registry.
Note that this is different from revoking the "safe for scripting" option
in an ActiveX control. When the "safe for scripting" option is revoked, Internet
Explorer still calls for the control and then prompts you with a warning message
that the ActiveX control may be unsafe. Depending on the choice you make,
the control may be run. However, after the "Kill Bit" is set for an ActiveX
control, that control is not called by Internet Explorer at all.
To set the Kill Bit so that an ActiveX control is never called by Internet
Explorer:
- Use Registry Editor to view the data value of the Compatibility Flag
of the ActiveX object CLSID in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID of the ActiveX control>
<CLSID of the ActiveX control> is the class ID of the appropriate ActiveX
control.
To determine which CLSID corresponds with the ActiveX control that you want
to disable, first remove all of the ActiveX controls that are currently
installed. Then install the control that you want to disable and add the
Kill Bit to its CLSID.
- Change the value of the Compatibility Flag data value to:
Compatibility Flag: 00000400
Warning: Microsoft recommends that you do not undo a kill action
(unkilling) on an ActiveX control. Doing so may create security vulnerabilities.
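
The Kill Bit procedure above can also be checked and applied from PowerShell. This is an added example, not part of the original advisory or any Symantec or Microsoft tooling. The CLSID is a placeholder because the advisory does not list the FTM control's CLSID; the value name `Compatibility Flags` is the REG_DWORD Internet Explorer reads, and the Wow6432Node path (not mentioned in the advisory) covers 32-bit Internet Explorer on 64-bit Windows.

```powershell
# Added example. Replace the placeholder with the CLSID of the control to disable;
# the advisory does not list the FTM control's CLSID.
$Clsid     = '{00000000-0000-0000-0000-000000000000}'   # placeholder
$KillBit   = 0x00000400
$ValueName = 'Compatibility Flags'   # REG_DWORD value read by Internet Explorer
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # View used by 32-bit Internet Explorer on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Returns the DWORD, or $null when the key or value is absent
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    (Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Get-KillBitState([string]$Clsid) {
    foreach ($root in $Roots | Where-Object { Test-Path -LiteralPath $_ }) {
        $key   = Join-Path $root $Clsid
        $flags = Get-CompatFlags $key
        [pscustomobject]@{
            Key    = $key
            Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            Killed = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-KillBit([string]$Clsid) {
    # Requires an elevated session. ORs the bit in so other flags are preserved.
    foreach ($root in $Roots | Where-Object { Test-Path -LiteralPath $_ }) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $new = [int](Get-CompatFlags $key) -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name $ValueName -Value $new -Type DWord
    }
}

# Audit only; call Set-KillBit $Clsid to apply the Kill Bit.
Get-KillBitState $Clsid | Format-Table -AutoSize
```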
References
Source: Security Focus.com 5508 URL: http://www.securityfocus.com/bid/5508
Source: Security Focus.com 1/288124 URL: http://online.securityfocus.com/archive/1/288124
Source: Securepoint bugtraq0208/219 URL: http://msgs.securepoint.com/cgi-bin/get/bugtraq0208/219.html
Copyright (c) 2008 by Symantec Corp.