I would like to inform you about multiple security vulnerabilities in the Microsoft File Transfer Manager (FTM) ActiveX control, used for secure file delivery to/from Microsoft prior to June 2002.
All vulnerabilities known to me were reported to Microsoft (to the FTM Product Manager and Security Team). Microsoft is likely to have all of them fixed in FTM version 4.0 (released June 2002). Kill bit settings to prevent use of the vulnerable ActiveX control are expected to be in the latest IE update (August 2002?).
Microsoft prepared a draft alert message on 2 Aug 2002, but no FTM user has been notified about this security risk up to now. I would like to provide this draft message here as the vendor's view on this problem:
"Dear Microsoft Customer -
The Microsoft Security Response Center has learned of a security vulnerability affecting a software component used only by members of certain Microsoft customer programs. You've received this mail because you have registered as a member of one of the programs and may have come in contact with the component that contains the vulnerability. Microsoft believes that only a small number of customers actually are at risk, but we do urge you to use the following information to ensure that your system is secure.
The vulnerability could enable an attacker to gain control over another user's system. It lies in a software component called the File Transfer Manager (FTM), the purpose of which is to allow members of Microsoft beta programs, MSDN, Microsoft Volume Licensing Services, and a small number of other Microsoft programs to download software from certain Microsoft sites. The FTM is only distributed through these programs, but not every member has installed it. Even among customers who have installed it, not all are at risk, as only certain old versions used prior to June 2002 contain the vulnerability.
Microsoft recommends that all customers receiving this mail determine whether the FTM is installed on their systems and, if so, ensure that they have either upgraded to the latest version (FTM 4.0) or remove the vulnerable version. A web page (http://transfers.one.microsoft.com/ftm/install) is available that provides step-by-step instructions for doing this. The entire process takes only minutes.
We at Microsoft sincerely apologize for any inconvenience, and look forward to continuing to work with you as a member of a Microsoft customer program.
Regards,
The Microsoft Security Response Center"
As for the technical details of this bug, I would like to provide them to the public because I have a little disagreement on the risks identified.
==========================
Risk No1:
The FTM ActiveX control has a buffer overflow when parsing input strings passed via script to the "Persist" function. One confirmed scenario is a long (>12Kb) string used as the "TS=" (TransferSession?) value.
Taking into account that this control is signed by Microsoft and marked as safe for scripting, it is possible for any website to install it (with a small warning, or without any warning if the user trusts MSFT Corp.) and exploit this vulnerability via script.
Distribution for this risk is medium-high, not a "small number of customers".
Risk No2:
The FTM ActiveX control can add any download/upload item to the list of scheduled items, to/from any folder on the user's disk, without any user approval. This can be done by setting the "TGT=" and "TGN=" params during a call to the "Persist" function.
This can allow downloading or uploading any file to/from the user's PC if a third-party server is able to give a limited number of responses, just like the Microsoft web servers do.
This could easily be done (prior to June 2002) with a man-in-the-middle approach: making a dumb TCP proxy to the Microsoft servers and pointing to the proxy location in the "URL=" param of "Persist" calls. Whether this risk is currently exploitable is unconfirmed, because all Microsoft servers were upgraded to version 4.0, but it is possible that the algorithm for the AUTHDATA param used for validation of clients/servers is weak.
NOTE:
There was an FTM bug where, if the server returned "EncryptionPercentage: 0" during an upload session, the FTM client would send the file just as it is on disk. This bug was fixed prior to the 4.0 release, about 6 months ago, but it shows that no strong security review was done during coding of this ActiveX control.
I would like to recommend that all users search for TransferMgr.exe inside "%SYSTEMROOT%\Downloaded Program Files" and take the steps advised at http://transfers.one.microsoft.com/ftm/install if the file is found.
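As an added example (not part of the original advisory or of Microsoft's tooling), the following PowerShell script performs the check recommended above and goes one step further: it locates TransferMgr.exe in the Downloaded Program Files folder, compares its file version against the fixed 4.0 release, and reports whether the IE kill bit is set for any CLSID registered to that binary. It assumes the standard IE "ActiveX Compatibility" registry mechanism (Compatibility Flags bit 0x400 is the kill bit); the FTM control's CLSID is not given in the advisory, so it is discovered from the registry rather than hard-coded.

```powershell
# Added example, not from the advisory: check for the FTM ActiveX control
# (TransferMgr.exe), its version relative to the fixed 4.0 release, and
# whether IE's kill bit is set for the CLSIDs that register it.

$FixedVersion = [version]'4.0'
$DpfPath = Join-Path $env:SystemRoot 'Downloaded Program Files\TransferMgr.exe'

function Get-FtmInstallState {
    $result = [ordered]@{
        Present = $false; Version = $null; Vulnerable = $false
        KillBitClsids = @(); UnkilledClsids = @()
    }
    if (Test-Path -LiteralPath $DpfPath) {
        $result.Present = $true
        $fv = (Get-Item -LiteralPath $DpfPath).VersionInfo.FileVersion
        # FileVersion strings may carry trailing text; keep the numeric prefix.
        if ($fv -match '^\s*(\d+(\.\d+){1,3})') {
            $result.Version = [version]$Matches[1]
            $result.Vulnerable = $result.Version -lt $FixedVersion
        } else {
            # Unknown version: treat as vulnerable until proven otherwise.
            $result.Vulnerable = $true
        }
    }
    # Discover every CLSID whose COM server registration points at TransferMgr.exe
    # (the advisory does not give the CLSID, so do not hard-code one).
    $clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object {
            foreach ($srv in 'InprocServer32', 'LocalServer32') {
                $v = (Get-ItemProperty -LiteralPath "$($_.PSPath)\$srv" -ErrorAction SilentlyContinue).'(default)'
                if ($v -and $v -match 'TransferMgr\.exe') { return $true }
            }
            $false
        } | ForEach-Object { $_.PSChildName }
    # Kill bit: Compatibility Flags 0x400 under IE's ActiveX Compatibility key.
    foreach ($clsid in $clsids) {
        $compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags = (Get-ItemProperty -LiteralPath $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -band 0x400) { $result.KillBitClsids += $clsid }
        else { $result.UnkilledClsids += $clsid }
    }
    [pscustomobject]$result
}

Get-FtmInstallState | Format-List
```

A host is still exposed if Present is true with Vulnerable true, or if UnkilledClsids is non-empty; in either case follow the upgrade/removal steps at the install page above.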
Feedback can be directed to the author:
--
Andrew G. Tereschenko
secure@tag.odessa.ua
TAG Software Research Lab
Odessa, Ukraine