Microsoft File Transfer Manager Vulnerability

Affected systems:

Microsoft File Transfer Manager

Unaffected systems:

Microsoft File Transfer Manager 4.0

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 5508

File Transfer Manager (FTM) is used by Microsoft beta program testers, MSDN subscribers, Microsoft Volume Licensing service customers and others to download software from Microsoft sites.

The FTM ActiveX control has a flaw in its handling of the "Persist" function; a remote attacker can exploit this vulnerability to trigger a buffer overflow.

The FTM ActiveX control has a flaw in parsing the "TS=" parameter of the input string that script passes to the "Persist" function. A remote attacker who supplies a string longer than 12K bytes for the "TS=" parameter causes a buffer overflow in the FTM control, which may allow arbitrary instructions to be executed with the privileges of the user's process. Because the control is signed by Microsoft, users will trust and install it when it is downloaded from any web site, with only a minimal warning. An attacker can combine this with the vulnerability by serving the control from a site under their own control to attack users.

<*Source: Andrew G. Tereschenko (secure.bugtraq@tag.odessa.ua)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=102979092423185&w=2

*>

Recommendations:

--------------------------------------------------------------------------------

Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* All users are advised to search the "%SYSTEMROOT%\Downloaded Program Files" directory for TransferMgr.exe. If the file is found, follow the steps recommended at the following site:

http://transfers.one.microsoft.com/ftm/install
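The following PowerShell check is an added example, not part of the NSFOCUS advisory or of Microsoft's instructions: it performs the search above and reports whether any TransferMgr.exe found under "Downloaded Program Files" has a file version below 4.0, the version the advisory lists as unaffected. The version comparison assumes the control's file version tracks the FTM product version.

```powershell
# Added example: search the folder named in the workaround for TransferMgr.exe
# and flag copies older than the unaffected version (4.0, per the advisory).
$SearchRoot   = Join-Path $env:SystemRoot 'Downloaded Program Files'
$FixedVersion = [version]'4.0'   # assumption: file version tracks the FTM product version

function Get-FtmStatus {
    param([string]$Root = $SearchRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        return [pscustomobject]@{ Found = $false; Path = $Root; Version = $null; Vulnerable = $false }
    }

    $results = @(
        Get-ChildItem -LiteralPath $Root -Filter 'TransferMgr.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $ver = $null
            # FileVersion strings may carry trailing text; keep only the leading dotted number.
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }
            [pscustomobject]@{
                Found      = $true
                Path       = $_.FullName
                Version    = $ver
                # An unreadable version is reported as vulnerable so it gets reviewed.
                Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
            }
        }
    )

    if ($results.Count -eq 0) {
        return [pscustomobject]@{ Found = $false; Path = $Root; Version = $null; Vulnerable = $false }
    }
    return $results
}

Get-FtmStatus | Format-Table -AutoSize
```

Any row with Vulnerable = True identifies a copy that should be handled according to the Microsoft steps linked above.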

Vendor patch:

Microsoft

---------

Microsoft will fix this vulnerability in a new version of File Transfer Manager:

http://transfers.one.microsoft.com/ftm/install/HomeIE.asp

  Network Working Group H. BrodieRequest for Comments #269 UCLA-NMCNIC # 7817 6 December 71Categories: File TransferUpdates: 122, 238, 172Obsoletes: None Some EXPerience with File TransferAt UCLA-NM...查看完整版>>RFC269 - Some Experience with File Transfer