Opened 10 years ago

Closed 10 years ago

#9559 closed Bug report (rejected)

FileZilla 3.8.1 incompatible with EMET

Reported by: notrone2 Owned by:
Priority: high Component: FileZilla Client
Keywords: emet Cc:
Component version: Operating system type: Windows
Operating system version: Windows 7 x64 SP1

Description

Background:
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.

http://support.microsoft.com/kb/2458544

Issue
Since upgrading to 3.8.1, FileZilla is being terminated by EMET as it is triggering the "SimExecFlow" mitigation:

EMET detected SimExecFlow mitigation and will close the application: filezilla.exe

SimExecFlow check failed:
  Application 	: C:\Program Files (x86)\FileZilla FTP Client\filezilla.exe
  User Name 	: asdf
  Session ID 	: 1
  PID 		: 0x1198 (4504)
  TID 		: 0x2428 (9256)
  CodeAddress 	: 0x009D1909
  CodeStackPtr 	: 0x28FDB4
  CalledAddress 	: 0x753F4327
  API name 	: kernel32.VirtualProtect
  StackPtr 	: 0x0028FD98
  FramePtr 	: 0x28FDC0

As EMET is used in enterprise environments where it cannot be disabled by users, this issue prevents FileZilla from functioning. Downgrading to 3.8.0 fixes the issue.

Change History (4)

comment:1 by Tim Kosse, 10 years ago

Priority: blockerhigh
Resolution: worksforme
Status: newclosed

Cannot reproduce using EMET 4.1.5228.513

comment:2 by Todor, 10 years ago

Bug confirmed on EMET 4.0.4913.26122

Application Name: C:\Program Files (x86)\FileZilla FTP Client\filezilla.exe
Execution flow simulation check failed:
  PID          : 0x196C/6508
  TID          : 189C
  CodeAddress  : 009D1909
  CodeStackPtr : 28FDB4
  CalledAddress: 77174327
  API name     : kernel32.VirtualProtect
  StackPtr     : 0028FD98
  FramePtr     : 28FDC0

The workaround is either to delete Filezilla from the list of EMET-protect apps for administrators, or to revert to the previous (but TLS-bug-affected) Filezilla version for non-administrators.

comment:3 by Todor, 10 years ago

Resolution: worksforme
Status: closedreopened

ooops i forgot to reopen the ticket

comment:4 by Tim Kosse, 10 years ago

Resolution: rejected
Status: reopenedclosed

Please update to the most recent version of EMET.

Note: See TracTickets for help on using tickets.