Wednesday, December 22, 2010

Assessing an IIS FTP 7.5 Unauthenticated Denial of Service Vulnerability

Via Microsoft SRD -

There has been some discussion around a publicly posted PoC code that exploits a vulnerability in IIS FTP 7.5, which ships with Windows 7 and Windows Server 2008 R2. Our engineering team is looking into the situation and has made a few preliminary observations that might clear up some confusion. We’ve observed three notable characteristics.

First, this is a Denial of Service vulnerability and remote code execution is unlikely. The vulnerability occurs when the FTP server attempts to encode Telnet IAC (Interpret As Command) character in the FTP response. The IAC character, which is represented as decimal 255 (Hex FF) in the response, needs to be encoded by the addition of another decimal 255 character in the FTP response where we find the presence of the IAC character. Due to an error in this processing, it is possible to get into a state where an attacker could overwrite a portion of the response with a string of 0xFFs even past the end of the heap buffer, resulting in a heap buffer overrun.

In that situation, the only data that a malicious client controls in this overrun is the number of bytes by which the buffer is overrun. It cannot control the data that is overwritten -- the data will always be the IAC character 0xFF. Also, the malicious client does not control the addresses where data is overridden, and the data is always overridden in a sequential manner. The FTP service 7.5 is also protected by Data Execution Prevention (DEP). The combination of these characteristics makes it difficult to successfully execute a heap spray or partial function pointer override attack. Because of the nature of the overrun, the probable result will only be a denial of service and not code execution.

Our second discovery is that this vulnerability only affects IIS FTP Service and leaves the IIS Web Services completely unaffected. Hence a Denial of Service on the FTP service will not affect any of the web services hosted by IIS but only the FTP service.

Third and finally, the IIS FTP Service is not installed by default, and even after installation, it is not enabled by default.


We’ll continue to investigate this issue and, if necessary, we‘ll take appropriate action to help protect customers. This may include providing a security update through the monthly release process or additional guidance to help customers protect themselves.


Vulnerability Note VU#842372
Microsoft IIS FTP server memory corruption vulnerability

Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC

No comments:

Post a Comment