Microsoft Ftp Service Exploit

Today we released MS11-004 to address a vulnerability in the Microsoft FTP service, an optional component of Internet Information Services (IIS). In this blog, we would like to cover some additional technical details of this vulnerability.


First, we want to clarify that the vulnerability lies in the FTP service component of IIS. The FTP service is an optional component of IIS and is not installed by default.

One part that may be confusing is the difference between the FTP service version and the IIS version. For example, the version of FTP service shipped with IIS 7 on Windows Vista and Windows Server 2008 is FTP 6.0, not FTP 7.0. However, you could also install FTP 7.0/7.5 as an optional component on IIS 7 from the Microsoft Download Center. If you are unsure which version of the FTP service you are running and whether your system is vulnerable, use this procedure to determine if the update is needed for your system.

  • If FTP service is not enabled, the system is not vulnerable.
  • If FTP service is enabled,
    • IIS 6 on Windows Server 2003: Not vulnerable
    • IIS 7 on Windows Vista and Windows Server 2008: By default, IIS 7 uses FTP 6.0, which is not vulnerable. However, if you install the FTP 7.0/7.5 for IIS 7 package from the Microsoft Download Center, then it is vulnerable.
    • IIS 7.5 on Windows 7 and Windows Server 2008 R2: FTP 7.5 shipped with IIS 7.5 is vulnerable.

Please note there is also a way to automate this process. FTP 6.0 runs under a different service name than FTP 7.0/7.5. Therefore, the idea is to check whether the “ftpsvc” service, the service name of FTP 7.0/7.5, is running or not. In our previous SRD blog, Assessing an IIS FTP 7.5 Unauthenticated Denial of Service Vulnerability, we have already talked about the approach. Here we list it again:


A user can determine the status of the IIS FTP service by querying it through the command prompt (running as administrator):

  • Press the “Windows”+“R” key
  • Type “cmd.exe” (no quotes)
  • In the command prompt type “sc query ftpsvc” (no quotes)

If the service is not installed then the following will be displayed:

If the service is installed and running then the following will be displayed:

An alternative approach is to scan the file system to detect whether a machine is vulnerable. If ‘ftpsvc.dll’ does not exist in the %system32%\inetsrv directory, then your system is not affected. If you find a file named ‘ftpsvc2.dll’, this indicates that you have FTP 6.0 installed on the system and are also not affected by this vulnerability. The detection logic on Windows Update, Microsoft Update, and WSUS will handle the above scenarios, so that the update is only offered to IIS 7 systems that have FTP 7.0 or FTP 7.5 installed.
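The service-name check and the file-system check described above can be combined into one read-only triage function. This is an added example, not Microsoft's detection logic; the function name `Get-IisFtpExposure`, its output fields, and the assumption that the inetsrv directory sits under `$env:SystemRoot\System32` are choices made for this illustration.

```powershell
# Added example: read-only triage using the two checks described in the text.
# It reports what is installed and running; it does not check patch level.
function Get-IisFtpExposure {
    [CmdletBinding()]
    param(
        # Assumption: the inetsrv directory lives under <SystemRoot>\System32.
        # Run from a 64-bit shell on x64 systems; a 32-bit process is
        # redirected to SysWOW64 and would look in the wrong directory.
        [string]$InetSrvPath = (Join-Path $env:SystemRoot 'System32\inetsrv')
    )

    # "ftpsvc" is the service name of FTP 7.0/7.5; FTP 6.0 uses a different name.
    $svc     = Get-Service -Name 'ftpsvc' -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $state   = 'NotInstalled'
    if ($svc) { $state = $svc.Status.ToString() }

    # ftpsvc.dll = FTP 7.0/7.5 binaries; ftpsvc2.dll = FTP 6.0 (not affected).
    $ftp7Dll = Test-Path -LiteralPath (Join-Path $InetSrvPath 'ftpsvc.dll')
    $ftp6Dll = Test-Path -LiteralPath (Join-Path $InetSrvPath 'ftpsvc2.dll')

    if ($running) {
        $verdict = 'FTP 7.0/7.5 is running: affected, install the MS11-004 update'
    }
    elseif ($ftp7Dll -or $svc) {
        $verdict = 'FTP 7.0/7.5 is installed but not running: update applies'
    }
    elseif ($ftp6Dll) {
        $verdict = 'Only FTP 6.0 found: not affected'
    }
    else {
        $verdict = 'No IIS FTP 7.0/7.5 found: not affected'
    }

    # New-Object keeps this usable on the PowerShell 2.0 that ships with
    # Windows 7 / Server 2008 R2.
    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        FtpsvcService = $state
        FtpsvcDll     = $ftp7Dll
        Ftpsvc2Dll    = $ftp6Dll
        Verdict       = $verdict
    }
}

Get-IisFtpExposure | Format-List
```

A stopped service with `ftpsvc.dll` present is reported separately because the update is still offered to that system even though the service is not currently reachable.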

Finally, we would like to clarify the exploitability of this issue. We blogged about this issue in December 2010 here, and outlined why we thought remote code execution was unlikely. We said “these characteristics make it difficult to successfully execute a heap spray or partial function pointer override attack. Because of the nature of the overrun, the probable result will only be a denial of service and not code execution.”

Since then additional research has shown that it may be possible for this vulnerability to be exploited if DEP and ASLR protections are bypassed. No exploit has been seen in the wild, and no exploit code has been made publicly available. To sum up the current situation, while it may be possible to achieve code execution, the probable impact for most customers remains denial of service.

Acknowledgement

Thanks to Nazim Lala in the IIS team, the Japan CSS Security Response Team, and Brian Cavenah in the MSRC Engineering team for their work on this.

Chengyun Chu and Mark Wodrich, MSRC Engineering

Severity: High

8 February, 2011

Summary:

  • This vulnerability affects: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2
  • How an attacker exploits it: By sending a specially crafted FTP command
  • Impact: In the worst case, an attacker gains complete control of your IIS server
  • What to do: Deploy the appropriate IIS update immediately, or let Windows Automatic Update do it for you

Exposure:

Internet Information Services (IIS) is the popular web and FTP server that ships with all server versions of Windows.

In a security bulletin released today as part of Patch Day, Microsoft describes a serious vulnerability that affects the optional FTP server that comes with the latest versions of IIS. Specifically, the IIS FTP service suffers from a buffer overflow vulnerability involving the way it handles specially crafted FTP commands (or more specifically, specially encoded characters in an FTP response). By sending such a malformed FTP command, an attacker could exploit this vulnerability to either put your FTP server into a Denial of Service (DoS) state, or to gain complete control of it. An attacker does not have to authenticate to your FTP server to launch this attack.

However, IIS does not install or start the IIS FTP service by default. You are only vulnerable to this attack if you have specifically installed and started this service. That said, many administrators do enable IIS’s FTP service in order to give web administrators an easy way to update their web sites. If you are one of those administrators, you should consider this flaw a serious risk.

Researchers have already publicly released Proof-of-Concept (PoC) exploit code demonstrating the DoS version of this flaw. Whether or not you are using the IIS FTP service, we still recommend you download, test and install this update as soon as you can. Because this is a critical server update, we highly recommend you test it on non-production servers before pushing it to your real web site.

Solution Path:

Download, test, and deploy the appropriate IIS patches immediately, or let Windows Automatic Update do it for you.

  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server R2 2008 x64
  • For Windows Server R2 2008 Itanium

For All WatchGuard Users:

This attack leverages seemingly normal FTP response traffic. You should apply the updates above.

Status:

Microsoft has released patches to fix this vulnerability.


References:

This alert was researched and written by Corey Nachreiner, CISSP.
