There has been some discussion around a publicly posted PoC code that exploits a vulnerability in IIS FTP 7.5, which ships with Windows 7 and Windows Server 2008 R2. Our engineering team is looking into the situation and has made a few preliminary observations that might clear up some confusion. We’ve observed three notable characteristics.
First, this is a Denial of Service vulnerability and remote code execution is unlikely. The vulnerability occurs when the FTP server attempts to encode Telnet IAC (Interpret As Command) character in the FTP response. The IAC character, which is represented as decimal 255 (Hex FF) in the response, needs to be encoded by the addition of another decimal 255 character in the FTP response where we find the presence of the IAC character. Due to an error in this processing, it is possible to get into a state where an attacker could overwrite a portion of the response with a string of 0xFFs even past the end of the heap buffer, resulting in a heap buffer overrun.
In that situation, the only data that a malicious client controls in this overrun is the number of bytes by which the buffer is overrun. It cannot control the data that is overwritten -- the data will always be the IAC character 0xFF. Also, the malicious client does not control the addresses where data is overridden, and the data is always overridden in a sequential manner. The FTP service 7.5 is also protected by Data Execution Prevention (DEP). The combination of these characteristics makes it difficult to successfully execute a heap spray or partial function pointer override attack. Because of the nature of the overrun, the probable result will only be a denial of service and not code execution.
Our second discovery is that this vulnerability only affects IIS FTP Service and leaves the IIS Web Services completely unaffected. Hence a Denial of Service on the FTP service will not affect any of the web services hosted by IIS but only the FTP service.
Third and finally, the IIS FTP Service is not installed by default, and even after installation, it is not enabled by default. A user can determine the status of the IIS FTP service by querying it through the command prompt (running as administrator):
· Press the “Windows”+“R” key
· Type “cmd.exe” (no quotes)
· In the command prompt type “sc query ftpsvc” (no quotes)
· If the service is not installed then the following will be displayed:
> sc query ftpsvc
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
· If the service is installed and running then the following will be displayed:
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
We’ll continue to investigate this issue and, if necessary, we‘ll take appropriate action to help protect customers. This may include providing a security update through the monthly release process or additional guidance to help customers protect themselves.
Thanks the MSRC Engineering for the help in looking into this issue.
Nazim Lala, IIS Security Program Manager
*Posting is provided "AS IS" with no warranties, and confers no rights.*