Understanding Versions of the IIS FTP Server

Posted: Sep 03, 2009  6 comments  

Average Rating

Share this Post

It’s been a busy few days on the IIS Security Team.

Earlier this week, a vulnerability was found in the IIS FTP server.  We have been working with security teams across Microsoft to research the issue and formulate a response to best protect our customers.

Unfortunately, this finder chose to release the details of the vulnerability directly to the public instead of bringing it to our attention first.  When this happens, we have competing priorities:  We want to research the issue as thoroughly as we can.  And at the same time, we want to get information out to our customers as soon as possible so that they can protect themselves.

In response to this issue, Microsoft issued Microsoft Security Advisory (975191) on Tuesday.

Earlier today, this same finder released information for a second vulnerability in the IIS FTP server.  Again, the finder chose to release his information directly to the public.  While this new finding is a different issue, the impact, migitations and workarounds are very similar to the first issue; similar enough that both issues are now addressed in the above advisory.

One significant difference is that different versions of FTP are affected in different ways.  This has resulted in some confusion about determining whether a particular server is vulnerable or not.  I will now attempt to clear up some of that confusion.  Note that the primary source of information on the details is the security advisory.  I will not discuss those details here.

I will cover the most straightforward cases first:

  • Windows 2000 includes IIS 5.0, which includes FTP 5.0.  All of the issues in the security apply to this version of the FTP server.
  • Windows XP includes IIS 5.1, which includes FTP 5.1.  All of the issues in the security advisory apply to this version of the FTP server.
  • Windows 7 and Windows 2008 R2 both include IIS 7.5, which includes FTP 7.5.  None of the issues in the security advisory apply to this version of the FTP server.  It is unaffected by both these vulnerabilities.

The confusion arises with Windows 2003, Vista and Windows 2008.  Windows 2003 contains IIS 6.0; Vista and Windows 2008 contain IIS 7.0.  All of these platforms contain a version of FTP that we call FTP 6.0.

Only it’s not quite that simple. 

We did some maintenance to FTP 6.0 between Windows 2003 and Vista.  As a result of this work, the first of this week’s two findings applies only to the older flavor that ships with IIS 6.  The second of this week’s findings apply to FTP 6.0 on all 3 Windows versions.

The version story is even more confusing because we released FTP 7.0 as an add-on component to Vista and Windows 2008 and has also made FTP 7.5 available for these operating system versions.  Both FTP 7.0 and FTP 7.5 are unaffected by this week’s findings described in the above security advisory.  If you are running the FTP server with Vista or Windows 2008 and have not yet upgraded the FTP server, we strongly recommend that you consider upgrading to FTP 7.5.  We offer this upgrade for free.  You can find details here.

If you are running the IIS FTP server on Windows 2003 or earlier, or if you choose to run FTP 6.0 on Vista or Windows 2008, please see the security advisory for the most current information on mitigations and workarounds.

I would like to touch on one other topic on the subject of IIS versions.

The IIS FTP server is hosted in the same process as the IIS Admin Service.  In IIS 6.0 and earlier, all of the IIS services are dependent on this service.  Because both vulnerabilities have the potential to terminate this process, a successful denial of service attack to FTP will also shut down all IIS services, including the web server.

IIS 7.0 has a different architecture and the IIS 7.0 web server is not dependent on the IIS Admin Service.  For this reason, a successful denial of service attack against FTP 6.0 will not affect the IIS 7.0 web server.

Comments

Hi Wade,

Nazim's blog post about this subject got removed where I was having a conversation about the security advisory and these exploits.

(that post contained much useful information about this vuln, where has that gone? Is it because it gave to many details away? Can I repeat the details?)

Still these are not clear to me.

From your post here and Nazims post before and discussion the only versions that are problematic are FTP 5 for Win 2000 where full takeover is possible.

FTP 5.1 for XP & FTP 6 for Win 2003 where a DOS attack is possible as these OS have /GS buffer overflow protection in the OS. And there is no effect for 2008 running FTP 6.00001 (lets call it. come on were is the version numbering. :) ) & 2008 running FTP 7 and 7.5 are unaffected.

Why then does the second revision of this security advisory state that Windows 2008 and vista are affected? In teh summary it says that IIS& is vuln to a DOS attack vector. You and Nazim have both said that is not the case! This is very confusing before in revision one it said 2008 and vista are not affected (only the related knowledge base article said it was but I presumed that was a typo) and this was confirmed by you and Nazim now it says they are?! Why is this? It makes no sense is is more confusing to your customers. Even in the detail it is confusing points 3) and 4) of the FAQ there are different. point 3 says that IIS7 (i.e Vista and 2008) are affected with a DOS and point 4 (and others) says the detail of the DOS is only for Windows 2003.

The advisory also doesn't mention authenticated users and just the anonymous account. It really should mention this. It implies in the workaround that if you remove the anonymous write access you will be safe from what I understand this is not the case (or wasn't as per Nazims blog post that no longer exists)

Please make the advisory clear. Third time lucky. :)

If I am speaking out of line here and want these issue to be discussed privately please let me know.

Sep 04 2009 by Rovastar

Rovastar,

I believe that Nazim took is blog down temporarily to make some corrections.  It was not taken down because it revealed too much.  He wanted to make it more accurate.  Also, anything that Nazim or I say in our blogs is public information and you may feel free it.

To answer your specific questions:

FTP 5, with both IIS 5.0 and 5.1 (on Windows 2000 and Windows XP respectively), have a known vulnerability that can result in remote code execution in the context of the local system account.  The only known way to achieve this requires that the attacker has the ability to create directories on the server machine in a location that is reachable through the FTP server.

FTP 5 and 6 are vulnerable to a denial of service attack if the attacker has read access through the FTP server.  This is true of all platforms for these versions (IIS 5.0, 5.1, 6.0 and 7.0, running on Windows 2000, Windows XP, Windows 2003 Server, Vista and Windows 2008 Server.)  The first version of the advisory did not list FTP 6 on Vista and Windows 2008 Server as vulnerable to this because the original vulnerability did not affect them.  The second vulnerability, which was disclosed to us on Thursday last week, added FTP 6 on Vista and Windows 2008 Server to the matrix.

FTP 7.0 and FTP 7.5 are a completely different code base and are unaffected by any of the known vulnerabilities.

The critical factor is whether the attacker can read through FTP or create directories.  It does not matter whether the attacker is logged in as anonymous or with a Windows user account.  The reason to call out anonymous versus authenticated is only to help administrators evaluate the risk to their servers.

I hope that this helps to clarify.

-Wade

Sep 08 2009 by wadeh

Thanks that clarifies things more.

Now there are 2 vulns it makes sense with the confusion.

I still think there should be more public information on the advisory for the windows users.

As said before not all ftp accounts are 100% trusted. In a typical hosting environment you will allow clients/customers ftp access to there site. Obviously you will give them FTP write access. And I do not know the hundred or thousands of ftp customers and can vouch for them 100%.

In the real world I cannot imagine many servers willingly having anon access and write access but I can see many cases for write access to auth users. And also these auth users will have create dir access too.

The advisory doesn't mention users write access at all and only mentions anon access. Surely the advisory should mention all types. The admin shouldn't have to dig through blogs to find this information. Not to mention that it implies you will be safe if you disable anon access this plainly is not the case.

You don't help admin evaluate the risk here you misled them. I would read that advisory and think I am not stupid enough to have anon write access therefore it does not apply to me. I have reviewed many advisories before for rollout in large web/hosting environments and tbh I would think that is ok if you do not have anon access enabled/non-write access for it.

Sep 09 2009 by Rovastar

<a href="http://www.liderchat.net" title="Chat, Sohbet" target="_blank">Chat</a>

<a href="http://www.liderchat.net" title="Chat, Sohbet" target="_blank">Sohbet</a>

<a href="http://www.mircbul.net" title="mirc, mirc indir" target="_blank">mirc</a>

<a href="http://www.mircbul.net" title="mirc, mirc indir" target="_blank">mirc indir</a>

<a href="http://www.ozlusohbet.net" title="Sohbet" target="_blank">Sohbet odalari</a>

<a href="http://www.dostyakasi.com" title="Edebiyat Forum" target="_blank">Edebiyat</a>

Sep 14 2009 by Chat

Submit a Comment

  • Plain text is accepted.
  • URLs starting with http:// are converted to links.