[Updated] IIS FTP server vulnerabilities for FTP 5.x and FTP 6
There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone through great detail to explain what platforms are affected by each vulnerability in his blog post. Microsoft has released and refreshed an advisory that covers the details, mitigations and workarounds for the vulnerability. The Microsoft Security Research and Defense team has a blog about the exploit details for the original vulnerability. Here is the summary including both vulnerabilities:
-
Affected platforms: Windows Server 2000, Windows XP and Windows Server 2003, Windows Vista (FTP 6 only), Windows Server 2008 (FTP 6 only).
-
Non-affected platforms: Windows 7, Windows Server 2008 R2.
-
Windows Server 2008 and Windows Vista ships with FTP 6 by default and is affected by only one of the two disclosed vulnerabilites.
-
The vulnerabilities does not affect FTP 7 or FTP 7.5 that ships out-of-band fro Windows Vista or Windows Server 2008.
-
Windows 7 and Windows Server 2008 R2 are entirely unaffected because they contain FTP 7.5.
-
The newer vulnerability is a Denial of Service issue across all affected platforms and is caused by stack exhaustion.
-
The first vulnerability is a Remote Code Execution Vulnerability for Windows 2000 and a Denial of Service for all other platforms and is caused by a stack buffer overflow.
-
Both exploits were not responsibly disclosed to Microsoft. Microsoft has released an advisory to assist customers while an update is being engineered.
-
The stack exhaustion PoC exploit uses anonymous user with read permissions to trigger the overflow. The vulnerability is not constrained to anonymous users, and authenticated users can exploit it as well, though this will be auditable.
-
The stack buffer overflow PoC exploit uses anonymous user with write permissions to trigger the overflow. The vulnerability is not constrained to anonymous users, and authenticated users can exploit it as well, though this will be auditable.
-
Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 are protected from code execution by /GS and no public PoC exploit has yet bypassed this.
-
Windows Server 2000 is not protected by /GS and the exploit hence results in code execution on that platform under LocalSystem context.
-
The advisory has workarounds to protect customers with varied impact on FTP functionality.
-
The Microsoft Security Research & Defense blog has information about detecting attacks for the first vulnerability that can be used for intrusion prevention. I will update this post with information on the second vulnerability when available.