Executive Summary

Summary
Title Microsoft IIS FTP server memory corruption vulnerability
Informations
Name VU#842372 First vendor Publication 2010-12-22
Vendor VU-CERT Last vendor Modification 2010-12-23
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#842372

Microsoft IIS FTP server memory corruption vulnerability

Overview

Microsoft IIS FTP server 7.5 is affected by a pre-authentication memory corruption vulnerability.

I. Description

A specifically crafted request sent to the IIS FTP service can result in memory corruption causing the service to crash. A denial-of-service exploit has been released to the public. IIS 7.5.7600.16385 on Windows 7 is reported to be affected. Other versions may also be affected. Additional details are available on Microsoft's Security Research & Defense blog.

II. Impact

An attacker can cause a denial of service. Depending on the specifics of the vulnerability, an attacker could potentially execute arbitrary code.

III. Solution

We are currently unaware of a practical solution to this problem.

Restrict Access
Appropriate firewall rules should be implemented to restrict access to trusted sources. Customers of IPS vendors should request updated signatures for this vulnerability and block related traffic.

Vendor Information

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected2010-12-22

References

http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx
http://secunia.com/advisories/42713
http://www.exploit-db.com/exploits/15803/

Credit

This vulnerability was reported to the public by Matthew Bergin via Exploit-DB.

This document was written by Jared Allar.

Other Information

Date Public:2010-12-21
Date First Published:2010-12-22
Date Last Updated:2010-12-23
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Severity Metric:1.77
Document Revision:10

Original Source

Url : http://www.kb.cert.org/vuls/id/842372

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12370
 
Oval ID: oval:org.mitre.oval:def:12370
Title: IIS FTP Service Heap Buffer Overrun Vulnerability
Description: Heap-based buffer overflow in the TELNET_STREAM_CONTEXT::OnSendData function in ftpsvc.dll in Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) 7.0, and IIS 7.5, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted FTP command, aka "IIS FTP Service Heap Buffer Overrun Vulnerability." NOTE: some of these details are obtained from third party information.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3972
Version: 10
Platform(s): Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Product(s): Microsoft FTP Service 7.0
Microsoft FTP Service 7.5
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

OpenVAS Exploits

Date Description
2011-02-09 Name : Internet Information Services (IIS) FTP Service Remote Code Execution Vulnera...
File : nvt/secpod_ms11-004.nasl
2010-12-27 Name : Microsoft Windows IIS FTP Server DOS Vulnerability
File : nvt/gb_ms_iis_ftpd_dos_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
70167 Microsoft IIS FTP Server Telnet IAC Character Handling Overflow

Microsoft Internet Information Services (IIS) is prone to an overflow condition. The 'TELNET_STREAM_CONTEXT::OnSendData' function in the FTP protocol handler (ftpsvc.dll) fails to properly sanitize user-supplied input resulting in a heap-based overflow. With a specially crafted overly long FTP request, a remote attacker can potentially execute arbitrary code.

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt
RuleID : 18243 - Revision : 11 - Type : SERVER-IIS

Nessus® Vulnerability Scanner

Date Description
2011-02-11 Name : The FTP service running on the remote host has a memory corruption vulnerabil...
File : iis_ftp7_heap_overflow.nasl - Type : ACT_ATTACK
2011-02-08 Name : The FTP service running on the remote host has a memory corruption vulnerabil...
File : smb_nt_ms11-004.nasl - Type : ACT_GATHER_INFO