Executive Summary

Summary
Title Microsoft IIS FTP server memory corruption vulnerability
Informations
NameVU#842372First vendor Publication2010-12-22
VendorVU-CERTLast vendor Modification2010-12-23
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#842372

Microsoft IIS FTP server memory corruption vulnerability

Overview

Microsoft IIS FTP server 7.5 is affected by a pre-authentication memory corruption vulnerability.

I. Description

A specifically crafted request sent to the IIS FTP service can result in memory corruption causing the service to crash. A denial-of-service exploit has been released to the public. IIS 7.5.7600.16385 on Windows 7 is reported to be affected. Other versions may also be affected. Additional details are available on Microsoft's Security Research & Defense blog.

II. Impact

An attacker can cause a denial of service. Depending on the specifics of the vulnerability, an attacker could potentially execute arbitrary code.

III. Solution

We are currently unaware of a practical solution to this problem.

Restrict Access
Appropriate firewall rules should be implemented to restrict access to trusted sources. Customers of IPS vendors should request updated signatures for this vulnerability and block related traffic.

Vendor Information

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected2010-12-22

References

http//blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-un...
http://secunia.com/advisories/42713
http://www.exploit-db.com/exploits/15803/

Credit

This vulnerability was reported to the public by Matthew Bergin via Exploit-DB.

This document was written by Jared Allar.

Other Information

Date Public:2010-12-21
Date First Published:2010-12-22
Date Last Updated:2010-12-23
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric:1.77
Document Revision:10

Original Source

Url : http://www.kb.cert.org/vuls/id/842372

CWE : Common Weakness Enumeration

idName
CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12370
 
Oval ID: oval:org.mitre.oval:def:12370
Title: IIS FTP Service Heap Buffer Overrun Vulnerability
Description: Heap-based buffer overflow in the TELNET_STREAM_CONTEXT::OnSendData function in ftpsvc.dll in Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) 7.0, and IIS 7.5, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted FTP command, aka "IIS FTP Service Heap Buffer Overrun Vulnerability." NOTE: some of these details are obtained from third party information.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3972
Version: 10
Platform(s): Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Product(s): Microsoft FTP Service 7.0
Microsoft FTP Service 7.5
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application1

OpenVAS Exploits

DateDescription
2011-02-09Name : Internet Information Services (IIS) FTP Service Remote Code Execution Vulnera...
File : nvt/secpod_ms11-004.nasl
2010-12-27Name : Microsoft Windows IIS FTP Server DOS Vulnerability
File : nvt/gb_ms_iis_ftpd_dos_vuln.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
70167Microsoft IIS FTP Server Telnet IAC Character Handling Overflow

Snort® IPS/IDS

DateDescription
2014-01-10Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt
RuleID : 18243 - Revision : 6 - Type : SERVER-IIS

Metasploit Database

idDescription
2010-12-21 Microsoft IIS FTP Server Encoded Response Overflow Trigger

Nessus® Vulnerability Scanner

DateDescription
2011-02-11Name : The FTP service running on the remote host has a memory corruption vulnerabil...
File : iis_ftp7_heap_overflow.nasl - Type : ACT_ATTACK
2011-02-08Name : The FTP service running on the remote host has a memory corruption vulnerabil...
File : smb_nt_ms11-004.nasl - Type : ACT_GATHER_INFO