Microsoft denied that details and Proof of Concept code available in the wild for an IIS FTP 7.5 vulnerability indicate that exploits can lead to remote code execution.
Instead, the company explained that even in the event of a successful exploit, the most that an attacker can hope to achieve is Denial of Service.
IIS FTP 7.5 is included by default in both Windows 7 and Windows Server 2008 R2, and the software giant did confirm the security flaw itself, but underlined that remote code execution is highly unlikely.
“The vulnerability occurs when the FTP server attempts to encode Telnet IAC (Interpret As Command) character in the FTP response,” revealed Nazim Lala, IIS Security Program Manager.
“The IAC character, which is represented as decimal 255 (Hex FF) in the response, needs to be encoded by the addition of another decimal 255 character in the FTP response where we find the presence of the IAC character.
“Due to an error in this processing, it is possible to get into a state where an attacker could overwrite a portion of the response with a string of 0xFFs even past the end of the heap buffer, resulting in a heap buffer overrun.”
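The encoding rule described in the quote (every 0xFF byte in the response is followed by a second 0xFF) makes the output longer than the input, so the destination buffer has to be checked against the escaped length rather than the original one. The C routine below is an added example of that bounded encoding, not Microsoft's code; the function names and the sample reply are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TELNET_IAC 0xFFu /* Interpret As Command, decimal 255 */

/* Exact length of `in` after every IAC byte has been doubled. */
size_t iac_escaped_len(const uint8_t *in, size_t in_len)
{
    size_t n = in_len;
    for (size_t i = 0; i < in_len; i++)
        if (in[i] == TELNET_IAC)
            n++;
    return n;
}

/* Copy `in` to `out`, doubling each IAC byte. Returns 0 and sets *written,
 * or returns -1 and writes nothing when `out` cannot hold the result. */
int iac_escape(const uint8_t *in, size_t in_len,
               uint8_t *out, size_t out_cap, size_t *written)
{
    size_t o = 0;
    if (iac_escaped_len(in, in_len) > out_cap)
        return -1;                  /* compare the escaped size, not in_len */
    for (size_t i = 0; i < in_len; i++) {
        out[o++] = in[i];
        if (in[i] == TELNET_IAC)
            out[o++] = TELNET_IAC;  /* the extra byte that grows the output */
    }
    *written = o;
    return 0;
}

int main(void)
{
    /* Constructed sample reply (11 bytes) containing two IAC bytes. */
    const uint8_t reply[] = { '2','5','7',' ','"',0xFF,'d',0xFF,'"','\r','\n' };
    uint8_t exact[13], small[12];
    size_t n = 0;
    printf("13-byte buffer: %d\n", iac_escape(reply, sizeof reply, exact, sizeof exact, &n));
    printf("12-byte buffer: %d\n", iac_escape(reply, sizeof reply, small, sizeof small, &n));
    return 0;
}
```

A buffer sized to the unescaped reply (11 bytes here) or one byte short of the escaped length is rejected before any byte is written.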
Lala explained that an attacker leveraging this vulnerability in an exploit will not be able to control the data that is being overwritten.
At the same time, the destination address where the data is overwritten is also not under the control of a potential attacker, who would also need to bypass an additional security mitigation: Data Execution Prevention (DEP).
“Our second discovery is that this vulnerability only affects IIS FTP Service and leaves the IIS Web Services completely unaffected. Hence a Denial of Service on the FTP service will not affect any of the web services hosted by IIS but only the FTP service,” Lala added.
“Third and finally, the IIS FTP Service is not installed by default, and even after installation, it is not enabled by default.”
The promise from Microsoft is that the investigation of this issue will continue and that a security update will be provided to patch the vulnerability if necessary.