Microsoft Ftp Service Exploit

Posted on admin
Microsoft Ftp Service Exploit Average ratng: 4,5/5 2407 votes

Severity: High 8 February, 2011 Summary: This vulnerability affects: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2 How an attacker exploits it: By sending a specially crafted FTP command Impact: In the worst case, an attacker gains complete control of your IIS server What to do: Deploy the appropriate IIS []. # Exploit Title: Microsoft IIS 5.0/6.0 FTP Server (Stack Exhaustion) Denial of Service [GUI VERSION]. # Exploit Author: D35m0nd142.

  1. Microsoft Windows 10 Ftp Service
-->

Overview

The <authentication> element specifies the authentication settings for FTP sites. The authentication settings are configured at the site-level only, although FTP <authorization> settings can be configured per URL.

There are four different forms of authentication that can be configured for an FTP site:

  • Anonymous authentication: This form of authentication allows access to an FTP site without a user account on your server or domain, and is most often used for public FTP sites. Typically, users will log in by using a user name of ftp or anonymous, and most users will use their e-mail address as a password, although this is not required.
  • Basic authentication: This form of authentication requires a valid user account on your server or domain before users can log in.

    Note: Due to the design of File Transfer Protocol (FTP), user names and passwords are transmitted over FTP in plain text, making them vulnerable to network discovery. It is therefore recommended that you use Basic authentication with SSL.

  • Client Certificate authentication: This form of authentication uses client certificates to authenticate FTP clients.
  • Custom authentication: This form of authentication uses custom authentication providers to validate user names and passwords. FTP 7.0 and FTP 7.5 ship with two custom authentication providers:

    • ASP.NET Membership authentication: This uses an ASP.NET membership database to validate user names and passwords. For more information, see the Configuring FTP with .NET Membership Authentication topic on Microsoft's IIS.NET Web site.
    • IIS Manager authentication: This uses the IIS Manager configuration to validate user names and passwords. For more information, see the Configure FTP with IIS 7.0 Manager Authentication topic Microsoft's IIS.NET Web site.

    The main advantage of using custom authentication providers is that user accounts do not have to be created on your server or domain. This improves your network's security.

Compatibility

VersionNotes
IIS 10.0The <authentication> element was not modified in IIS 10.0.
IIS 8.5The <authentication> element was not modified in IIS 8.5.
IIS 8.0The <authentication> element was not modified in IIS 8.0.
IIS 7.5The <authentication> element of the <security> element ships as a feature of IIS 7.5.
IIS 7.0The <authentication> element of the <security> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0The <ftpServer> element and its child elements replace the IIS 6.0 FTP settings that were located in the LM/MSFTPSVC metabase path.

Note

The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:

With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.

Setup

To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

Windows Server 2012 or Windows Server 2012 R2

  1. On the taskbar, click Server Manager.
  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
  3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
  4. On the Server Roles page, expand Web Server (IIS), and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will need to select FTP Extensibility , in addition to FTP Service .
    .

  5. Click Next, and then on the Select features page, click Next again.
  6. On the Confirm installation selections page, click Install.
  7. On the Results page, click Close.

Windows 8 or Windows 8.1

  1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
  3. Expand Internet Information Services, and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility .

  4. Click OK.
  5. Click Close.

Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility .

  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, and then FTP Server.
  4. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility .

  5. Click OK.

Windows Server 2008 or Windows Vista

  1. Download the installation package from the following URL:

  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to enable or disable Anonymous authentication for an FTP site

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand the Sites node, and then click the name of the site.
  3. In the site's Home pane, double-click the FTP Authentication feature.
  4. On the FTP Authentication page, select Anonymous Authentication.
  5. In the Actions pane, click Enable to enable Anonymous authentication or click Disable to disable Anonymous authentication.

How to use the FTP Site Wizard to Create an FTP Site with Anonymous Read Access

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, click the Sites node in the tree.
  3. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
  4. When the Add FTP Site wizard appears:

    • Enter 'My New FTP Site' in the FTP site name box.
    • For the Physical path box, you can use one of the following options to specify your content directory:

      • Click the ellipsis (...) button, and then navigate to the folder that contains the content for your FTP site.
      • Type in the path to your content folder in the box. Note that if you choose to type the path, you can use environment variables in your paths. For example, you can use '%SystemDrive%inetpubftproot' for your content directory.
    • When you have completed these items, click Next.
  5. On the second page of the Add FTP Site wizard:

    • Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of 'All Unassigned.'
    • Enter the TCP/IP port for the FTP site in the Port box. By default, FTP sites and clients use port 21. (Note: To specify Implicit FTPS, you need to use port 990.)
    • To use an FTP virtual host name, select the box for Enable Virtual Host Names, then enter the virtual host name in the Virtual Host box.
    • For the SSL options, choose one of the following options:

      • Select No SSL to disable the SSL options.
      • Select Allow SSL to allow FTP clients to optionally use FTP over SSL when they connect with the FTP server.
      • Select Require SSL to allow FTP clients to always use FTP over SSL when they connect with the FTP server.
      • If you choose Allow SSL or Require SSL, choose a certificate from the SSL Certificate drop-down menu.
    • When you have completed these items, click Next.
  6. On the next page of the wizard:

    • Select Anonymous for the Authentication settings.
    • For the Authorization settings, choose 'Anonymous users' from the Allow access to drop-down.
    • Select Read for the Permissions option.
    • When you have completed these items, click Finish.

How to enable or disable Basic authentication for an FTP site

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand the Sites node, and then click the name of the site.
  3. In the site's Home pane, double-click the FTP Authentication feature.
  4. On the FTP Authentication page, select Basic Authentication.
  5. In the Actions pane, click Enable to enable Basic authentication or click Disable to disable Basic authentication.

How to use the FTP Site Wizard to Create an FTP Site with Basic authentication and Read/Write Access

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, click the Sites node in the tree.
  3. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
  4. When the Add FTP Site wizard appears:

    • Enter 'My New FTP Site' in the FTP site name box.
    • For the Physical path box, you can use one of the following options to specify your content directory:

      • Click the ellipsis (...) button, and then navigate to the folder that contains the content for your FTP site.
      • Type in the path to your content folder in the box. Note that if you choose to type the path, you can use environment variables in your paths. For example, you can use '%SystemDrive%inetpubftproot' for your content directory.
    • When you have completed these items, click Next.
  5. On the second page of the Add FTP Site wizard:

    • Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of 'All Unassigned.'
    • Enter the TCP/IP port for the FTP site in the Port box. By default, FTP sites and clients use port 21. (Note: To specify Implicit FTPS, you need to use port 990.)
    • To use an FTP virtual host name, select the box for Enable Virtual Host Names, then enter the virtual host name in the Virtual Host box.
    • For the SSL options, choose one of the following options:

      • Select No SSL to disable the SSL options.
      • Select Allow SSL to allow FTP clients to optionally use FTP over SSL when they connect with the FTP server.
      • Select Require SSL to allow FTP clients to always use FTP over SSL when they connect with the FTP server.
      • If you choose Allow SSL or Require SSL, choose a certificate from the SSL Certificate drop-down menu.
    • When you have completed these items, click Next.
  6. On the next page of the wizard:

    • Select Basic for the Authentication settings.
    • For the Authorization settings, choose 'Specified users' from the Allow access to drop-down, and enter an account name in the box below the drop-down menu.
    • Select Read and Write for the Permissions option.
    • When you have completed these items, click Finish.

Configuration

Attributes

None.

Child Elements

ElementDescription
anonymousAuthenticationOptional element.
Specifies the Anonymous authentication settings for FTP sites.
basicAuthenticationOptional element.
Specifies the Basic authentication settings for FTP sites.
clientCertAuthenticationOptional element.
Specifies the Client Certificate authentication settings for FTP sites.
customAuthenticationOptional element.
Specifies the Custom authentication settings for FTP sites.
Note: Custom authentication is implemented through custom authentication providers.

Configuration Sample

The following configuration sample disables Anonymous authentication and enables Basic authentication by default.

Sample Code

The following code samples disable Anonymous authentication and enable Basic authentication by default.

Microsoft ftp service

AppCmd.exe

Note

You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

C#

VB.NET

JavaScript

VBScript

Today we released MS11-004 to address a vulnerability in the Microsoft FTP service an optional component of Internet Information Services (IIS). In this blog, we would like to cover some additional technical details of this vulnerability.

First, we want to clarify that the vulnerability lies in the FTP service component of IIS. The FTP service is an optional component of IIS and is not installed by default.

Microsoft Windows 10 Ftp Service

One part that may be confusing is the difference between the FTP service version and the IIS version. For example, the version of FTP service shipped with IIS 7 on Windows Vista and Windows Server 2008 is FTP 6.0, not FTP 7.0. However, you could also install FTP 7.0/7.5 as an optional component on IIS 7 from the Microsoft Download Center. If you are unsure what version of FTP service you are running and if your system is vulnerable; use this procedure to determine if the update is needed for your system.

  • If FTP service is not enabled, the system is not vulnerable.
  • If FTP service is enabled,
    • IIS 6 on Windows Server 2003: Not vulnerable
    • IIS 7 on Windows Vista and Windows Server 2008: By default, IIS 7 uses FTP 6.0, which is not vulnerable. However, if you install FTP 7.0/7.5 for IIS 7 package from Microsoft Download Center, then it is vulnerable.
    • IIS 7.5 on Windows 7 and Windows Server 2008 R2: FTP 7.5 shipped with IIS 7.5 is vulnerable.

Please note there is also a way to automate this process. FTP 6.0 is running with a different service name than FTP 7.0/7.5. Therefore, the idea is to check whether the “ftpsvc” service, the service name of FTP 7.0/7.5, is running or not. In our previous SRD blog Assessing an IIS FTP 7.5 Unauthenticated Denial of Service Vulnerability , we have already talked about the approach. Here we list it again:

A user can determine the status of the IIS FTP service by querying it through the command prompt (running as administrator):

  • Press the “Windows”+“R” key
  • Type “cmd.exe” (no quotes)
  • In the command prompt type “sc query ftpsvc” (no quotes)

If the service is not installed then the following will be displayed:

If the service is installed and running then the following will be displayed:

An alternative approach is to scan the file system to detect whether a machine is vulnerable. . If ‘ftpsvc.dll’ does not exist in the %system32%inetsrv directory, then your system is not affected. If you find a file named ‘ftpsvc2.dll’ this indicates that you have FTP 6.0 installed on the system and are also not affected by this vulnerability. The detection logic on Windows Update, Microsoft Update, and WSUS will handle the above scenarios, so that the update is only offered to IIS 7 systems that have FTP 7.0 or FTP 7.5 installed.

Finally, we would like to clarify the exploitability of this issue. We blogged about this issue in December 2010 here, and outlined why we thought remote code execution was unlikely. We said “these characteristics make it difficult to successfully execute a heap spray or partial function pointer override attack. Because of the nature of the overrun, the probable result will only be a denial of service and not code execution.”

Since then additional research has shown that it may be possible for this vulnerability to be exploited if DEP and ASLR protections are bypassed. No exploit has been seen in the wild, and no exploit code has been made publicly available. To sum up the current situation, while it may be possible to achieve code execution, the probable impact for most customers remains denial of service.

Acknowledgement

Thanks to Nazim Lala in the IIS team, the Japan CSS Security Response Team, and Brian Cavenah in the MSRC Engineering team for their work on this.

Chengyun Chu and Mark Wodrich, MSRC Engineering