- A vulnerability has been found in Microsoft IIS 7.5 (Web Server) and classified as critical. This vulnerability affects some unknown processing of the component FTP Server. The manipulation as part of a Telnet IAC Character leads to a denial of service vulnerability (Heap-based).
- This module exploits multiple vulnerabilities found in Open&Compact FTP server. The software contains an authentication bypass vulnerability and a arbitrary file upload vulnerability that allows a remote attacker to write arbitrary files to the file system as long as there is.
Today we released MS11-004 to address a vulnerability in the Microsoft FTP service an optional component of Internet Information Services (IIS). In this blog, we would like to cover some additional technical details of this vulnerability.
First, we want to clarify that the vulnerability lies in the FTP service component of IIS. The FTP service is an optional component of IIS and is not installed by default.
Less than a week after the publication of exploit code for a critical vulnerability in the FTP Service in Microsoft Internet Information Services (IIS), attackers are now launching in-the-wild.
One part that may be confusing is the difference between the FTP service version and the IIS version. For example, the version of FTP service shipped with IIS 7 on Windows Vista and Windows Server 2008 is FTP 6.0, not FTP 7.0. However, you could also install FTP 7.0/7.5 as an optional component on IIS 7 from the Microsoft Download Center. If you are unsure what version of FTP service you are running and if your system is vulnerable; use this procedure to determine if the update is needed for your system.
- If FTP service is not enabled, the system is not vulnerable.
- If FTP service is enabled,
- IIS 6 on Windows Server 2003: Not vulnerable
- IIS 7 on Windows Vista and Windows Server 2008: By default, IIS 7 uses FTP 6.0, which is not vulnerable. However, if you install FTP 7.0/7.5 for IIS 7 package from Microsoft Download Center, then it is vulnerable.
- IIS 7.5 on Windows 7 and Windows Server 2008 R2: FTP 7.5 shipped with IIS 7.5 is vulnerable.
Please note there is also a way to automate this process. FTP 6.0 is running with a different service name than FTP 7.0/7.5. Therefore, the idea is to check whether the 'ftpsvc' service, the service name of FTP 7.0/7.5, is running or not. In our previous SRD blog Assessing an IIS FTP 7.5 Unauthenticated Denial of Service Vulnerability , we have already talked about the approach. Here we list it again:
A user can determine the status of the IIS FTP service by querying it through the command prompt (running as administrator):
- Press the 'Windows'+'R' key
- Type 'cmd.exe' (no quotes)
- In the command prompt type 'sc query ftpsvc' (no quotes)
If the service is not installed then the following will be displayed:
If the service is installed and running then the following will be displayed:
An alternative approach is to scan the file system to detect whether a machine is vulnerable. . If ‘ftpsvc.dll' does not exist in the %system32%inetsrv directory, then your system is not affected. If you find a file named ‘ftpsvc2.dll' this indicates that you have FTP 6.0 installed on the system and are also not affected by this vulnerability. The detection logic on Windows Update, Microsoft Update, and WSUS will handle the above scenarios, so that the update is only offered to IIS 7 systems that have FTP 7.0 or FTP 7.5 installed.
Finally, we would like to clarify the exploitability of this issue. We blogged about this issue in December 2010 here, and outlined why we thought remote code execution was unlikely. We said 'these characteristics make it difficult to successfully execute a heap spray or partial function pointer override attack. Because of the nature of the overrun, the probable result will only be a denial of service and not code execution.'
Since then additional research has shown that it may be possible for this vulnerability to be exploited if DEP and ASLR protections are bypassed. No exploit has been seen in the wild, and no exploit code has been made publicly available. To sum up the current situation, while it may be possible to achieve code execution, the probable impact for most customers remains denial of service.
Acknowledgement
Thanks to Nazim Lala in the IIS team, the Japan CSS Security Response Team, and Brian Cavenah in the MSRC Engineering team for their work on this.
Chengyun Chu and Mark Wodrich, MSRC Engineering
Severity: High 8 February, 2011 Summary: This vulnerability affects: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2 How an attacker exploits it: By sending a specially crafted FTP command Impact: In the worst case, an attacker gains complete control of your IIS server What to do: Deploy the appropriate IIS [].
The best posible result is TERE BINA TERE BINA DIL NAHI LAGDA BY RAHAT FATHE ALI KHAN that has been uploaded by AZ5JUTT786 and Tere Bina Song| Tezz| Ajay Devgan & Kangna Ranaut| Rahat Fateh Ali Khan probably the last item we have been found. You can download best quality Tere Bina Dil Nahi Lagda mp3 incuding 320kbps. Tere Bina Song| Tezz| Ajay Devgan & Kangna Ranaut| Rahat Fateh Ali Khan - mp3 by VENUS MOVIES Bitrate 128kbps|| Frequency 44100 Hz You are searching for Tere Bina Dil Nahi Lagda mp3 songs download. We have found total 14 songs. Soniye dil nahi lagda tere bina female mp3 download. Tere Bina Dil Nahi Lagda free mp3 download, Tere Bina Dil Nahi Lagda free mp3 download 320kbps, Tere Bina Dil Nahi Lagda free mp3 download mp3lio, Tere Bina Dil Nahi Lagda song download mp3, Tere Bina Dil Nahi Lagda mp3 song free download, Tere Bina Dil Nahi Lagda audio download, Tere Bina Dil Nahi Lagda mp3 download skull,Tere Bina Dil Nahi Lagda free mp3 download lyrics.
FTP is a service that is commonly used in Web Servers from Webmasters for accessing the files remotely.So it is almost impossible not to find this service in one of our clients systems during an engagement.
For that reason we will try to cover in this article a scenario of a possible attack against the FTP Server.
The first thing that we need to do is of course to identify which systems are running the FTP service (for the needs of this tutorial I have put only one system). We can do a simple scan with Nmap in order to find the open ports.
220 Microsoft Ftp Service Exploit Metasploit
We can see that the FTP port is open. Now the next logical step that we have to do is to identify which version the FTP application is running by using a method which called FTP banner grabbing.
Of course we can use the Nmap for the discovery of the remote operating system and the service fingerprinting but in this tutorial we will not take advantage of that.
Banner Grabbing is a technique that someone can use in order to extract information from application banners.For example if the remote host is a web server,we can try to connect through telnet.The banner results will give us an indication about the operating system and the type of the web server (Apache or IIS).
Command: telnet target_IP 80
220 Microsoft Ftp Service
In order to do a banner grabbing in the FTP service we will just try to connect through our console to the FTP server.
FTP Banner Grabbing
From the above image we can see that the version is 1.3.1 and the operating system is Debian.There are many things that we can do from here.First we can try to find if there is any public exploit for the ProFTPD 1.3.1 version.If there is then we can launch it against the FTP Service.
If there is not any public exploit for the specific version then we can try to find a valid username and password by using a dictionary attack.We can use any tool like THC Hydra for this job but in this article we will see how it could be achieved through metasploit.
Metasploit Framework has a specific module for attacking FTP servers.So we will search on the metasploit for the module ftp_login.
Now that we have found the FTP scanner it is time to configure it.Of course we will need some good wordlists for the usernames and the passwords.If we don't have then there is no problem because metasploit has a folder with various wordlists.Here we will use the wordlists that contains Unix usernames and passwords.
We are setting the scanner according to the following image and we type run in order to the scanner to start:
FTP Scanner Settings
The scanner has discovered 3 valid login credentials as you can see from the next 3 images.
Discovery of the service username/password
So now we have three valid logins to choose in order to connect to the FTP server.Lets try the last one which is the user as username and user as password.
Login with a valid account on the FTP server
We can see that we have successfully managed to login to the FTP server.Now we can execute the command ls -lat to the server in order to display the list with the current directories and subdirectories and the permissions that we have on the directories.
There are two directories that are important here.The SSH because it may contain private SSH keys and the bash_history because it keeps a history of all the commands that the user has run.For example you can find information about user ID,passwords,confidential file names,locations,server names and shared folders.
We will download the bash_history file to our computer with the command get as you see it in the image below:
Download the file to our computer
Except of the console for the connection to the FTP server we can use also our browser.We will try to login with the same credentials user/user
After some searching in the directories we have found a directory which contained the following:
Directory of usernames
We can see that there are 4 folders.A folder named user, a folder named service and a folder named msfadmin.
Microsoft Ftp Service
Microsoft Office Ftp
This is an indication that another account exists under the username msfadmin which probably is an administrator's account and has more privileges.The reason that we assumed that is because the folders names are the same with the usernames that we have discovered previously.
The previous accounts had passwords same with the usernames.So we will try to login with the following credentials:
Username: msfadmin
Password: msfadmin
The image above is showing that our try to login with the username/password msfadmin was successful.If the password was different then we could have tried another dictionary attack against the FTP server in order to find and the password.
So we have managed to login to the FTP server with an administrator's account.
Conclusions
There are some conclusions that we can make regarding this scenario.First of all the banner grabbing allow us to discover valuable information about the FTP server and the target operating system.This means that if the administrator had changed the FTP banner then it would be much harder for us to disclose these information.
Microsoft Ftp Service Exploit Free
In addition we have noticed the weak credentials of the 3 accounts that we discovered.Also the administrator's account password is the same with the username.This account policy is unacceptable in most of the companies and probably you will not meet something similar.However even large organizations are suffering from weak passwords so eventually it can happen.It is important for that reason to have a good password policy.
On the other hand if a malicious user was trying brute force or dictionary attacks (like this scenario) against the FTP server then it would probably flooded the log files.A security solution that would block the IP address after 3 unsuccessful logins would be the most effective.