Bugtraq mailing list archives

Microsoft Security Bulletin (MS98-006)


From: aleph1 () DFW NET (Aleph One)
Date: Fri, 24 Jul 1998 14:20:00 -0500


---------- Forwarded message ----------
Date: Fri, 24 Jul 1998 11:28:23 -0700
From: Microsoft Product Security Response Team <secure () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-006)

Microsoft Security Bulletin (MS98-006)

------------------------------------------------------------------------

Potential Denial-of-Service in IIS FTP Server due to Passive Connections

Last Revision: July 23, 1998

Summary
=======
Microsoft was recently alerted to an issue with the way the Microsoft(r)
Internet Information Server processes passive FTP connection requests.
Certain uses of multiple passive FTP connections may result in errors,
degrade system performance, and create denial of service situations for both
the FTP service and the WWW service running on the same machine.

This issue involves a denial of service vulnerability that potentially can
be used by someone with malicious intent to cause disruption of service. It
cannot be used to crash the FTP server, or any other service running on the
targeted system.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====
When multiple passive connections are made to a single FTP server via the
PASV FTP command, it is possible to use up all available system threads for
servicing clients. Once this happens, requests for additional connections
will fail as discussed above, and will continue to fail until a client
thread is again available.  Further, the FTP and WWW services on a machine
share a common thread pool, so exhausting the FTP thread pool also will
cause connection requests for the WWW service to fail.

This vulnerability does not affect other services running on the same
system, nor does it cause the FTP or WWW service to crash. Once the passive
connections time out, the system performance will return to normal.

Server Administrators will see the following error in the System Event Log:
   FTP Server could not create a client worker thread for user
   at host 'IPAddress'. The connection to this user is terminated.
   The data is the error.

Clients accessing either the WWW or FTP services might see messages such as
either of the following:
 - Connection closed by remote host
 - The FTP session was terminated

Affected Software Versions
==========================
 - Microsoft Internet Information Server 2.0, 3.0, 4.0

What Microsoft is Doing
=======================
Microsoft has produced an update for Microsoft Internet Information Server
versions 2.0, 3.0 and 4.0.

Intel Platforms
---------------
IIS 4.0:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
   ftp-fix/ftpfix4i.exe

IIS 3.0 and IIS 2.0:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
   ftp-fix/ftpfix3i.exe

Alpha Platforms
---------------
IIS 4.0:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
   ftp-fix/ftpfix4a.exe

IIS 3.0 and IIS 2.0:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
   ftp-fix/ftpfix3a.exe

NOTE: Each of the above URLs is a single path; they have been wrapped for
readability.

What customers should do
========================
Microsoft recommends that customers hosting FTP sites with Microsoft
Internet Information Server install the update listed above. Customers who
do not use the FTP functionality of IIS do not need to install this update,
as this problem only occurs on systems running the FTP service.

NOTE: Consider running the WWW and FTP services on separate servers to
further decrease the possibility of attacks against the multiple services.

NOTE: Although this fix makes it significantly more difficult to mount a
denial of service attack against an FTP server, and limits the potential
impact and severity of such an attack, it does not make an attack
impossible. Malicious use of the PASV FTP command could still exhaust server
resources and have a limited effect on the operation of the FTP server.
Clients that use passive mode connections to the FTP server, and clients
that are uploading information to the FTP server, may be denied service.
If this happens, there will be many event log
entries of the type shown below. The event log entries will give the user
name of the attacker and the IP address that originated the attack. Using
this information, the FTP server administrator could choose to deny access
to the attacker, or take other appropriate actions.

Event Log Entries:
 - Passive connect from user %1 at host %2 timed out.
 - File received from user %1 at host %2 timed out.

If you are seeing a large number of either of these events, you may be
experiencing an attack.
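The two timeout events above, together with the worker-thread failure from the Issue section, are the only indicators the bulletin gives an administrator. The following added example (not Microsoft's code, and not part of the original bulletin) counts those events per user and host over constructed sample log text, so that a source producing an unusual number of timeouts stands out; the threshold is an assumed cutoff, not a value from the bulletin.

```python
import re
from collections import Counter

# Event text as printed in the bulletin; %1 is the user name, %2 the host.
TIMEOUT_PATTERNS = [
    re.compile(r"Passive connect from user (?P<user>\S+) at host (?P<host>\S+) timed out"),
    re.compile(r"File received from user (?P<user>\S+) at host (?P<host>\S+) timed out"),
]
# The thread-pool exhaustion symptom from the Issue section (user may be blank).
EXHAUSTION_PATTERN = re.compile(
    r"FTP Server could not create a client worker thread for user (?P<user>\S*)\s*"
    r"at host '(?P<host>[^']+)'"
)


def summarize_ftp_events(lines):
    """Return (timeouts, exhaustion): timeouts maps (user, host) -> count of
    timeout events; exhaustion is the number of worker-thread failures seen."""
    timeouts = Counter()
    exhaustion = 0
    for line in lines:
        if EXHAUSTION_PATTERN.search(line):
            exhaustion += 1
            continue
        for pat in TIMEOUT_PATTERNS:
            m = pat.search(line)
            if m:
                timeouts[(m.group("user"), m.group("host"))] += 1
                break
    return timeouts, exhaustion


def suspicious_hosts(lines, threshold=10):
    """Hosts whose total timeout events reach the (assumed) threshold, sorted."""
    timeouts, _ = summarize_ftp_events(lines)
    per_host = Counter()
    for (_, host), n in timeouts.items():
        per_host[host] += n
    return sorted(h for h, n in per_host.items() if n >= threshold)


# Constructed sample event text; the addresses are documentation ranges, not real hosts.
SAMPLE_EVENTS = (
    ["Passive connect from user anonymous at host 192.0.2.10 timed out."] * 12
    + ["File received from user anonymous at host 192.0.2.10 timed out."] * 3
    + ["Passive connect from user ftpuser at host 198.51.100.7 timed out."] * 2
    + ["FTP Server could not create a client worker thread for user at host "
       "'192.0.2.10'. The connection to this user is terminated."]
)

if __name__ == "__main__":
    counts, failures = summarize_ftp_events(SAMPLE_EVENTS)
    print("worker-thread failures:", failures)
    print("hosts over threshold:", suspicious_hosts(SAMPLE_EVENTS))
```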

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin 98-006, Potential Denial-of-Service in
   IIS FTP Server due to Passive Connections (the web-posted version
   of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-006.htm
 - Microsoft Knowledge Base (KB) article Q189262, FTP Passive Mode May
   Terminate Session,
   http://support.microsoft.com/support/kb/articles/q189/2/62.asp
 - Microsoft Knowledge Base (KB) article Q181743, Error Message 426
   Trying to Retrieve File from FTP Server,
   http://support.microsoft.com/support/kb/articles/q181/7/43.asp

Revisions
=========
 - July 23, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security

------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

          =====================================================
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.


