after Brazil´s indepence day, I´m back to work! It´s good to relax one day more after weekend. 🙂
today I was reading about Microsoft FTP server service vulnerability pointed by a friend of mine (Kaio Rafael, thanks!). He provided me a link from ZD Net. After reading it, I went direct to the source for more details.
According to Microsoft´s security advisory these two vulnerability´s affects the following Windows OS, in summary:
Windows 2000, XP, 2003 Vista and 2008.
The non-affected softwares section have only:
Windows 7 and Windows 2008 R2.
One of them allow remote code execution and the other causes system DoS (Denial of Service).
The risk for IIS 5.1 (Windows XP) and IIS 6.0 (Windows 2003) be successed exploited by the first vulnerability is reduced, because a /GS protection that comes built-in for those versions.
Besides the detailed Microsoft security advisory, I also recommend read Security Research & Defense blog post about the issue.
However, I did not start this blog post to repeat what is said already. What cames to my attention when I was testing the vulnerability with an exploit published on milw0rm web site was the fact that none of the links mentioned above, informed the behaviour when Microsoft FTP Service brokes down by DoS attack. You start to think: "Hey, what are you talking about? Do you know DoS means: no service will be available??"
Yes, I do know. But, IIS Admin Service is configured by default to recover when a fail occurs.
Fig 01 – Windows Server 2003 IIS Admin Service Properties page
"OK, what´s the point?!"
The point is if the System Administrator don´t check System event viewer regularly, he won´t be able to know if his FTP Server is/was under DoS attack! The event is registered as an Error under Service Control Manager source.
This is an alert for those admins who doesn´t do a event check on their servers. As Metallica uses to say "…sleep with one eye open…"
Hope this was useful! Till next post!!