Signature Detail

FTP: Microsoft FTP Service STAT Globbing Denial of Service

This signature detects denial-of-service (DoS) attempts against Microsoft FTP Service in Microsoft IIS 4.0 and 5.0. Attackers who have previously established an FTP session can send glob charaters within a maliciously crafted status request to crash the server.

Extended Description

A vulnerability has been identified in the way Microsoft Internet Information Server's FTP service handles certain requests for transfer status. The condition is present when a request is made for the FTP transfer status is made via the STAT command. A client issuing this command with a large number of file globbing characters as the argument may cause the service to crash. On IIS 4.0 servers, the service must be manually restarted. On IIS 5.0 and 5.1 servers, the service will restart itself automatically. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.

Affected Products

• Cisco Building Broadband Service Manager (BBSM) 4.0.1
• Cisco Building Broadband Service Manager (BBSM) 4.2.0
• Cisco Building Broadband Service Manager (BBSM) 4.3.0
• Cisco Building Broadband Service Manager (BBSM) 4.4.0
• Cisco Building Broadband Service Manager (BBSM) 4.5.0
• Cisco Building Broadband Service Manager (BBSM) 5.0.0
• Cisco Building Broadband Service Manager (BBSM) 5.1.0
• Cisco Call Manager 3.0.0
• Cisco Call Manager 3.1.0
• Cisco Call Manager 3.2.0
• Cisco Unity Server 2.0.0
• Cisco Unity Server 2.1.0
• Cisco Unity Server 2.2.0
• Cisco Unity Server 2.3.0
• Cisco Unity Server 2.4.0
• Microsoft IIS 4.0
• Microsoft IIS 5.0
• Microsoft IIS 5.1
• Microsoft IIS Far East Edition 5.0

References

• BugTraq: 4482
• CERT: CA-2002-09
• CVE: CVE-2002-0073
• URL: http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx
• URL: http://packetstormsecurity.org/advisories/microsoft/ms02-018