Windows 7 and 2008 R2 IIS FTP Telnet IAC Remote DoS PoC

Posted By: SecurityTube_Bot
Posted On: Tue 22 Feb 2011
Views: 2820
Description:

The vulnerability occurs when the FTP server attempts to encode the Telnet IAC (Interpret As Command) character in an FTP response. The IAC character, represented as decimal 255 (hex FF), must be escaped by inserting a second 255 byte at every position in the response where an IAC character appears. Due to an error in this processing, it is possible to reach a state in which an attacker can overwrite a portion of the response with a string of 0xFF bytes, even past the end of the heap buffer, resulting in a heap buffer overrun. In that situation, the only thing the malicious client controls in the overrun is the number of bytes by which the buffer is overrun. It cannot control the data that is written: the data will always be the IAC character 0xFF.

The malicious client, however, does not control the addresses at which data is overwritten. This, together with the fact that the FTP 7.5 service was also protected by Data Execution Prevention (DEP), meant that the attack would only result in a denial of service and not in code execution.
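As an added example, not taken from the video or from Microsoft's code: a bounds-checked IAC escaping routine in C. It computes the escaped length first and refuses any output that would not fit, which is the check whose absence lets a reply full of 0xFF bytes run past the end of its buffer as described above. The function names are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Telnet IAC byte (RFC 854). A literal 0xFF inside an FTP reply must be
 * sent as the pair 0xFF 0xFF so the client does not read it as the start
 * of a Telnet command. */
#define IAC 0xFF

/* Bytes the escaped form of in[0..n) occupies: every IAC grows by one.
 * Computing this up front lets the caller size the destination buffer
 * instead of discovering the overrun while writing. */
size_t iac_escaped_len(const unsigned char *in, size_t n)
{
    size_t out = n;
    for (size_t i = 0; i < n; i++)
        if (in[i] == IAC)
            out++;
    return out;
}

/* Escape in[0..n) into out (capacity outcap). Returns the number of bytes
 * written, or SIZE_MAX if out is too small. Nothing is written in the
 * failure case, so a reply consisting only of 0xFF bytes can at worst be
 * refused; it can never overrun the destination buffer. */
size_t iac_escape(const unsigned char *in, size_t n,
                  unsigned char *out, size_t outcap)
{
    size_t need = iac_escaped_len(in, n);
    if (need > outcap)            /* reject before touching out */
        return SIZE_MAX;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        out[j++] = in[i];
        if (in[i] == IAC)
            out[j++] = IAC;       /* doubled IAC */
    }
    return j;
}
```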

This vulnerability was discovered by Matthew Bergin and this video was posted by wowzataz.
