Telnet offers users the capability of running programs remotely and facilitates remote administration. The Telnet protocol defines a set of protocol commands that are used for the following two purposes:
- To represent standard control functions that need to be sent between a terminal and a host, such as the command to interrupt a process
- To enable protocol communication between the Telnet client and server software
Protocol commands are sent in the normal data communication stream over the Telnet session's TCP connection. Each is represented by a byte value from 240 to 254, and is preceded by the Interpret As Command (IAC) command, byte value 255, which tells the recipient that the next byte in the stream is a command and not data.
A Denial of Service (DoS) vulnerability has been reported in the Microsoft IIS FTP server 7.5 which occurs when the FTP server attempts to encode the Telnet IAC (Interpret As Command) character in an FTP response. The IAC character, represented as decimal 255 (hex 0xFF) in the response, must be encoded by adding a second 0xFF byte at each position in the FTP response where the IAC character is present. Due to an error in this processing, it is possible to reach a state in which an attacker can overwrite a portion of the response with a string of 0xFF bytes, even past the end of the heap buffer, resulting in a heap buffer overrun. In that situation, the only thing a malicious client controls in this overrun is the number of bytes by which the buffer is overrun. It cannot control the data that is written: the overwriting bytes are always the IAC character 0xFF.
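The defect described above is a sizing error: the escaped response can be longer than the raw response, because every 0xFF byte becomes two. The following C code is an added example (not IIS code and not the published proof of concept) that shows the two halves of correct IAC handling from the previous paragraphs: the sending side computes the escaped length first and refuses to write when the destination is too small, and the receiving side splits a stream back into data bytes and commands. The function names, the `IAC_ERR` sentinel and the sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IAC 0xFF                      /* Interpret As Command, RFC 854 */
#define IAC_ERR ((size_t)-1)          /* constructed sentinel: output buffer too small */

/* Bytes the escaped form of in[0..len) occupies: every 0xFF is doubled.
   This is the number the output buffer must be sized from, not the raw length. */
size_t iac_escaped_len(const uint8_t *in, size_t len) {
    size_t n = len;
    for (size_t i = 0; i < len; i++)
        if (in[i] == IAC) n++;
    return n;
}

/* Escape IAC bytes: each 0xFF is emitted as 0xFF 0xFF.
   Returns bytes written, or IAC_ERR (and writes nothing) if out_cap is too small. */
size_t iac_escape(const uint8_t *in, size_t len, uint8_t *out, size_t out_cap) {
    size_t need = iac_escaped_len(in, len);
    if (need > out_cap)
        return IAC_ERR;               /* bound checked against the escaped length */
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        out[o++] = in[i];
        if (in[i] == IAC)
            out[o++] = IAC;           /* cannot overrun: 'need' already counted this byte */
    }
    return o;
}

/* Receiver side: IAC IAC is one literal 0xFF data byte; IAC followed by
   240..254 is a command, not data. WILL/WONT/DO/DONT (251..254) carry one
   option byte, which is consumed here; subnegotiation (SB, 250) bodies are
   not parsed in this simplified example. A trailing lone IAC is left for the
   next read. Returns the data length; *ncmd receives the number of commands. */
size_t iac_decode(const uint8_t *in, size_t len, uint8_t *data, size_t *ncmd) {
    size_t d = 0;
    *ncmd = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] != IAC) { data[d++] = in[i]; continue; }
        if (i + 1 >= len) break;      /* truncated IAC sequence: wait for more input */
        uint8_t next = in[++i];
        if (next == IAC) { data[d++] = IAC; continue; }
        if (next >= 251 && next <= 254) {
            if (i + 1 >= len) break;  /* option byte not yet received */
            i++;
        }
        if (next >= 240) (*ncmd)++;   /* command byte; bytes below 240 are ignored here */
    }
    return d;
}

/* Round-trip check on a constructed response containing several 0xFF bytes. */
int iac_selftest(void) {
    const uint8_t raw[] = {0x41, IAC, 0x42, IAC, IAC};       /* constructed input */
    uint8_t out[16], back[16];
    size_t ncmd;
    if (iac_escape(raw, sizeof raw, out, sizeof raw) != IAC_ERR) return 0; /* raw size is not enough */
    size_t n = iac_escape(raw, sizeof raw, out, sizeof out);
    if (n != 8) return 0;
    size_t d = iac_decode(out, n, back, &ncmd);
    return d == sizeof raw && ncmd == 0 && memcmp(raw, back, d) == 0;
}

int main(void) {
    printf("IAC escape/decode self-test: %s\n", iac_selftest() ? "ok" : "FAILED");
    return iac_selftest() ? 0 : 1;
}
```

The point of `iac_escape` is the order of operations: the required size is computed from the escaped length before a single byte is written, so a response with many 0xFF bytes fails cleanly instead of writing past the end of a buffer that was sized for the unescaped data.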
Successful exploitation of this vulnerability could cause a Denial of Service (DoS), rendering the FTP service unresponsive. It should be noted that exploitation of this vulnerability affects only the FTP service and not any of the web services hosted by IIS.
Note: POC is available on the Internet.
The information provided herein is on an "as is" basis, without warranty of any kind.