Microsoft denied that details and Proof of Concept code available in the wild for an IIS FTP 7.5, which ships with Windows 7 and Windows Server 2008 R2, vulnerability indicate that exploits can lead to remote code execution.
Here’s what Microsoft said “The vulnerability occurs when the FTP server attempts to encode Telnet IAC (Interpret As Command) character in the FTP response.
The IAC character, which’s represented as decimal 255 (Hex FF) in the response, needs to be encoded by the addition of another decimal 255 character in the FTP response where we find the presence of IAC character.
Due to an error in this processing, it’s possible to get into a state where an attacker could overwrite a portion of the response with a string of 0xFFs even past the end of the heap buffer, resulting in a heap buffer overrun,” said Nazim Lala.
Lala explained that an attacker leveraging this vulnerability in an exploit willn’t be able to control the data that’s being overwritten. At the same time, the destination address where the data is overwritten is alson’t under the control of a potential attacker, which would also need to bypass an additional security mitigation: Data Execution Prevention (DEP).
Our second discovery is that “this vulnerability only affects IIS FTP Service and leaves the IIS Web Services completely unaffected. Hence a Denial of Service on the FTP service willn’t affect any of the web services hosted by IIS but only the FTP service”.
“Finally, the IIS FTP Service isn’t installed by default, and even after installation, it’s not enabled by default,” added Lala.
Microsoft promise that the investigation will continue and that a security update will be provided to patch the vulnerability if necessary.