RE: plugging old IIS FTP holes
From: Lee Evans (lee_at_vital.co.uk)
Date: 07/21/03
- Previous message: Stuart: "RE: plugging old IIS FTP holes"
- Maybe in reply to: Douglas Schlenker: "plugging old IIS FTP holes"
- Next in thread: Levinson, Karl: "RE: plugging old IIS FTP holes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <shahar@cellmate.co.il>, <focus-ms@securityfocus.com>
Date: Mon, 21 Jul 2003 15:51:27 +0100
Hi,
My apologies. It appears it isn't possible to change the version banner of
the IIS5 FTP service using the ISM. I should have checked this before I
posted, but I naively assumed this was one of the options you can change -
the reality is only the welcome and exit messages are configurable.
Apparently it is possible however using a hex editor and editing a couple of
system files - a google search should return relevant information.
Incidentally, IIS6 on Windows Server 2003 reports "Microsoft FTP Service",
but no version number. There is an option to configure the banner, but this
is appended to the above, as opposed to replacing it (even this isn't
possible on IIS5). I guess MS don't want us stripping their corporate name
from our public services.
Regards
Lee
--
Lee Evans
> -----Original Message-----
> From: Shahar Mesika_M [mailto:shahar@cellmate.co.il]
> Sent: 21 July 2003 16:37
> To: 'Lee Evans'
> Subject: RE: plugging old IIS FTP holes
>
> Hello Lee,
> can you post more details about:
>
> If you want to stop nessus reporting this, use the Internet
> Services Manager to change the banner of the FTP service.
>
> How it can be done?
>
> Thanks
>
> -----Original Message-----
> From: Lee Evans [mailto:lee@vital.co.uk]
> Sent: Monday, July 21, 2003 4:11 PM
> To: 'Douglas Schlenker'; focus-ms@securityfocus.com
> Subject: RE: plugging old IIS FTP holes
>
> Note the nessus information:
>
> " *** Warning : we could not verify this vulnerability.
> *** Nessus solely relied on the banner of this server"
>
> The patch in question is superseded by / included in SP3.
> You don't need to apply the separate patch, you are already
> protected against the vulnerability.
>
> If you want to stop nessus reporting this, use the Internet
> Services Manager to change the banner of the FTP service.
>
> Regards
> Lee
> --
> Lee Evans
> http://www.leevans.org
>
> > -----Original Message-----
> > From: Douglas Schlenker [mailto:Douglas.Schlenker@RoyalRoads.ca]
> > Sent: 19 July 2003 00:02
> > To: focus-ms@securityfocus.com
> > Subject: plugging old IIS FTP holes
> >
> > Hi there,
> >
> > I just finished running a Nessus scan against a new server I'm
> > bringing up. One of the "high" risk factor warnings I received was
> > this:
> >
> > It may be possible to make the remote FTP server crash
> > by sending the command 'STAT *?AAA...AAA.
> > An attacker may use this flaw to prevent your site from distributing
> > files
> > *** Warning : we could not verify this vulnerability.
> > *** Nessus solely relied on the banner of this server
> > Solution : Apply the relevant hotfix from Microsoft
> > See:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
> >
> > I went to Microsoft's website and downloaded the appropriate patch.
> > When I went to install it, the installation failed because the patch
> > will not install on a server that has a newer Service Pack than SP2.
> >
> > Any ideas how I can fix this hole without applying the patch? (Or, is
> > there an alternate patch for SP3 users?)
> >
> > Sincerely,
> >
> > Douglas Schlenker
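An added example, not part of the original thread: a Python sketch of what a banner-based check has to go on, for auditing a server you administer. It parses an FTP greeting into product, disclosed version and appended banner text, and flags scanner findings that carry the "solely relied on the banner" marker quoted above. The sample greetings, their exact layout and all function names are assumptions.

```python
import re
import socket

# Product string as given in the thread; "(Version x.y)" is optional because
# IIS6 omits it. The exact IIS5 greeting layout is an assumption.
PRODUCT = re.compile(r"Microsoft FTP Service(?: \(Version (\d+(?:\.\d+)*)\))?")
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
# Marker text quoted from the Nessus output in this thread.
BANNER_ONLY = "Nessus solely relied on the banner"

def read_greeting(host, port=21, timeout=5.0):
    """Return the greeting lines of an FTP server you administer."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="latin-1") as reader:
            for raw in reader:
                line = raw.rstrip("\r\n")
                lines.append(line)
                m = REPLY.match(line)
                if m and m.group(2) == " ":  # "NNN " ends a multi-line reply
                    break
    return lines

def parse_greeting(lines):
    """Split a greeting into product, disclosed version and appended text."""
    result = {"product": None, "version": None, "appended": []}
    for line in lines:
        m = REPLY.match(line)
        text = m.group(3) if m else line
        hit = PRODUCT.search(text)
        if hit:
            result["product"] = "Microsoft FTP Service"
            result["version"] = hit.group(1)  # None when no version is shown
        elif text.strip():
            result["appended"].append(text.strip())
    return result

def needs_host_check(finding_text):
    """True when the scanner says the finding rests on the banner alone."""
    return BANNER_ONLY in finding_text

# Constructed samples (not captured from a real server).
IIS5_SAMPLE = ["220 ftp1 Microsoft FTP Service (Version 5.0)."]
IIS6_SAMPLE = ["220-Microsoft FTP Service", "220 Authorised use only"]
if __name__ == "__main__":
    for sample in (IIS5_SAMPLE, IIS6_SAMPLE):
        print(parse_greeting(sample))
```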