Security Bulletin

Microsoft Security Bulletin MS98-006 - Important

Potential Denial-of-Service in IIS FTP Server due to Passive Connections

Published: July 23, 1998 | Updated: March 10, 2003

Version: 2.0

Patch Availability Information Updated: March 10, 2003

Last Revision: July 23, 1998

Summary

Microsoft was recently alerted to an issue with the way the Microsoft® Windows NT Server's Internet Information Server (IIS) processes passive FTP connection requests. Certain situations involving multiple passive FTP connections may result in errors, system performance problems, and denial of service for both the FTP service and the WWW service running on the same computer.

This issue involves a denial of service vulnerability. Potentially, someone with malicious intent could cause a disruption of service. It cannot be used to crash the FTP server, or any other service running on the targeted system.

The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures that Microsoft has developed to further secure its customers.

Issue

When multiple passive connections are made to a single FTP server through the PASV FTP command, it is possible to use up all available system threads for servicing clients. Once this happens, requests for additional connections will fail as discussed above, and will continue to fail until a client thread is again available. Further, the FTP and WWW services on a computer share a common thread pool, and exhausting the FTP thread pool will also cause a failure in connection requests for the WWW service.

This vulnerability does not affect other services running on the same system, nor does it cause the FTP or WWW service to crash. Once the passive connections time out, the system performance returns to normal.

Server Administrators will see the following error in the System Event Log:

  • FTP Server could not create a client worker thread for user at host 'IPAddress'. The connection to this user is terminated. The data is the error.

Clients accessing either the WWW or FTP services might see either of the following two messages:

  • Connection closed by remote host
  • The FTP session was terminated

Affected Software Versions

  • Microsoft Windows NT Server's IIS 2.0, 3.0, 4.0

Vulnerability Identifier: CVE-1999-1148

What Microsoft is Doing

Microsoft has produced an update for Windows NT Server's IIS versions 2.0, 3.0, and 4.0.

Intel Platforms

Windows NT Server's IIS 4.0:

https:

Windows NT Server's IIS 3.0 and IIS 2.0:

https:

Alpha Platforms

Windows NT Server's IIS 4.0:

https:

Windows NT Server's IIS 3.0 and IIS 2.0:

https:

Note   Each of the above URLs is one path; they have been wrapped for readability.

What Customers Should Do

Microsoft recommends that customers hosting FTP sites with Windows NT Server's IIS install the update provided. Customers who do not use the FTP functionality of IIS do not need to install this update, since the problem only occurs on systems running the FTP service.

Note   Consider running the WWW and FTP services on separate servers to further decrease the possibility of attacks against the multiple services.

Note   Although this fix makes it significantly more difficult to mount a denial of service attack against an FTP server, and limits the potential impact and severity of such an attack, it does not make an attack impossible. Malicious use of the PASV FTP command could still exhaust server resources and could have a limited effect on the operation of the FTP server. Clients that use passive mode connections to connect to the FTP server may be denied service and clients that are uploading information to the FTP server may be denied service. If this denial happens, there will be many event log entries of the type shown below. The event log entries will give the user name of the attacker and the Internet Protocol (IP) address that originated the attack. Using this information, the FTP server administrator could choose to deny access to the attacker, or take other appropriate actions.

Event Log Entries:

  1. Passive connect from user %1 at host %2 timed out.
  2. File received from user %1 at host %2 timed out.

If you are seeing a large number of either of these events, you may be experiencing an attack.
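The following is an added example, not part of the original bulletin or any Microsoft tooling: a small Python script that tallies the two timeout events above per user and host from an exported event log and reports sources that exceed a threshold. The export line format (timestamp followed by the message), the sample lines, and the threshold of 5 are assumptions made for illustration.

```python
import re
from collections import Counter

# The two message templates quoted in the bulletin (%1 = user, %2 = host).
TIMEOUT_EVENT = re.compile(
    r"(?:Passive connect|File received) from user (?P<user>.+?) "
    r"at host (?P<host>\S+) timed out\."
)

def count_timeouts(lines):
    """Count timeout events per (user, host) pair."""
    counts = Counter()
    for line in lines:
        m = TIMEOUT_EVENT.search(line)
        if m:
            # Some messages quote the address ('IPAddress'); normalise it.
            counts[(m.group("user"), m.group("host").strip("'"))] += 1
    return counts

def suspects(lines, threshold=5):
    """Return (user, host, count) for sources at or above the threshold.

    The threshold is an assumed starting point; tune it to normal traffic.
    """
    hits = [(u, h, n) for (u, h), n in count_timeouts(lines).items()
            if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])

# Constructed sample export: timestamps, users and addresses are made up
# (addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = (
    [f"1998-07-24 10:00:{i:02d} Passive connect from user anonymous "
     "at host 192.0.2.10 timed out." for i in range(5)]
    + [f"1998-07-24 10:01:{i:02d} File received from user anonymous "
       "at host 192.0.2.10 timed out." for i in range(2)]
    + ["1998-07-24 10:02:00 Passive connect from user alice "
       "at host 198.51.100.7 timed out.",
       "1998-07-24 10:02:05 Unrelated constructed log line."]
)

if __name__ == "__main__":
    for user, host, n in suspects(SAMPLE_LOG):
        print(f"{n} timeout events from user {user} at host {host}")
```

A single timeout from a host is normal on a busy server; the per-source count is what separates a slow client from the pattern the bulletin describes.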

More Information

Please see the following references for more information related to this issue.

  • Microsoft Security Bulletin 98-006, Potential Denial-of-Service in IIS FTP Server due to Passive Connections (the Web posted version of this bulletin), https://www.microsoft.com/technet/security/bulletin/ms98-006.mspx
  • Microsoft Knowledge Base (KB) article 189262, FTP Passive Mode May Terminate Session, https:
  • Microsoft Knowledge Base (KB) article 181743, Error Message 426 Trying to Retrieve File from FTP Server, https:

Revisions

  • July 23, 1998: Bulletin Created
  • V2.0 (March 10, 2003): Introduced versioning and updated patch availability information

For additional security-related information about Microsoft products, please visit https://www.microsoft.com/technet/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
