• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Microsoft IIS FTP NO ACCESS Read/Delete File Vulnerability

Severity: MODERATE

Description:

IIS 4.0 FTP servers which have installed a specific post SP5 FTP hotfix are vulnerable to an exploit whereby FTP clients may download. and/or delete files (on the FTP server) that have been specifically marked as 'No Access' (via NTFS file or directory permissions). Web browser FTP clients may be able to view and/or download these files, while specially crafted requests from non-browser based FTP clients may be able to delete these files.

This vulnerability only affects IIS 4.0 servers running NT 4.0 SP5 with a specific post SP5 hotfix for an FTP get error as described in <http://support.microsoft.com/support/kb/articles/Q237/9/87.ASP >. Microsoft states there are no negative ramifications to applying this hotfix to SP4 or SP5 hosts who have not installed the previously referenced FTP hotfix.

To see if you are vulnerable, check the file version for Ftpsvc.dll. Versions 0718 through 0722 are thought to be vulnerable, although Microsoft documentation is unclear as to whether the vulnerable versions start with 0718 or 0719. Version 0724 represents the version installed by the latest hotfix.

The hotfix designed to correct this problem was not released in time for the upcoming NT 4.0 Service Pack 6. Service Pack 6 contains the "buggy" hotfix and will be vulnerable to this error when it is released. It will be necessary to install the corresponding hotfix after installing Service Pack 6, regardless of whether or not the Service Pack 5 installation was vulnerable.

Affected Products:

• Cisco Building Broadband Service Manager 5.0.0
• Cisco Call Manager 1.0.0
• Cisco Call Manager 2.0.0
• Cisco Call Manager 3.0.0
• Cisco ICS 7750 0.0.0
• Cisco IP/VC 3540 Video Rate Matching Module 0.0.0
• Cisco Unity Server 2.0.0
• Cisco Unity Server 2.2.0
• Cisco Unity Server 2.3.0
• Cisco Unity Server 2.4.0
• Cisco uOne 1.0.0
• Cisco uOne 2.0.0
• Cisco uOne 3.0.0
• Cisco uOne 4.0.0
• Microsoft BackOffice 4.0.0
• Microsoft BackOffice 4.5.0
• Microsoft Commercial Internet System 2.5.0
• Microsoft IIS 4.0.0
• Microsoft Windows NT 4.0 Option Pack

References:

• Microsoft: Combined FTP and Domain Restriction Security Patch for IIS 4.0
• Microsoft: FTP GET Does Not Work Correctly on UNC Virtual Directories
• Microsoft: Files on an FTP Server Can Be Improperly Accessed
• Microsoft: Frequently Asked Questions: Microsoft Security Bulletin (MS99-039)

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.