IIS 4.0: FTP "Bounce" Attack and CERT Advisory CA-97.27 (185378)
The information in this article applies to:
- Microsoft Internet Information Server 4.0
This article was previously published under Q185378 We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: SUMMARY
The CERT ( http://www.Cert.org) Advisory CA-97.27 warns of an FTP security
attack called the "Bounce" attack. This involves misuse of the Port
command to maliciously open a connection to a port on the File Transfer
Protocol (FTP) server.
The FTP Server service in Microsoft Internet Information Server version
4.0 (IIS) is not susceptible to this attack.
MORE INFORMATION
The FTP server in IIS 4.0 disallows third-party data transfers. This is
done via a modification to the implementation of the Port command. When
the FTP server receives a Port command, the specified IP address must
match the client's source IP address for the control channel.
The FTP server in IIS 4.0 also has another level of protection:
disallowing the Port command from specifying reserved ports (those less
than 1024) except Port 20 (the default data port). By default, any client
attempt to issue a Port command with (port < 1024 and port != 20) causes
the Port command to fail.
| Modification Type: | Minor | Last Reviewed: | 6/23/2005 |
|---|
| Keywords: | kbinfo KB185378 |
|---|
|