CVE-2002-0073 in IIS
Summary
by MITRE
The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/23/2025
The vulnerability described in CVE-2002-0073 represents a significant denial of service flaw within Microsoft Internet Information Server versions 4.0, 5.0, and 5.1 FTP services. This issue specifically targets the handling of status requests that contain glob characters, which are special wildcard characters used in file system operations. The vulnerability exists at the protocol level where the FTP service fails to properly validate and process these glob patterns, creating an exploitable condition that can be leveraged by remote attackers to disrupt service availability.
The technical flaw manifests when an authenticated or unauthenticated FTP session is established with the vulnerable IIS servers. Attackers can craft malicious status requests that include glob characters such as asterisks, question marks, or other wildcard patterns that the FTP service processes without proper input sanitization. When the server attempts to interpret these malformed requests, the parsing routine becomes overwhelmed or enters an infinite loop, causing the FTP service to crash or become unresponsive. This behavior stems from insufficient bounds checking and input validation within the FTP protocol implementation, particularly in how the service handles file listing and status commands that should be straightforward operations but become resource-intensive when malformed glob patterns are introduced.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the entire server availability and integrity. Since the FTP service is often a critical component in web server infrastructure, a successful exploitation can lead to complete denial of service for all FTP-related operations, affecting legitimate users and potentially creating opportunities for further attacks. The vulnerability affects systems where FTP services are enabled and accessible to attackers, making it particularly dangerous in environments where these services are exposed to the internet without proper network segmentation or access controls. The attack can be executed remotely without requiring special privileges beyond establishing an initial FTP connection, making it a particularly attractive target for automated exploitation tools and malicious actors seeking to disrupt services.
Mitigation strategies for this vulnerability should focus on immediate patching of affected IIS versions, as Microsoft released security updates specifically addressing this flaw. Organizations should implement network segmentation to limit access to FTP services and consider disabling FTP functionality where it is not strictly required. Additionally, implementing proper input validation and monitoring for unusual status request patterns can help detect and prevent exploitation attempts. The vulnerability aligns with CWE-129, which describes improper validation of length of input buffers, and can be mapped to ATT&CK technique T1499.004, which covers network disruption through resource exhaustion. Network administrators should also consider implementing intrusion detection systems that can identify and block malformed FTP requests containing glob characters, providing an additional layer of defense against this specific attack vector.