This issue involves a denial of service vulnerability that potentially can
be used by someone with malicious intent to cause disruption of service. It
cannot be used to crash the FTP server, or any other service running on the
targeted system.
When multiple passive connections are made to a single FTP server via the
PASV FTP command, it is possible to use up all available system threads for
servicing clients. Once this happens, requests for additional connections
will fail as discussed above, and will continue to fail until a client
thread is again available. Further, the FTP and WWW services on a machine
share a common thread pool, so exhausting the FTP thread pool also will
cause connection requests for the WWW service to fail.
This vulnerability does not affect other services running on the same
system, nor does it cause the FTP or WWW service to crash. Once the passive
connections time out, the system performance will return to normal.
Server Administrators will see the following error in the System Event Log:
FTP Server could not create a client worker thread for user
at host 'IPAddress'. The connection to this user is terminated.
The data is the error.
Clients accessing either the WWW or FTP services might see messages such as
either of the following:
- Connection closed by remote host
- The FTP session was terminated
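The System Event Log message quoted above is the most direct indicator that the shared thread pool has been exhausted. The following script is an added example (not part of this advisory and not Microsoft's code) showing how an administrator could scan an exported event log for that message, group the failures by source host, and flag any host that triggers repeated failures inside a short window. It assumes the log export places an ISO-style timestamp before each message and that the user name appears inline after "for user"; the sample lines and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of System Event Log entries (not real data).
# Each line is assumed to carry a timestamp followed by the event text.
SAMPLE_LOG = """\
1999-01-28 10:02:13 FTP Server could not create a client worker thread for user anonymous at host '192.0.2.10'. The connection to this user is terminated.
1999-01-28 10:02:14 FTP Server could not create a client worker thread for user anonymous at host '192.0.2.10'. The connection to this user is terminated.
1999-01-28 10:02:15 FTP Server could not create a client worker thread for user anonymous at host '192.0.2.10'. The connection to this user is terminated.
1999-01-28 10:02:40 FTP Server could not create a client worker thread for user anonymous at host '192.0.2.10'. The connection to this user is terminated.
1999-01-28 10:03:05 FTP Server could not create a client worker thread for user anonymous at host '192.0.2.10'. The connection to this user is terminated.
1999-01-28 10:30:00 FTP Server could not create a client worker thread for user ftpuser at host '198.51.100.7'. The connection to this user is terminated.
1999-01-28 10:31:00 Service Control Manager: The FTP Publishing Service entered the running state.
"""

# Matches the worker-thread failure message from the advisory; the timestamp
# prefix and inline user name are assumptions about the export format.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"FTP Server could not create a client worker thread for user (?P<user>\S+) "
    r"at host '(?P<host>[^']+)'\."
)


def parse_events(text):
    """Return (timestamp, user, host) tuples for every matching log line.

    Lines that are not the worker-thread failure message are ignored.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("host")))
    return events


def find_exhaustion(events, threshold=3, window=timedelta(minutes=5)):
    """Flag hosts with at least `threshold` failures inside any sliding window.

    Returns a dict mapping host -> peak number of failures seen in one window.
    A single host producing a burst of these events is consistent with the
    PASV thread-pool exhaustion described in the advisory; isolated events
    from many hosts are more likely ordinary load.
    """
    by_host = defaultdict(list)
    for ts, _user, host in events:
        by_host[host].append(ts)

    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(f"parsed {len(events)} worker-thread failures")
    for host, peak in find_exhaustion(events).items():
        print(f"host {host}: {peak} failures within one window; "
              f"check for stale PASV data connections and apply the fix")
```

Because the FTP and WWW services share the thread pool, a burst of these events should be correlated with any concurrent WWW connection failures; the threshold and window above are starting points to tune against the server's normal event rate.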
Fix for this problem
Fixes are available at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis3-ftpfix/ for IIS3,
and ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-ftpfix/ for IIS4.