J-Security Center

Title: Microsoft IIS FTPd NLST Remote Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Microsoft Internet Information Services (IIS) is a web server for Microsoft Windows. The affected component is the FTP service bundled with IIS.

The FTP service is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. The issue is triggered when the server processes a specially crafted 'NLST' (NAME LIST) command whose argument refers to a directory with a specially crafted name. An attacker can create such a directory when the FTP server grants write access to the anonymous account or to another account the attacker controls.

An attacker can exploit this issue to execute arbitrary code in the context of the affected FTP service. Failed exploit attempts result in a denial-of-service condition (the service crashes).

This issue affects the following:

IIS 5.0
IIS 5.1
IIS 6.0 (denial of service only)
IIS 7.0 (denial of service only)

Note that Microsoft IIS 7.0 with FTP Service 7.5 is not affected.

Other versions may also be affected.

NOTE: This issue cannot be exploited to execute arbitrary code on IIS 6.0 or 7.0.

NOTE (September 1, 2009): This issue can be exploited to execute arbitrary code with SYSTEM-level privileges on IIS 5.0.

NOTE (September 2, 2009): Some reports indicate that this issue can result in a crash even when the attacker does not have permission to create a directory on the server. A crash occurs as long as some directory on the server has a name that starts with the character(s) given in the 'NLST' command, where the command argument consists of those character(s) followed by an excessive amount of string data. It is also reportedly possible to trigger a crash by supplying a '*' wildcard along with the long string in the 'NLST' argument.

UPDATE (September 8, 2009): This issue may be related to a vulnerability reported in 1999 affecting IIS 3 and IIS 4. We will update this BID as more details emerge.
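The triggering conditions described above (a long-named directory created over FTP, followed by an 'NLST' whose argument is oversized or carries a '*' wildcard) leave a visible trail in the FTP server's logs. The following Python script is an added example for this advisory, not code from Juniper, Microsoft or the original reporter: it parses W3C extended-format IIS FTP log lines and flags that pattern, rating an 'NLST' higher when the same client previously created a long-named directory. The sample log lines are constructed, and the method tokens ("[1]NLST", "[1]MKD") and the 200-character threshold are assumptions to check against logs from your own IIS version.

```python
"""Scan IIS FTP W3C-format logs for NLST/MKD activity matching this advisory.

Added example for this advisory, not Juniper's or Microsoft's code. The sample
log lines are constructed; the exact cs-method tokens a given IIS version
writes (for example "[1]NLST") and the LONG_ARG threshold are assumptions to
verify against real logs before relying on this in production.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Assumed threshold: legitimate path arguments are far shorter than this.
LONG_ARG = 200
WILDCARD = re.compile(r"[*?]")
# IIS 5/6 FTP logs prefix the verb with a session number, e.g. "[1]NLST" (assumed).
METHOD = re.compile(r"^(?:\[\d+\])?([A-Za-z]+)$")


@dataclass
class Finding:
    line_no: int
    client: str
    user: str
    reason: str
    severity: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields: List[str] = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # header missing or malformed record: skip rather than guess
        record = dict(zip(fields, parts))
        record["_line_no"] = str(line_no)
        yield record


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag long NLST arguments and the long-named MKD that precedes exploitation."""
    findings: List[Finding] = []
    clients_with_long_mkd = set()
    for rec in parse_w3c(lines):
        m = METHOD.match(rec.get("cs-method", ""))
        if not m:
            continue
        verb = m.group(1).upper()
        arg = rec.get("cs-uri-stem", "-")
        client = rec.get("c-ip", "?")
        user = rec.get("cs-username", "-")
        line_no = int(rec["_line_no"])
        if verb == "MKD":
            leaf = arg.rstrip("/").rsplit("/", 1)[-1]
            if len(leaf) >= LONG_ARG:
                clients_with_long_mkd.add(client)
                findings.append(Finding(
                    line_no, client, user,
                    f"MKD of a {len(leaf)}-character directory name by '{user}'",
                    "medium"))
        elif verb == "NLST" and len(arg) >= LONG_ARG:
            reason = f"NLST with a {len(arg)}-character argument"
            if WILDCARD.search(arg):
                reason += " containing a wildcard"
            # The same client already created a long-named directory: that is the
            # full precondition from the advisory, so rate it higher.
            severity = "high" if client in clients_with_long_mkd else "medium"
            findings.append(Finding(line_no, client, user, reason, severity))
    return findings


LONG_NAME = "A" * 300  # constructed, payload-sized directory name for the sample log
SAMPLE_LOG = [  # constructed sample in IIS W3C extended format (addresses are documentation ranges)
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status",
    "2009-09-01 10:00:01 203.0.113.7 anonymous [1]USER anonymous 331 0",
    "2009-09-01 10:00:01 203.0.113.7 anonymous [1]PASS - 230 0",
    f"2009-09-01 10:00:02 203.0.113.7 anonymous [1]MKD /incoming/{LONG_NAME} 257 0",
    f"2009-09-01 10:00:03 203.0.113.7 anonymous [1]NLST /incoming/{LONG_NAME} 226 0",
    f"2009-09-01 10:00:04 198.51.100.9 anonymous [2]NLST *{LONG_NAME} 426 0",
    "2009-09-01 10:00:05 192.0.2.20 jdoe [3]NLST /pub 226 0",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} {f.severity:6} {f.client:14} {f.reason}")
```

Run against the constructed sample, the script reports three findings: the anonymous 'MKD' of a 300-character name (medium), the follow-up 'NLST' from the same client (high, because the precondition was observed), and a wildcard 'NLST' from a second client that never created a directory (medium, matching the crash-only variant noted above); the ordinary 'NLST /pub' is not flagged. Because the parser reads the '#Fields:' header rather than assuming column positions, it tolerates logs whose field selection differs from the sample.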

Affected Products:

  • Microsoft IIS 5.0
  • Microsoft IIS 5.1
  • Microsoft IIS 6.0
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.