September 1st, 2009

Microsoft confirms IIS zero-day flaw; Exploit code published

Posted by Ryan Naraine @ 7:48 pm

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Hackers, Locally Running Web Servers, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Windows Vista

Tags: Vulnerability, Exploit Code, Microsoft Corp., Zero-day Bug, Microsoft IIS Server, Security, Ryan Naraine

Microsoft late Tuesday confirmed the publication of exploit code for a serious code execution vulnerability in the File Transfer Protocol (FTP) Service in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0.

A security advisory from Redmond warned that the vulnerability could allow remote code execution on affected systems running the FTP service and connected to the Internet.

“While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code,” a Microsoft spokesman said in an e-mail.

From Microsoft’s advisory:

An attacker with write access in the FTP service could use this vulnerability to cause a stack-based overrun and execute arbitrary code in the context of the local system. In configurations of IIS where the anonymous user has write access, the attacker need not be authenticated.

The Microsoft Security Research & Defense blog offers more details:

The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name. To be vulnerable, an FTP server would need to grant untrusted users access to log into and create that long, specially-drafted directory. If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs.

Configurations at risk

The vulnerable code is in IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003). IIS 7.0 (Windows Vista, Windows Server 2008) is not vulnerable. IIS 6 is at reduced risk because it was built with /GS, which helps protect the service from exploits by deliberately terminating itself when the overflow is detected before the attacker’s code runs. We have not seen exploit code for this vulnerability that is able to bypass the /GS protection.

Also, remember that only servers that allow untrusted users to log on and create arbitrary directories are vulnerable.

In the absence of a patch, Microsoft recommends that administrators prevent untrusted users from having write access to the FTP service. The advisory contains instructions to:

  • Turn off the FTP service if you do not need it
  • Prevent creation of new directories using NTFS ACLs
  • Prevent anonymous users from writing via IIS settings
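To check whether a server meets the exposure condition described above (untrusted users able to log on and create directories), its FTP logs can be reviewed for successful directory creation. The following is an added example, not code from Microsoft's advisory or from this article; the log field set, the anonymous login names, the 200-character threshold and the sample lines are all assumptions constructed for illustration.

```python
import re

# Constructed sample in the W3C extended layout used by IIS FTP logs.
# The field set is an assumption; real logs declare theirs in "#Fields:".
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:01:02 192.0.2.10 [1]USER anonymous 331
10:01:02 192.0.2.10 [1]PASS user@example.com 230
10:01:05 192.0.2.10 [1]MKD uploads 257
10:02:11 192.0.2.77 [2]USER alice 331
10:02:12 192.0.2.77 [2]PASS - 230
10:02:20 192.0.2.77 [2]MKD reports 257
10:03:40 198.51.100.9 [3]USER anonymous 331
10:03:44 198.51.100.9 [3]MKD {long} 257
10:03:50 198.51.100.9 [3]MKD blocked 550
""".format(long="A" * 300)

METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")   # e.g. "[3]MKD"
ANON_USERS = {"anonymous", "ftp"}             # assumed anonymous login names
MAX_NAME = 200                                # assumed review threshold

def audit_ftp_log(text, max_name=MAX_NAME):
    """Return (client_ip, user, name_length, reasons) for risky successful MKDs."""
    fields, users, findings = [], {}, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        m = METHOD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        session = (rec.get("c-ip"), m.group(1))
        cmd, arg = m.group(2).upper(), rec.get("cs-uri-stem", "")
        if cmd == "USER":
            users[session] = arg.lower()
        elif cmd == "MKD" and rec.get("sc-status") == "257":  # 257 = created
            reasons = []
            if users.get(session) in ANON_USERS:
                reasons.append("anonymous-write")
            if len(arg) > max_name:
                reasons.append("long-name")
            if reasons:
                findings.append((rec.get("c-ip"), users.get(session), len(arg), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_ftp_log(SAMPLE_LOG):
        print(finding)
```

Any "anonymous-write" finding means the server still allows anonymous users to create directories, which is the configuration the mitigations above are meant to close.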

A video demonstrating the exploit is available here.  More details here.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

