September 4th, 2009

Microsoft FTP in IIS vulnerability now under attack

Posted by Ryan Naraine @ 9:49 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Denial of Service (DoS), Exploit code, Hackers, Locally Running Web Servers, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Microsoft Windows Server, Vulnerability, Microsoft Corp., FTP, Microsoft IIS Server, Attack, File Transfer Protocol 7.5, Microsoft Windows, Operating Systems, Servers

Less than a week after the publication of exploit code for a critical vulnerability in the FTP Service in Microsoft Internet Information Services (IIS), attackers are now launching in-the-wild attacks against Windows users.

The attacks, described as “limited,” target businesses running IIS 5.0, 5.1, and 6.0.   Microsoft has updated its security advisory to warn of the new attacks and availability of proof-of-concept code targeting Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

[ SEE: Microsoft confirms IIS zero-day flaw; Exploit code published ]

From the MSRC blog:

Additionally, a new proof of concept published allowing for Denial of Service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service. This does not require Write access.  Also, a new POC allowing DoS was disclosed this afternoon that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008.  Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.

Earlier this week, Microsoft issued an advisory to confirm the severity of this vulnerability, which allows remote code execution on affected systems running the FTP service and connected to the Internet.

[ SEE: Patch Tuesday heads-up: Five 'critical' bulletins on tap ]

The vulnerability, disclosed as zero-day by a hacker named “Kingcope,” is a stack overflow in the FTP service when listing a long, specially-crafted directory name. To be vulnerable, an FTP server would need to grant untrusted users access to log into and create that long, specially-drafted directory. If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs.

Microsoft confirmed the vulnerable code is in IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003).  IIS 7.0 (Windows Vista, Windows Server 2008) is not vulnerable.

In the absence of a patch, Microsoft recommends that administrators prevent untrusted users from having write access to the FTP service. The advisory contains instructions to:

• Turn off the FTP service if you do not need it.
• Prevent creation of new directories using NTFS ACLs.
• Prevent anonymous users from writing via IIS service.

Next Tuesday, Microsoft plans to ship five “critical” bulletins with fixes for code execution holes affecting the Windows operating system.  It is not yet clear if a fix for this FTP in IIS vulnerability will be included in this patch batch.