Vulnerabilities (plural) in MS IIS FTP Service 5.0, 5.1. 6.0, 7.0
Last Updated: 2011-01-24 23:50:32 UTC
by Adrien de Beaupre (Version: 1)
Microsoft has published an advisory on multiple vulnerabilities in the Microsoft FTP services bundled with IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0. At this time arbitrary remote code execution only works against IIS 5.0 running on Windows 2000 fully patched. On more recent versions a DoS condition occurs. If you are still running an Internet accessible FTP service you may want to take this opportunity to rethink running it under IIS. For internal instances I might monitor them very closely. One mitigation is to NOT allow anonymous connections (as indicated in the POC circulating on the Internet). Unless the attacker is able to obtain a valid username for the system and modify the exploit... and then DoS can still occur, but complete compromise of the system will not. The DoS takes out all inetinfo processes, including www. There is currently no patch available for these vulnerabilities. The exploit code is available. Take the appropriate precautions.
If you must allow FTP, disable anonymous access. If you must allow anonymous access, modify the NTFS permissions to disable write access. If you must allow write access, disable creation of directories. You will still be vulnerable to the DoS in any case.
The following CVEs are assigned:
|CVE-2009-3023 (RCE on IIS 5.0 and DoS on IIS 5.1 and IIS 6.0)
CVE-2009-2521 (DoS on IIS 5.0, IIS 5.1, IIS 6.0, and IIS 7.0)
The advisory is here: http://www.microsoft.com/technet/security/advisory/975191.mspx
Adrien de Beaupré