Microsoft confirms IIS zero-day flaw; Exploit code published

Microsoft late Tuesday confirmed the publication of exploit code for a serious code execution vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0.
Written by Ryan Naraine, Contributor

A security advisory from Redmond warned that the vulnerability could allow remote code execution on affected systems running the FTP service and connected to the Internet.

"While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code," a Microsoft spokesman said in an e-mail.

From Microsoft's advisory:

An attacker with write access in the FTP service could use this vulnerability to cause a stack-based overrun and execute arbitrary code in the context of the local system. In configurations of IIS where the anonymous user has write access, the attacker need not be authenticated.

The Microsoft Security Research & Defense blog offers more details:

The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name. To be vulnerable, an FTP server would need to grant untrusted users access to log into and create that long, specially-crafted directory. If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs.

Configurations at risk

The vulnerable code is in IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003). IIS 7.0 (Windows Vista, Windows Server 2008) is not vulnerable. IIS 6 is at reduced risk because it was built with /GS, which helps protect the service from exploits by deliberately terminating itself when the overflow is detected, before the attacker's code runs. We have not seen exploit code for this vulnerability that is able to bypass the /GS protection.

Also, remember that only servers that allow untrusted users to log on and create arbitrary directories are vulnerable.

In the absence of a patch, Microsoft recommends that administrators prevent untrusted users from having write access to the FTP service. The advisory contains instructions to:

  • Turn off the FTP service if you do not need it
  • Prevent creation of new directories using NTFS ACLs
  • Prevent anonymous users from writing via IIS settings
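The mitigations above can be verified from the log side as well. The Python script below is an added example, not code from the article or from Microsoft: it parses an IIS FTP log in W3C extended format and flags any directory successfully created by an anonymous account (meaning untrusted write access is still on) and any directory name long enough to be of interest for the overflow the advisory describes. The log lines are constructed for the example; the cs-method spelling (`[1]created` for a successful MKD), the 255-character threshold and the list of untrusted account names are assumptions, so adjust them to match your own server's logging.

```python
"""Scan an IIS FTP W3C-format log for the precondition in Microsoft's
advisory: an untrusted (anonymous) user successfully creating a directory,
and abnormally long directory names.  Added example; not Microsoft's code."""

import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Sequence, Tuple


@dataclass
class Finding:
    line_no: int
    client_ip: str
    user: str
    path: str
    reason: str


# Assumed IIS 6 FTP log conventions: methods carry a connection-id prefix
# such as "[1]" and a successful MKD is logged as "created".  Extend the set
# if your server logs the raw verb instead.
_CONN_PREFIX = re.compile(r"^\[\d+\]")
_MKDIR_METHODS = {"created", "mkd", "xmkd"}

# NTFS limits a single path component to 255 characters; a longer name is not
# something a legitimate client creates.  The threshold is an assumption.
DEFAULT_MAX_PATH_LEN = 255


def _records(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, field->value) per data line, naming columns from the
    #Fields header.  IIS writes space-separated fields and encodes spaces
    inside URIs, so splitting on whitespace is safe."""
    fields: List[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header missing or malformed record: skip, do not guess
        yield line_no, dict(zip(fields, values))


def scan_ftp_log(text: str,
                 max_path_len: int = DEFAULT_MAX_PATH_LEN,
                 untrusted_users: Sequence[str] = ("anonymous",)) -> List[Finding]:
    """Return one Finding per (record, reason).  A directory created by an
    untrusted account means the 'no anonymous write' mitigation is not in
    effect; an oversized name (even if denied) is the shape of input the
    overflow needs and is worth a look regardless of who sent it."""
    untrusted = {u.lower() for u in untrusted_users}
    findings: List[Finding] = []
    for line_no, rec in _records(text):
        method = _CONN_PREFIX.sub("", rec.get("cs-method", "")).lower()
        if method not in _MKDIR_METHODS:
            continue
        try:
            status = int(rec.get("sc-status", ""))
        except ValueError:
            continue
        path = rec.get("cs-uri-stem", "")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "-")
        created = 200 <= status < 300  # FTP replies 257 "PATHNAME created" on success
        if created and user.lower() in untrusted:
            findings.append(Finding(line_no, ip, user, path, "anonymous write permitted"))
        if len(path) > max_path_len:
            findings.append(Finding(line_no, ip, user, path, "oversized directory name"))
    return findings


# Constructed sample log (not a real capture).  The anonymous session creates
# an oversized directory and then lists its parent, which is the sequence the
# advisory describes; the last line shows a denied attempt after hardening.
LONG_NAME = "/incoming/" + "A" * 300
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status",
    "2009-09-01 10:00:01 203.0.113.5 anonymous [1]USER anonymous 331 0",
    "2009-09-01 10:00:01 203.0.113.5 anonymous [1]PASS - 230 0",
    f"2009-09-01 10:00:02 203.0.113.5 anonymous [1]created {LONG_NAME} 257 0",
    "2009-09-01 10:00:02 203.0.113.5 anonymous [1]sent /incoming 226 0",
    "2009-09-01 10:05:00 198.51.100.7 alice [1]USER alice 331 0",
    "2009-09-01 10:05:03 198.51.100.7 alice [1]created /projects/reports 257 0",
    "2009-09-01 10:09:00 203.0.113.9 anonymous [2]created /incoming/drop 550 5",
])


if __name__ == "__main__":
    for f in scan_ftp_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} by {f.user}@{f.client_ip} ({len(f.path)} chars)")
```

Run against the sample, the script reports two findings, both for the anonymous session from 203.0.113.5: one because an anonymous account was able to create a directory at all, and one because the name it created is far longer than anything NTFS allows in a single component. The authenticated user's normal directory and the denied anonymous attempt produce nothing, which is what a correctly hardened server should look like once the advisory's mitigations are applied.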

A video demonstrating the exploit is available here. More details here.
