Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Microsoft confirms IIS zero-day flaw; Exploit code published

By Ryan Naraine | September 1, 2009, 7:48pm PDT

Summary: Microsoft late Tuesday confirmed the publication of exploit code for a serious code execution vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0.

Microsoft late Tuesday confirmed the publication of exploit code for a serious code execution vulnerability in the File Transfer Protocol (FTP) Service in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0.

A security advisory from Redmond warned that the vulnerability could allow remote code execution on affected systems running the FTP service and connected to the Internet.

“While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code,” a Microsoft spokesman said in an e-mail.

From Microsoft’s advisory:

An attacker with write access in the FTP service could use this vulnerability to cause a stack-based overrun and execute arbitrary code in the context of the local system. In configurations of IIS where the anonymous user has write access, the attacker need not be authenticated.

The Microsoft Security Research & Defense blog offers more details:

The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name. To be vulnerable, an FTP server would need to grant untrusted users access to log into and create that long, specially-crafted directory. If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs.

Configurations at risk

The vulnerable code is in IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003). IIS 7.0 (Windows Vista, Windows Server 2008) is not vulnerable. IIS 6 is at reduced risk because it was built with /GS, which helps protect the service from exploits by deliberately terminating itself when the overflow is detected, before the attacker’s code runs. We have not seen exploit code for this vulnerability that is able to bypass the /GS protection.

Also, remember that only servers that allow untrusted users to log on and create arbitrary directories are vulnerable.

In the absence of a patch, Microsoft recommends that administrators prevent untrusted users from having write access to the FTP service. The advisory contains instructions to:

  • Turn off the FTP service if you do not need it
  • Prevent creation of new directories using NTFS ACLs
  • Prevent anonymous users from writing via IIS settings
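The log-based check below is an added example; it is not code from the ZDNet article, from Microsoft's advisory, or from the Security Research & Defense blog. It turns the two conditions the blog states above (an untrusted user who can log in and create directories, and a long directory name reaching the listing code) and the advisory's mitigation of denying anonymous write into a scan over IIS FTP log lines in W3C extended format, so an administrator can see from existing logs whether the mitigation is actually in place on a server. The field layout in the `#Fields` header, the 200-character threshold, the account names and every log line are assumptions constructed for the example.

```python
"""Detection over IIS FTP logs for the preconditions in the advisory above.

Added example, not part of the ZDNet article or Microsoft's advisory.
Assumed: the FTP service logs in W3C extended format with the fields named
in the #Fields header below. Every log line here is constructed.
"""
import re
from dataclasses import dataclass

# Assumption for this example: names at or beyond this length are flagged.
LONG_NAME_THRESHOLD = 200

# Accounts treated as untrusted/anonymous logins.
ANONYMOUS_USERS = {"anonymous", "ftp"}

# IIS writes cs-method as "[<connection>]<verb>", e.g. "[1]MKD".
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")

# Verbs in which a directory name reaches the server's name handling.
NAME_VERBS = {"MKD", "CWD", "LIST", "NLST"}

# Constructed sample log: one anonymous session that creates directories
# (one of them 300 characters long), one authenticated user, one refused MKD.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status",
    "2009-09-01 00:01:02 203.0.113.7 - [1]USER anonymous 331 0",
    "2009-09-01 00:01:02 203.0.113.7 anonymous [1]PASS - 230 0",
    "2009-09-01 00:01:03 203.0.113.7 anonymous [1]MKD incoming 257 0",
    "2009-09-01 00:01:05 203.0.113.7 anonymous [1]MKD " + "A" * 300 + " 257 0",
    "2009-09-01 00:01:06 203.0.113.7 anonymous [1]NLST " + "A" * 300 + " 226 0",
    "2009-09-01 00:02:00 198.51.100.9 - [2]USER alice 331 0",
    "2009-09-01 00:02:00 198.51.100.9 alice [2]PASS - 230 0",
    "2009-09-01 00:02:01 198.51.100.9 alice [2]MKD reports 257 0",
    "2009-09-01 00:03:00 203.0.113.8 anonymous [3]MKD drop 550 0",
]


@dataclass
class Finding:
    time: str
    client: str
    user: str
    verb: str
    target: str
    status: str
    reasons: list


def scan_ftp_log(lines):
    """Return Findings for anonymous directory creation and over-long names."""
    fields = None
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()            # W3C fields are space-delimited
        if len(parts) != len(fields):
            continue                    # malformed line: skip rather than guess
        rec = dict(zip(fields, parts))
        m = METHOD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        verb = m.group(2).upper()
        user = rec.get("cs-username", "").lower()
        target = rec.get("cs-uri-stem", "")
        status = rec.get("sc-status", "")
        reasons = []
        # Precondition from the advisory: an untrusted user able to create directories.
        if verb == "MKD" and user in ANONYMOUS_USERS and status.startswith("2"):
            reasons.append("anonymous account created a directory (anonymous write is enabled)")
        # Symptom: a directory name far longer than normal use would produce.
        if verb in NAME_VERBS and len(target) >= LONG_NAME_THRESHOLD:
            reasons.append(f"unusually long directory name ({len(target)} chars) in {verb}")
        if reasons:
            findings.append(Finding(rec["time"], rec["c-ip"], user, verb, target, status, reasons))
    return findings


def exposure_summary(findings):
    """Condense findings into the two questions an administrator needs answered."""
    return {
        "anonymous_write_observed": any(
            f.verb == "MKD" and f.user in ANONYMOUS_USERS for f in findings),
        "long_name_events": sum(
            1 for f in findings if any("long directory name" in r for r in f.reasons)),
        "clients": sorted({f.client for f in findings}),
    }


if __name__ == "__main__":
    found = scan_ftp_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.time} {f.client} {f.user} {f.verb} status={f.status}: " + "; ".join(f.reasons))
    print(exposure_summary(found))
```

A successful `MKD` (2xx reply) from the anonymous account is the signal that matters most: it proves the server still grants the write access the advisory says to remove, whatever the directory name looks like. The refused `MKD` with a 550 reply is deliberately not counted, and a long name in an authenticated session is still reported, because the advisory's condition is any untrusted user, not only anonymous ones.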

A video demonstrating the exploit is available here. More details here.



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

16 Comments

RE: Microsoft confirms IIS zero-day flaw; Exploit code published
birumut Updated - 29th Apr 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
0 Votes
+ -
Can I summarize?
NonZealot 1st Sep 2009
First you need to not only install IIS, you
also need to install the FTP functionality in
IIS. Got it.

Also, remember that only servers that allow
untrusted users to log on and create arbitrary
directories are vulnerable.


Then you have to configure your FTP server to
allow anyone to login without entering a
password and then give them write permission.

IIS 6 is at reduced risk because it was
built with /GS which help protect the service
from exploits by deliberately terminating
itself when the overflow is detected before
attacker’s code runs. We have not seen exploit
code for this vulnerability that is able to
bypass the /GS protection.


Got it. So while there is a buffer overflow
flaw in IIS 6, if you ever try to take
advantage of it, FTP restarts itself before
your attack code has a chance to run. And IIS5
was replaced 6 years ago.

While we have seen detailed exploit code
published on the Internet for this
vulnerability, we are not currently aware of
active attacks that use this exploit code


No kidding. And if you do get hit by this, run,
don't walk, to your HR department and have them
fire your entire IT staff.
0 Votes
+ -
Don't be so hasty
Michael Kelly 2nd Sep 2009
It could very well be that the IT staff has been begging for upgrades for years but upper management refused to see its value and would not put it in the budget. That happens far more often than simple IT incompetence.
0 Votes
+ -
not being hasty
diane wilson 2nd Sep 2009
The IT staff may be begging for upgrades, but not configuring FTP with anonymous writes isn't something that requires an upgrade.

One of the downsides of virtualization is that those old servers are no longer constrained by the life of the hardware they started out on. But learning to keep those systems as secure as possible is just good IT practice.

But if wishes were horses, then yes, IIS 7 is a huge improvement, and lots of shops are moving to server 2008, which runs IIS 7.
"In the absence of a patch, Microsoft recommends that administrators prevent untrusted users from having write access to the FTP service."

oh I don't know.... aren't those recommendations common sense of basic security?
0 Votes
+ -
IIS 5.0 is ancient news.
IE9 2nd Sep 2009
Nobody uses that anymore.
IIS 6.0 is still commonly used but rarely with any FTP services open.

All in all it does not appear to be causing many major upsets.
No active attacks? Then there is no risk! Besides, its only older versions of IIS and pretty much everyone has upgraded to IIS 7, not to mention no one uses FTP anymore. This flaw is very minor, if you even want to call it that.
0 Votes
+ -
Microsoft dominates the world.
kevingolde Updated - 2nd Sep 2009
No worries, even though Bill Gates once said he "is really annoyed by the
incredible pain we put everyone through in computing"
0 Votes
+ -
Which is why
Loverock Davidson 2nd Sep 2009
he did the right thing and changed the world of computing for the better, and is trying to help the world with healthcare. That Bill Gates is a visionary.
0 Votes
+ -
which is why
kevingolde 2nd Sep 2009
Bill Gates for President! He will be an improvement and will bring us to
world domination just like his company!
0 Votes
+ -
you first
pgit 2nd Sep 2009
roll up your sleeve and take all the shots Billy will hand you.. but wait... you're already an autistic, mumbling shell...

never mind
0 Votes
+ -
here's a clue
kevingolde Updated - 3rd Sep 2009
don't take it so serious. I was baiting the Loverock shell. I do not run IIS.
I use Apache on linux and MacOSX. I actually read ZDNet for news, and
am sick of the petty pro-MS/anti-Linux and vice versa comments on the
forums.
0 Votes
+ -
Exploit is a minor flaw?
zdnet-registraion 3rd Sep 2009
"An attacker with write access in the FTP service could use this vulnerability to cause a stack-based overrun and execute arbitrary code in the context of the local system.In configurations of IIS where the anonymous user has write access, the attacker need not be authenticated."
====

Minor flaw? God's wounds, what are you talking about? You are the reason people release the exploits they discover.

No one uses FTP? Really? If you don't know anyone that uses FTP, then you really aren't in the computer industry. That statement alone tells me that you are some marketing troll that really doesn't know technology.
0 Votes
+ -
Reality check
honeymonster 3rd Sep 2009
Of course people use FTP. The ultimate consequences of this bug are quite severe (pwnage). But to get there many requirements have to be met:

1) The server has to be a Windows 2000 Server or it has to be a non-updated Windows XP. The later version, IIS6, is also somewhat vulnerable, but not to pwnage; only to denial-of-service (because the anti-exploit mechanisms actually work). IIS7 is not vulnerable at all.

2) FTP has to be installed, enabled and reachable through the firewall.

3) Anonymous access to FTP has to be granted.

4) Rights to create new directories through FTP have to be granted to the anonymous account.

Basically you will have to have allowed the world to create any directory on your server through FTP. If you did that in 2000 and have not upgraded the server since, you may very well be vulnerable.

This bug is most effective in the media. It will stack up to nothing on the Internet because extremely few servers will have all the right parameters set.

0 Votes
+ -
Exploit is irrelevant - old news
gllincoln 3rd Sep 2009
Based on the linked stories to this article, one would think IIS was reeling into total collapse.

For instance the Gartner recommendation that everyone drop IIS (dated 2001). The good part about that article being linked is that it reminds us all how incompetent and unreliable Gartner's published recommendations and opinions have proven to be over the years.

Also reminds folks to not be a headline reader on ZDNET, if you look at the teasers, you would never know that the recommendation linked to the current article is actually 8 years old.

However, in response to the rather harsh criticism of one reader by another?

Yes FTP is still in active use in the corporate world however if the system administrator is at all competent and needs to provide an unauthenticated upload resource, then this whole exploit article and topic is a non-story and a non-issue.

Certain people are haters who channel their angst towards Microsoft - taking them seriously is as flawed a concept, as taking the kool-aid drinking evangelistas seriously.

The Microsoft Server platform is as secure as the administrator configures it to be, with a few true vulnerabilities that do slip through being quickly addressed. One can say the same thing about the Linux server platform and it's equally valid.

What causes me to respond here is that people need to take responsibility for their servers and to make the effort to secure the configurations to the level that the environment requires.

Those who are eager to slam Microsoft (or Linux) because an inexperienced or plain incompetent administrator *can* open the door for exploitation and/or abuse of the system resources, are voices of destruction for the rest of us who want faster/better/more capable/more powerful backend software so we don't have to keep adding more hardware to compensate for the hideous bloatware code it takes to babysit a server who has a moron at the wheel.

Most of the exploits that get publicized are (a) preventable by common-sense security practices (b) a consequence of offering optional ways to allow the intended user more power and more utility in the appropriate circumstances.

In this instance - if you are going to allow anonymous uploads, then it's common sense SA 101 stuff that it is you, the administrator's duty, to ensure that the anonymous user is placed/redirected into a sandbox to play.

If you insist that Microsoft (or the Linux community) protect you from yourself - the sad thing is... if you demand this loud enough, they will do it. The downside is that you can forget about innovation and empowerment. Costs will go up, benefits will go down, and the large majority will pay a large price for a few idiots who should have stuck to delivering pizzas and flipping burgers but their uncle or high school football buddy owns or manages etc. etc.

My plea is that we don't make the speed limit 15 mph on the superhighway because a few people don't know how to steer a vessel; make those with the vessels accept responsibility for the conduct of their designated captains.
0 Votes
+ -
irrelevant yes; flaw yes
zdnet-registraion 3rd Sep 2009
I agree with what you are saying and the irrelevant part. But that doesn't cover the person who said it was a "minor flaw" if at all.

I don't care what platform any FTP server is running on. If you can execute arbitrary commands on it as a privileged user it is broken. That is not a minor flaw. And administrators shouldn't have to carefully configure things for it not to happen. That part of it should be idiot/administrator-proof.

This is not some sort of feature that an administrator accidentally turned on not understanding the consequences. I'm fine not making the speed limit 15 mph because we restrict features to power users to protect the stupid. But this isn't in the same category.

If it isn't a huge story, sure point taken. Let's not apologize for whatever company the flaw is from.
0 Votes
+ -
