Microsoft IIS 5/6 FTP 0Day released

Published: 2009-08-31
Last Updated: 2009-09-02 03:04:22 UTC
by Pedro Bueno (Version: 2)
2 comment(s)

 

We are aware of a new 0-day exploit that was posted on Milw0rm today.

According the exploit, it was suppose to work on both IIS 5.0 and 6.0, on the FTP module.

Also according it, it affects IIS 6.0 with stack cookie protection.

The latest on this is that HDMoore is porting it to the MetaSploit framework.

We will update this diary with more info as we get it.

UPDATE4: Microsoft released its advisory on IIS vulnerability and 0day. Seems that IIS 5.0, 5.1 and 6.0 are affected, running on WIndows 2000, XP and 2003. Read more here:  http://www.microsoft.com/technet/security/advisory/975191.mspx

UPDATE3: SourceFire Blog about it

UPDATE2: US-CERT released an advisory on it: https://www.kb.cert.org/vuls/id/276653

UPDATE: Emerging Threats have released a signature for the milw0rm IIS-FTP
exploit. It's available in the signature tarballs and a history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828

---------------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

2 comment(s)

Comments

it requires an account or anon to be enabled on the target, which somewhat limits the scope of this otherwise damaging bug.
MS released Security Advisory 975191 on the issue:
http://www.microsoft.com/technet/security/advisory/975191.mspx
See also http://blogs.technet.com/msrc/archive/2009/09/01/microsoft-security-advisory-975191-released.aspx and http://blogs.technet.com/srd/archive/2009/09/01/new-vulnerability-in-iis5-and-iis6.aspx for additional informations from MS.

Diary Archives