SANS ISC: Vulnerabilities (plural) in MS IIS FTP Service 5.0, 5.1, 6.0, 7.0 - SANS Internet Storm Center

Microsoft has published an advisory on multiple vulnerabilities in the Microsoft FTP service bundled with IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0. At this time arbitrary remote code execution only works against IIS 5.0 running on a fully patched Windows 2000; on more recent versions the result is a DoS condition. If you are still running an Internet-accessible FTP service, you may want to take this opportunity to rethink running it under IIS. For internal instances I might monitor them very closely. One mitigation is to NOT allow anonymous connections (as used in the POC circulating on the Internet); then, unless the attacker is able to obtain a valid username for the system and modify the exploit, complete compromise of the system will not occur, although the DoS still can. The DoS takes out all inetinfo processes, including www. There is currently no patch available for these vulnerabilities. The exploit code is available. Take the appropriate precautions.

If you must allow FTP, disable anonymous access. If you must allow anonymous access, modify the NTFS permissions to disable write access. If you must allow write access, disable creation of directories. You will still be vulnerable to the DoS in any case.
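The three checks above, as an added audit script that is not part of the diary or of Microsoft's tooling: it reads the IIS 5.x/6.0 metabase through the ADSI provider (site id 1 and the property names AllowAnonymous, AccessWrite, AnonymousUserName and Path are assumed) and then inspects the NTFS ACL of the FTP root for broadly granted write or directory-creation rights.

```powershell
# Added example (not from the ISC diary): audit an IIS 6 FTP site for the
# settings the diary asks you to lock down. Assumes the IIS ADSI provider
# (IIS 5.x/6.0 metabase) and the default FTP site id 1.
function Test-FtpSiteHardening {
    param([string]$SiteId = '1', [string]$Server = 'localhost')

    $site = [ADSI]"IIS://$Server/MSFTPSVC/$SiteId"
    $root = [ADSI]"IIS://$Server/MSFTPSVC/$SiteId/ROOT"
    $findings = @()

    # 1. Anonymous access: the circulating POC relies on it.
    if ([bool]$site.AllowAnonymous) {
        $findings += 'AllowAnonymous is enabled; unauthenticated clients reach the vulnerable service'
    }

    # 2. Write access on the FTP root: metabase flag first, then the NTFS ACL.
    if ([bool]$root.AccessWrite) {
        $findings += 'AccessWrite is set on the FTP root virtual directory'
    }
    $anonUser = [string]$site.AnonymousUserName
    $rootPath = [string]$root.Path
    $acl = Get-Acl -Path $rootPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # Only broad principals or the anonymous FTP account are interesting here.
        $broad = ($id -match 'Everyone|\\Users$|ANONYMOUS LOGON') -or
                 ($anonUser -and $id -like "*$anonUser")
        if (-not $broad) { continue }
        # 3. Directory creation: CreateDirectories shares its bit with AppendData.
        $rights = $ace.FileSystemRights
        if ($rights -band [System.Security.AccessControl.FileSystemRights]::CreateDirectories) {
            $findings += "$id may create directories under $rootPath"
        } elseif ($rights -band [System.Security.AccessControl.FileSystemRights]::Write) {
            $findings += "$id has write access under $rootPath"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'FTP site meets the hardening steps; the DoS remains possible until a patch ships.'
    } else {
        $findings | ForEach-Object { Write-Output "FINDING: $_" }
    }
    return $findings
}

Test-FtpSiteHardening
```

Run it from an elevated prompt on the IIS host itself; a non-empty result means at least one of the diary's three mitigations is still missing.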

The following CVEs are assigned:

CVE-2009-3023 (RCE on IIS 5.0 and DoS on IIS 5.1 and IIS 6.0)
CVE-2009-2521 (DoS on IIS 5.0, IIS 5.1, IIS 6.0, and IIS 7.0)

The advisory is here:

Adrien de Beaupré Inc.

Adrien de Beaupre

ISC Handler
Jan 24th 2011
