Recent figures put Microsoft IIS as the second most popular web server on the internet, second only to the Apache HTTP Server. It is therefore of no surprise that following the Apache site breach on 28th September ’09, it was now the turn of Microsoft’s IIS to be in the news.
On Tuesday 1st September 2009, Microsoft issued a security advisory for a serious code execution vulnerability within the File Transfer Protocol (FTP) service of IIS 5.0, 5.1 and 6.0. This advisory warned that a stack overflow vulnerability in the FTP service enables attackers to remotely execute malicious code on internet connected systems running the FTP service.
In practice, an attacker requires write access to the FTP service to cause a stack-based overrun, and to deliver a payload. Obviously, IIS setups that grant write access privileges to anonymous users are mostly at risk… with attackers not requiring authentication, no cracking of passwords is required… making the process as plain sailing and as easy as ABC!!
Needless to say, authorized users can also trigger the stack-based buffer overflow and attack a system using the same technique.
It transpires that the stack overflow is caused by creating a (long) specially-crafted directory name. This enables the execution of arbitrary code in the context of LocalSystem, the service under which the FTP service runs. Despite the fact that no active attacks seem to have been reported at time of writing, all code and instructions on how to run this exploit are freely available over the web. This exponentially increases the risk of an exploit occurring as more and more users gain insight on the nitty-gritty of this exploit technique!
Configurations at risk are the following:
|IIS Version||Platform||Risk Level|
|5.1||Windows 2000, Windows XP||High|
|6.0||Windows 2000, Windows Server 2003||Reduced risk in view of built-in /GS protection that automatically terminates IIS when some overflows are detected|
Windows Vista, Windows Server 2008 running IIS 7.0 are not affected by this issue.
Until a fully-tested security fix is released, it is recommended that IT Pros:
- Disable anonymous write privileges on FTP servers. It is also recommended that the FTP service is turned off when not in use
- Use NTFS Associating Access Control Lists (ACL) to block the unauthorized creation of new directories
For more information on this exploit visit:
- Microsoft’s Security Research and Defense blog post
- US-CERT suggested administrators disable anonymous write access