Recent figures put Microsoft IIS as the second most popular web server on the internet, second only to the Apache HTTP Server. It is therefore no surprise that, following the Apache site breach on 28th September ’09, it was Microsoft’s IIS turn to be in the news.

On Tuesday 1st September 2009, Microsoft issued a security advisory for a serious code execution vulnerability within the File Transfer Protocol (FTP) service of IIS 5.0, 5.1 and 6.0. This advisory warned that a stack overflow vulnerability in the FTP service enables attackers to remotely execute malicious code on internet connected systems running the FTP service.

In practice, an attacker requires write access to the FTP service to cause the stack-based overrun and deliver a payload. IIS setups that grant write access to anonymous users are therefore the ones most at risk: with no authentication required, an attacker does not need to crack any passwords first, which makes the whole process plain sailing.

Needless to say, authorized users can also trigger the stack-based buffer overflow and attack a system using the same technique.

It transpires that the stack overflow is caused by creating a (long) specially-crafted directory name. This enables the execution of arbitrary code in the context of LocalSystem, the account under which the FTP service runs. Although no active attacks seem to have been reported at the time of writing, code and instructions on how to run this exploit are freely available on the web. This greatly increases the risk of an exploit occurring as more and more people gain insight into the nitty-gritty of the technique.

Configurations at risk are the following:

| IIS Version | Platform | Risk Level |
|---|---|---|
| 5.0 | Windows 2000 | High |
| 5.1 | Windows 2000, Windows XP | High |
| 6.0 | Windows 2000, Windows Server 2003 | Reduced risk in view of built-in /GS protection, which automatically terminates IIS when some overflows are detected |

Windows Vista, Windows Server 2008 running IIS 7.0 are not affected by this issue.

Until a fully-tested security fix is released, it is recommended that IT Pros:

  • Disable anonymous write privileges on FTP servers. It is also recommended that the FTP service is turned off when not in use.
  • Use NTFS Access Control Lists (ACLs) to block the unauthorized creation of new directories.
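Since the trigger described above is a directory-creation request carrying an unusually long name, and the post singles out anonymous write access as the main risk, an administrator who cannot patch yet will also want to know whether such requests are hitting the server. The following script is an added example written for this post (it is not GFI's code and not part of the original article): it parses IIS FTP logs in W3C extended format and flags MKD/XMKD requests whose directory name exceeds a length threshold, marking those made from anonymous sessions. The field layout in the `#Fields:` header, the `[session-id]VERB` shape of the method column, the sample log lines and the threshold of 200 characters are all assumptions constructed for the example; adjust them to match your own log files.

```python
"""Flag long directory-creation attempts in IIS FTP W3C extended log lines.

Added example: scans for MKD/XMKD requests with an unusually long
directory name, the pattern behind the IIS FTP stack overflow, and
notes whether the request came from an anonymous session.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed threshold: legitimate directory names are rarely this long.
LONG_NAME_THRESHOLD = 200

# Usernames that IIS typically records for anonymous FTP logons (assumption).
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample log in W3C extended format; the #Fields layout is assumed.
_LONG_NAME = "A" * 300
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-09-02 10:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-09-02 10:00:01 203.0.113.5 - [1]USER anonymous 331 0
2009-09-02 10:00:01 203.0.113.5 anonymous [1]PASS - 230 0
2009-09-02 10:00:02 203.0.113.5 anonymous [1]MKD reports 257 0
2009-09-02 10:00:03 203.0.113.5 anonymous [1]MKD {_LONG_NAME} 550 0
2009-09-02 10:05:00 198.51.100.7 bob [2]MKD quarterly_2009 257 0
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    user: str
    name_length: int
    anonymous: bool


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; other directives are skipped.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # records before any #Fields header cannot be interpreted
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, parts))


def find_long_mkd(text: str, threshold: int = LONG_NAME_THRESHOLD) -> List[Finding]:
    """Return directory-creation requests whose name is at least `threshold` long."""
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        # IIS prefixes the FTP verb with a session id such as "[1]MKD"; strip it.
        verb = re.sub(r"^\[\d+\]", "", rec.get("cs-method", "")).upper()
        if verb not in ("MKD", "XMKD"):
            continue
        name = rec.get("cs-uri-stem", "")
        if len(name) < threshold:
            continue
        user = rec.get("cs-username", "-")
        findings.append(Finding(
            time=f"{rec.get('date', '?')} {rec.get('time', '?')}",
            client_ip=rec.get("c-ip", "?"),
            user=user,
            name_length=len(name),
            anonymous=user.lower() in ANON_USERS,
        ))
    return findings


if __name__ == "__main__":
    for f in find_long_mkd(SAMPLE_LOG):
        who = "ANONYMOUS" if f.anonymous else f"user {f.user}"
        print(f"{f.time} {f.client_ip}: MKD with {f.name_length}-char name from {who}")
```

Run it against a real log by reading the file into `find_long_mkd` instead of `SAMPLE_LOG`. A hit from an anonymous session is the strongest signal that the server still grants anonymous write access and should be reconfigured as recommended above; a hit from a named account is worth following up with that user, since authorized users can trigger the same overflow.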

For more information on this exploit visit:
