Overview
The Microsoft IIS FTP Service contains a vulnerability that allows remote attackers to log in using domain accounts without providing a specific domain name.
Description
The Microsoft IIS FTP Service allows users to establish connections using either local accounts or Windows domain accounts. Connections made using a domain account require a username of the form "domain\user" to distinguish them from local accounts. The FTP Service contains an access control vulnerability that causes the server to search all trusted domains for a matching domain account when the "domain" portion of the username contains a certain wildcard value. Once a matching domain account is found, the user must provide a correct password to gain access. Because this vulnerability requires the attacker to provide a correct password, the most likely accounts to be targeted are those that have a well-known username and default password. For example, if any of the domains trusted by the server contain an enabled Guest account with a default (null) password, the FTP Service will use that account to log the user in as "Domain\Guest".
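The following log review is an added example, not part of the original advisory or of Microsoft's guidance. It flags FTP logins whose "domain" portion is not one the administrator expects and reports whether the password that followed was accepted. The log layout, the sample lines, the domain names and the function name are all constructed assumptions.

```python
import re

# Assumption: W3C extended FTP log with a "#Fields:" header, where cs-method
# looks like "[12]USER" and cs-uri-stem carries the submitted username.
# The sample lines and the domain names in them are constructed.
SAMPLE_LOG = r"""#Fields: time c-ip cs-method cs-uri-stem sc-status
10:01:02 192.0.2.10 [1]USER CORP\alice 331
10:01:03 192.0.2.10 [1]PASS - 230
10:02:10 192.0.2.77 [2]USER OTHERDOM\guest 331
10:02:11 192.0.2.77 [2]PASS - 230
10:03:00 192.0.2.78 [3]USER OTHERDOM\admin 331
10:03:01 192.0.2.78 [3]PASS - 530
10:04:00 192.0.2.10 [4]USER localsvc 331
10:04:01 192.0.2.10 [4]PASS - 230
"""

METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # "[session]VERB"

def find_unexpected_domain_logins(log_text, expected_domains):
    """Report USER commands whose domain part is not in expected_domains,
    and whether the PASS that followed in the same session returned 230."""
    expected = {d.lower() for d in expected_domains}
    fields, pending, findings = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        # Skip directives, blanks and rows that do not match the header.
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        m = METHOD_RE.match(row.get("cs-method", ""))
        if not m:
            continue
        key = (row.get("c-ip"), m.group(1))   # one FTP session per client
        verb, name = m.group(2).upper(), row.get("cs-uri-stem", "")
        if verb == "USER":
            pending.pop(key, None)            # a new USER restarts the login
            domain, sep, _ = name.partition("\\")
            if sep and domain.lower() not in expected:
                pending[key] = {"client": key[0], "username": name,
                                "logged_in": False}
                findings.append(pending[key])
        elif verb == "PASS" and key in pending:
            # FTP reply 230 means the password was accepted.
            pending.pop(key)["logged_in"] = row.get("sc-status") == "230"
    return findings
```

An entry with `logged_in` set to true for a domain outside the expected list is the case described above and should be checked against the accounts in each trusted domain.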
Impact
This vulnerability allows remote users to log in using a domain account without fully specifying the domain. This may result in either unauthorized file transfer access or information leakage.
Solution
Apply a patch from your vendor
Disable IIS FTP Service
Acknowledgements
This document was written by Jeffrey P. Lanza and is based on information from Microsoft.
Other Information
CVE IDs: CVE-2001-0335
Severity Metric: 10.13
Date Public: 2001-05-14
Date First Published: 2001-09-18
Date Last Updated: 2001-09-18 23:26 UTC
Document Revision: 12