Overview
The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
Description
IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker. |
Impact
A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated. |
Solution
We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include: |
Disable anonymous FTP write access Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
| Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
| Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |
References
Acknowledgements
This vulnerability was publicly disclosed by Kingcope.
This document was written by Will Dormann.
Other Information
| CVE IDs: | None |
| Severity Metric: | 20.81 |
| Date Public: | 2009-08-31 |
| Date First Published: | 2009-08-31 |
| Date Last Updated: | 2009-09-02 12:47 UTC |
| Document Revision: | 24 |