Posted by Trancer on Aug 31 2009

Kingcope has done it again, fully disclosing a serious 0day vulnerability in a high-profile Microsoft product: a remotely exploitable stack-based buffer overflow in the Microsoft IIS FTP server.
Vulnerable versions are Microsoft IIS 5.0 (Windows 2000) and IIS 6.0 (Windows 2003), but because IIS 6.0 is built with stack cookie protection (/GS), on IIS 6.0 this vulnerability is not exploitable for code execution, only for denial of service.
The original advisory by Kingcope can be found on Full-Disclosure, and the exploit is also available on milw0rm and exploit-database #9541.

Mati Aharoni (muts) posted an improved version of the exploit on the BackTrack blog. His exploit stores the payload in the password value, which leaves room for a larger payload: Microsoft IIS FTP 5.0 Remote SYSTEM Exploit.

Also, Xavier Mertens posted an Nmap script to scan for potentially vulnerable hosts. The script checks whether the remote host runs Microsoft ftpd, whether anonymous login is allowed, and whether the MKD (MKDIR) command is permitted, i.e. whether the anonymous user can create directories; all three are required for exploitation, since the exploit must first create a directory with an overlong name before the listing triggers the overflow: Detecting Vulnerable IIS-FTP Hosts Using Nmap.
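As an added example (not the page's own code and not Mertens' Nmap script), here is the same three-part precondition check in Python using the standard ftplib. The banner substring "Microsoft FTP Service", the use of reply codes 230 (login accepted) and 257 (directory created) as the success signals, and the throw-away probe directory name are my assumptions; the decision logic is kept separate from the network code so it can be exercised offline on constructed reply lines.

```python
# Added example: precondition probe for the IIS FTP NLST overflow.
# Not the original post's code and not the Nmap script it links to.
# Assumptions (mine): the banner substring, the reply codes used as
# success signals, and the probe directory name. Only run probe()
# against hosts you are authorised to test; it creates a directory.
import ftplib
import re

MS_FTPD_BANNER = re.compile(r"Microsoft FTP Service", re.IGNORECASE)


def classify(banner, login_reply, mkd_reply):
    """Decision logic over three raw server reply lines.

    Pure function (no I/O) so it can be tested offline on constructed
    replies; probe() below feeds it real ones.
    """
    is_ms = bool(MS_FTPD_BANNER.search(banner))
    anon_ok = login_reply.startswith("230")   # 230 = user logged in
    mkd_ok = mkd_reply.startswith("257")      # 257 = pathname created
    return {
        "microsoft_ftpd": is_ms,
        "anonymous_login": anon_ok,
        "mkd_allowed": mkd_ok,
        # All three are needed: the exploit has to create a directory
        # with an overlong name before NLST can trip the overflow.
        "meets_preconditions": is_ms and anon_ok and mkd_ok,
    }


def probe(host, port=21, timeout=10, probe_dir="msftpd-probe-tmp"):
    """Live check against one host; removes the probe directory it makes."""
    ftp = ftplib.FTP()
    banner = ftp.connect(host, port, timeout)      # returns the 220 welcome
    try:
        try:
            login_reply = ftp.login("anonymous", "probe@example.com")
        except ftplib.error_perm as exc:
            login_reply = str(exc)                 # e.g. "530 User cannot log in."
        mkd_reply = "000 not attempted"
        if login_reply.startswith("230"):
            try:
                mkd_reply = ftp.sendcmd("MKD " + probe_dir)
            except ftplib.error_perm as exc:
                mkd_reply = str(exc)               # e.g. "550 Access is denied."
            if mkd_reply.startswith("257"):
                try:
                    ftp.sendcmd("RMD " + probe_dir)  # clean up after ourselves
                except ftplib.error_perm:
                    pass
    finally:
        try:
            ftp.quit()
        except (ftplib.Error, OSError):
            ftp.close()
    return classify(banner, login_reply, mkd_reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A host that passes all three checks merely matches the exploit's requirements; it is still only a candidate until the IIS version is confirmed, and on IIS 6.0 the outcome of a successful trigger is a crash rather than code execution.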

I’ll keep this post up to date with interesting resources and further details about this vulnerability.

Updates:

>> HD Moore added coverage for this vulnerability to the Metasploit SVN tree: microsoft_ftpd_nlst.rb.

>> Kingcope also posted a denial-of-service (stack exhaustion) exploit that affects the IIS 5.0, 5.1 and 6.0 FTP servers, on milw0rm and exploit-database #9587.

>> Thierry Zoller wrote an overview of the vulnerability on G-SEC blog – IIS 5 & IIS 6 FTP vulnerability – information and tools.

>> Microsoft issued Security Advisory 975191 for this vulnerability and posted an informative write-up on the SRD blog: New vulnerability in IIS5 and IIS6.

>> Microsoft patched this vulnerability in MS09-053.

Categories: Vulnerabilities

One Response to “Microsoft IIS 5.0/6.0 FTP Remote Stack-based Buffer Overflow”
