search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow

Vulnerability Note VU#276653

Original Release Date: 2009-08-31 | Last Revised: 2009-09-02


The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.


IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker.


A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.


We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include:

Disable anonymous FTP write access

Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability.

Vendor Information


Microsoft Corporation Affected

Updated:  September 02, 2009



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please consider the workarounds listed in Microsoft Security Advisory (975191).

Vendor References


Please disable anonymous FTP write access to help mitigate this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)
Environmental 0 CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)



This vulnerability was publicly disclosed by Kingcope.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Severity Metric: 20.81
Date Public: 2009-08-31
Date First Published: 2009-08-31
Date Last Updated: 2009-09-02 12:47 UTC
Document Revision: 24

Sponsored by CISA.