Vulnerability Note VU#276653

Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow

Original Release date: 31 Aug 2009 | Last revised: 02 Sep 2009


The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.


IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker.


A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.


We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include:

Disable anonymous FTP write access

Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-02 Sep 2009
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was publicly disclosed by Kingcope.

This document was written by Will Dormann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 31 Aug 2009
  • Date First Published: 31 Aug 2009
  • Date Last Updated: 02 Sep 2009
  • Severity Metric: 20.81
  • Document Revision: 23


If you have feedback, comments, or additional information about this vulnerability, please send us email.