The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker.
A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.
We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include:
Disable anonymous FTP write access
Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability.
|Temporal||0||E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)|
|Environmental||0||CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)|
This vulnerability was publicly disclosed by Kingcope.
This document was written by Will Dormann.
|Date First Published:||2009-08-31|
|Date Last Updated:||2009-09-02 12:47 UTC|