CERT Coordination Center


Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow

Vulnerability Note VU#276653

Original Release Date: 2009-08-31 | Last Revised: 2009-09-02

Overview

The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially named directory if FTP is configured to allow write access using the Anonymous account or another account that is available to the attacker.

Impact

A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.

Solution

We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include:

Disable anonymous FTP write access

Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability.
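
One way for an administrator to confirm that the workaround is in effect on their own FTP servers is to test whether an anonymous session can still create a directory. The script below is an added example, not part of the original note or of Microsoft's advisory; the function name, the probe directory naming and the ftp_factory parameter are assumptions made for illustration.

```python
import ftplib
import sys
import uuid


def audit_ftp_write(host, port=21, user="anonymous", password="audit@example.invalid",
                    timeout=10, ftp_factory=ftplib.FTP):
    """Report whether `user` can log in and create a directory in the FTP root.

    Only the login directory is probed; writable subdirectories are not covered.
    ftp_factory is a hypothetical hook so the check can be exercised offline.
    """
    result = {"login": False, "mkdir": False, "cleanup": None}
    ftp = ftp_factory()
    ftp.connect(host, port, timeout)
    try:
        try:
            ftp.login(user, password)
        except ftplib.error_perm:
            return result                      # login refused: no write path for this account
        result["login"] = True
        probe = "audit-" + uuid.uuid4().hex[:12]   # short, harmless, unique name
        try:
            ftp.mkd(probe)
        except ftplib.error_perm:
            return result                      # read-only: workaround is in effect
        result["mkdir"] = True                 # write access is still enabled
        try:
            ftp.rmd(probe)
            result["cleanup"] = True
        except ftplib.all_errors:
            result["cleanup"] = False          # remove the probe directory by hand
        return result
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


if __name__ == "__main__":
    report = audit_ftp_write(sys.argv[1])
    print(report)
    sys.exit(1 if report["mkdir"] else 0)
```

Run from the command line with the server's host name as the only argument; a non-zero exit status means the account could still create a directory.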

Vendor Information

Microsoft Corporation

Updated:  September 02, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please consider the workarounds listed in Microsoft Security Advisory (975191).

Vendor References

http://www.microsoft.com/technet/security/advisory/975191.mspx

Addendum

Please disable anonymous FTP write access to help mitigate this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was publicly disclosed by Kingcope.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Severity Metric: 20.81
Date Public: 2009-08-31
Date First Published: 2009-08-31
Date Last Updated: 2009-09-02 12:47 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.