The Tech Herald

Microsoft confirms IIS attacks - acknowledges new vulnerability disclosure

by Steve Ragan - Sep 4 2009, 11:30

There is new information from Microsoft this morning, concerning the IIS vulnerability disclosed on Tuesday. Microsoft has confirmed that they have seen limited attacks using the previously published exploit code, and that a newly published proof of concept widens the scope of the attack to include Denial of Service on IIS 7.0.

“Today we updated Security Advisory 975191 as we are now seeing limited attacks. Additionally, a new proof of concept published allowing for Denial of Service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service,” wrote Microsoft’s Alan Wallace on the MSRC Blog.

Earlier this week, Microsoft alerted the public and issued Security Advisory 975191, after proof of concept code was published online that proved IIS versions 5, 5.1, and 6.0 vulnerable to remote code execution or DoS conditions.

“Basically, it exploits a vulnerability where the server doesn't correctly parse directory names. The attack makes use of the FTP NLST command which will cause a stack overflow to occur when the name of the directory contains certain characters,” wrote Nigel Houghton, as he described the original IIS disclosure on the SourceFire Blog.

“The exploit itself uses the directory name w00t$port but this should not be relied upon for detection purposes, also the shellcode should not be used for detection either.”

The updated advisory adds IIS 7.0 to the vulnerable list, as well as the previously mentioned Windows XP and Server 2003. Windows Vista and Server 2008 are not vulnerable if they are using IIS 7, or 7.5 with FTP version 7.5. While the advisory has some mitigations and workarounds, Microsoft pointed out that they do not completely mitigate the threat of DoS.

Microsoft has said that they are currently working to develop an update to address the IIS vulnerabilities. At the same time, no mention was made of IIS in the Patch Tuesday advance notification yesterday.

Microsoft has said that on September 8 there will be five updates, all of them critical and all of them aimed at the Windows OS itself.

The updated Security Advisory is here.

The vulnerability disclosures are listed below.

IIS 5.0 FTP Server / Remote SYSTEM exploit
IIS 5.0 FTPd / Remote r00t exploit
IIS 5.0 FTP Server / Remote SYSTEM exploit
IIS 5.0/6.0 FTP SERVER DENIAL OF SERVICE ("Stack Exhaustion")

The Tech Herald: Microsoft investigating IIS vulnerability

The Tech Herald: Microsoft to offer five critical patches on Tuesday

 
