The Tech Herald

Microsoft investigating IIS vulnerability

by Steve Ragan - Sep 2 2009, 16:30

On Tuesday, Microsoft said they are continuing to examine the vulnerability in IIS disclosed on Monday, after proof-of-concept code was published online. To address the public disclosure and to keep customers informed, Microsoft published Security Advisory 975191, including mitigating factors and some workarounds.

“While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code,” a Microsoft spokesperson said.

“Upon learning of the vulnerability, Microsoft activated its Software Security Incident Response Process (SSIRP) and continues to investigate the issue. Microsoft is currently working to develop a security update for this issue to address this vulnerability and will release it once it has reached an appropriate level of quality for broad distribution.”

The vulnerability centers on IIS (Internet Information Services) versions 5, 5.1, and 6.0. Specifically, the vulnerable part of IIS is the FTP service. If exploited, the flaw could allow remote code execution on affected systems running the FTP service and connected to the Internet. Extended support for IIS 5.0 ends on July 13, 2010.

“Basically, it exploits a vulnerability where the server doesn't correctly parse directory names. The attack makes use of the FTP NLST command, which will cause a stack overflow to occur when the name of the directory contains certain characters. The exploit itself uses the directory name w00t$port, but this should not be relied upon for detection purposes; the shellcode should not be used for detection either,” wrote Nigel Houghton on the SourceFire Blog.

For a quick fix, the SourceFire Blog recommends some Snort rules that will catch the attack.
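Houghton's point above is that a detection keyed on the published exploit's directory name or its shellcode is brittle. The following Python script is an added example, not code from the article, SourceFire or Microsoft, and it is not a translation of the Snort rules the SourceFire Blog published: it scans FTP control-channel command lines (for instance reconstructed from a packet capture or a proxy log) and flags NLST arguments that are unusually long or contain bytes outside printable ASCII. It also watches MKD, on the assumption that Microsoft's workaround of denying directory creation means creating a directory is part of the attack path; the length threshold and the sample session are constructed for illustration.

```python
"""Heuristic detector for anomalous FTP NLST/MKD commands on the control channel.

Added example, not from the article or the vendors it quotes. It deliberately
does not match on the exploit's directory name or on shellcode; instead it
looks at the structure of the argument (length and byte range).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Threshold is an illustrative assumption, not a value taken from the advisory.
MAX_ARG_LEN = 200

# Commands worth watching: NLST (named in the article) and MKD (assumed, since
# Microsoft's workaround of denying directory creation implies that creating a
# directory is part of the attack path).
WATCHED = re.compile(rb"^(?P<verb>NLST|MKD)(?:[ \t]+(?P<arg>.*))?$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 1-based index of the command line in the session
    verb: str      # FTP command that triggered the finding
    arg_len: int   # length of the argument in bytes
    reason: str    # why the line was flagged


def analyze(line: bytes, line_no: int = 0) -> Optional[Finding]:
    """Return a Finding if this FTP command line looks anomalous, else None."""
    line = line.rstrip(b"\r\n")
    m = WATCHED.match(line)
    if m is None:
        return None                      # not a command we watch
    verb = m.group("verb").decode("ascii").upper()
    arg = m.group("arg") or b""
    if len(arg) > MAX_ARG_LEN:
        return Finding(line_no, verb, len(arg),
                       f"argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    if not all(0x20 <= b < 0x7F for b in arg):
        return Finding(line_no, verb, len(arg),
                       "argument contains bytes outside printable ASCII")
    return None


def scan(lines: List[bytes]) -> List[Finding]:
    """Scan a sequence of control-channel command lines and collect findings."""
    findings = []
    for n, line in enumerate(lines, start=1):
        f = analyze(line, n)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample session: ordinary commands plus two anomalous ones.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",                              # 1
    b"PASS guest@example.invalid\r\n",                  # 2
    b"CWD pub\r\n",                                     # 3
    b"NLST\r\n",                                        # 4  plain listing, fine
    b"NLST *.txt\r\n",                                  # 5  wildcard, fine
    b"MKD uploads\r\n",                                 # 6  ordinary mkdir
    b"NLST " + b"A" * 300 + b"\r\n",                    # 7  oversized argument
    b"MKD " + bytes(range(0x80, 0x90)) + b"\r\n",       # 8  non-printable bytes
    b"QUIT\r\n",                                        # 9
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.verb} ({f.arg_len} bytes): {f.reason}")
```

Run against a real capture, the same two checks would be applied to each reassembled command line of the control channel; a match is a reason to look at the session, not proof of exploitation, which is why the script reports the line and the reason rather than making a decision.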

Microsoft recommends that administrators modify the NTFS file system to disallow directory creation by FTP users, as well as blocking write access to anonymous users. If it isn’t needed, one could also just disable the FTP service.

The FTP service is not installed by default on all supported editions of Windows XP or Windows Server 2003. However, Microsoft said, the FTP service is installed by default on all supported editions of Microsoft Windows 2000 and all supported editions of Windows Small Business Server 2003.

“IIS 6.0 is at reduced risk because it was compiled using the /GS compiler option. This does not remove the vulnerability but does make exploitation of the vulnerability more difficult,” Microsoft’s advisory notes add.

You can read Microsoft’s Security Advisory 975191 here.
