Quicklinks: Home | Contact |

Subscribe to our RSS feed for regular updates

Renowed security researcher "Kingcope" published a recent zero day vulnerability (i.e no patch and unkown at the time of publication) affecting Microsoft IIS 5 and IIS 6. Functional exploit code exists for IIS 5 / 5.1 no functional code execution exploit code is known to exist for IIS 6.

Update: Kingcope released another exploit against IIS5/IIS6/IIS7 that performs a Denial of Service attack against IIS5/IIS6/IIS7 using unsecure globbing mechanism. This attacks works with standard user accounts (doesn't required write access). The second exploit is tracked under CVE-2009-2521

Updates :
  • Kingcope publishes a new attack against IIS5/IIS6/IIS7 - Denial of service only - CVE-2009-2521
  • Microsoft published KB975191 with more information
  • VDB IDS are : CVE-2009-3023 , VU#276653
  • To perform a DoS attack write access is not required - this is also the case for IIS6
  • Summary: Code execution possible on IIS5/5.1 if write access granted, DoS is possible on both IIS5 and IIS6. Note - there is a improbable condition that may allow code execution on IIS5/5.1 even if write access is not granted, the condition is that a directory is present that has certain characters in it. It's improbable but possible. Thanks to Guido Landi for the insight.
Fast facts IIS5/6 Code execution (CVE-2009-3023:
  • Affects IIS5 /5.1 and IIS6 - currently only a functional code execution exploit for IIS 5/Win2k exists, DoS attacks is possible against all versions.
  • The attacker must use an FTP account that is allowed to create directories (anon or known user) for the exploit to work
  • The FTP service is not enabled by default
  • Anonymous access is not enabled by default
Current vulnerability requirements (code execution):
  • IIS 5 (5.1) or IIS 6 installed and
  • FTP service enabled and
  • Code exec only requirement : NTFS write permissions given to anonymous or known users
    (IIS5 and IIS6 run on Windows XP, Windows 2000, Windows 2003)
    Current mitigations :
    • Disable FTP service on IIS5 and IIS6 if not required or
    • If FTP is required, disable create directory permissions (see KB975191) or disable write access all together (pic) Note: this will not protect against Denial of Service attacks



      1.
      Browse to the root directory of your FTP site. By default this is in %systemroot%\inetpub\ftproot.
      2.
      Right-click on the directory and select Properties.
      3.
      Click the Security tab and click Advanced.
      4.
      Click Change Permissions.
      5.
      Select the Users group and click Edit.
      6.
      Deselect Create Folders/Append Data.
    Comments :
    • Successfull  code execution might be possible without the need to be able to create directories (more research required). Note: For a successful  Denial of Service attack the creation of a directory is not required.

    • The reason there is no functional exploit against IIS6 (Windows 2003) is that the exploit mitigations that ship with Windows2003 make it harder to reliably exploit (if at all)

    • It's possible that the vulnerable part of the IIS code can be reached by other means, if other methods are known we will update this blog.
    Tools :
    • Nmap script to scan network for IIS FTP with write permissions (Credit: Xavier Mertens)
    • OpenVas is able to scan for this flaw
    Links :
    Posted by Thierry Zoller, Luxembourg

    2 comments:

    At 04 September, 2009 05:03 Anonymous said...

    Is this just a re-occurence of a bug reported for IIS3 + IIS4 back in 1999. Go look at MS99-003 at http://www.microsoft.com/technet/security/bulletin/MS99-003.mspx

    ..Petar

     
    At 09 September, 2009 00:44 Anonymous said...

    You can workaround it using WinFail2Ban, it allow to detect brute force attack to obtain valid credentials and then make a succesfull attack using latest vulnerability.

    It's FREE and OPENSOURCE http://winfail2ban.sourceforge.net/

     

    Post a Comment