Quicklinks: Home | Contact |

Subscribe to our RSS feed for regular updates

Renowed security researcher "Kingcope" published a recent zero day vulnerability (i.e no patch and unkown at the time of publication) affecting Microsoft IIS 5 and IIS 6. Functional exploit code exists for IIS 5 / 5.1 no functional code execution exploit code is known to exist for IIS 6.

Update: Kingcope released another exploit against IIS5/IIS6/IIS7 that performs a Denial of Service attack against IIS5/IIS6/IIS7 using unsecure globbing mechanism. This attacks works with standard user accounts (doesn't required write access). The second exploit is tracked under CVE-2009-2521

Updates :
  • Kingcope publishes a new attack against IIS5/IIS6/IIS7 - Denial of service only - CVE-2009-2521
  • Microsoft published KB975191 with more information
  • VDB IDS are : CVE-2009-3023 , VU#276653
  • To perform a DoS attack write access is not required - this is also the case for IIS6
  • Summary: Code execution possible on IIS5/5.1 if write access granted, DoS is possible on both IIS5 and IIS6. Note - there is a improbable condition that may allow code execution on IIS5/5.1 even if write access is not granted, the condition is that a directory is present that has certain characters in it. It's improbable but possible. Thanks to Guido Landi for the insight.
Fast facts IIS5/6 Code execution (CVE-2009-3023:
  • Affects IIS5 /5.1 and IIS6 - currently only a functional code execution exploit for IIS 5/Win2k exists, DoS attacks is possible against all versions.
  • The attacker must use an FTP account that is allowed to create directories (anon or known user) for the exploit to work
  • The FTP service is not enabled by default
  • Anonymous access is not enabled by default
Current vulnerability requirements (code execution):
  • IIS 5 (5.1) or IIS 6 installed and
  • FTP service enabled and
  • Code exec only requirement : NTFS write permissions given to anonymous or known users
    (IIS5 and IIS6 run on Windows XP, Windows 2000, Windows 2003)
    Current mitigations :
    • Disable FTP service on IIS5 and IIS6 if not required or
    • If FTP is required, disable create directory permissions (see KB975191) or disable write access all together (pic) Note: this will not protect against Denial of Service attacks

      Browse to the root directory of your FTP site. By default this is in %systemroot%\inetpub\ftproot.
      Right-click on the directory and select Properties.
      Click the Security tab and click Advanced.
      Click Change Permissions.
      Select the Users group and click Edit.
      Deselect Create Folders/Append Data.
    Comments :
    • Successfull  code execution might be possible without the need to be able to create directories (more research required). Note: For a successful  Denial of Service attack the creation of a directory is not required.

    • The reason there is no functional exploit against IIS6 (Windows 2003) is that the exploit mitigations that ship with Windows2003 make it harder to reliably exploit (if at all)

    • It's possible that the vulnerable part of the IIS code can be reached by other means, if other methods are known we will update this blog.
    Tools :
    • Nmap script to scan network for IIS FTP with write permissions (Credit: Xavier Mertens)
    • OpenVas is able to scan for this flaw
    Links :
    Posted by Thierry Zoller, Luxembourg