Renowned security researcher "Kingcope" published a zero-day vulnerability (i.e. no patch existed and the flaw was unknown to the vendor at the time of publication) affecting the FTP service of Microsoft IIS 5 and IIS 6. Functional exploit code exists for IIS 5 / 5.1; no functional code-execution exploit is known to exist for IIS 6.
Update: Kingcope released a second exploit that performs a Denial of Service attack against IIS5/IIS6/IIS7 by abusing the FTP service's insecure globbing (wildcard expansion) mechanism. This attack works with standard user accounts (it does not require write access). The second issue is tracked as CVE-2009-2521.
Updates :
- Kingcope published a new attack against IIS5/IIS6/IIS7 - Denial of Service only - CVE-2009-2521
- Microsoft published Security Advisory KB975191 with more information
- VDB IDs are: CVE-2009-3023, VU#276653
- To perform a DoS attack, write access is not required; this is also the case for IIS6
- Summary: code execution is possible on IIS5/5.1 if write access is granted; DoS is possible on both IIS5 and IIS6. Note: there is an improbable condition that may allow code execution on IIS5/5.1 even if write access is not granted: a directory whose name contains certain characters must already be present. Improbable, but possible. Thanks to Guido Landi for the insight.
Affected systems :
- Affects IIS5/5.1 and IIS6 - currently only a functional code-execution exploit for IIS 5/Win2k exists; DoS attacks are possible against all versions.
- The attacker must use an FTP account that is allowed to create directories (anonymous or a known user) for the code-execution exploit to work
- The FTP service is not enabled by default
- Anonymous access is not enabled by default
Requirements :
- IIS 5 (5.1) or IIS 6 installed and
- FTP service enabled and
- Code execution only: NTFS write permissions (in particular Create Folders) granted to anonymous or known users
(IIS 5.0 ships with Windows 2000, IIS 5.1 with Windows XP and IIS 6 with Windows 2003)
Mitigation :
- Disable the FTP service on IIS5 and IIS6 if it is not required, or
- If FTP is required, remove the create-directory permission (see KB975191) or disable write access altogether (see screenshot). Note: this will not protect against Denial of Service attacks.
Steps from KB975191:
1. Browse to the root directory of your FTP site. By default this is %systemroot%\inetpub\ftproot.
2. Right-click the directory and select Properties.
3. Click the Security tab and click Advanced.
4. Click Change Permissions.
5. Select the Users group and click Edit.
6. Deselect Create Folders/Append Data.
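The same change as a script, added here as an example rather than taken from KB975191 or the original post: it lists every Allow entry on the FTP root that carries the Create Folders/Append Data right and, when run with -Fix, strips only that bit from the named identities while keeping their other rights (read, list, even file upload). The FTP root path and the BUILTIN\Users default are assumptions taken from the KB steps; pass -Identities if your site grants write access to another account, such as the IIS anonymous user IUSR_<machine>. As the post says, this blocks the code-execution path only; the DoS remains.

```powershell
# Added example (not from KB975191 or the original post). Audits the FTP root ACL for
# entries that allow creating directories and, with -Fix, removes that single right.
# Assumptions: the path is the KB's default and BUILTIN\Users is the group the KB tells
# you to edit; use -Identities for other accounts (e.g. the IUSR_<machine> anonymous
# user). Run from an administrative PowerShell. Blocks code execution only, not the DoS.
param(
    [string]   $FtpRoot    = "$env:SystemRoot\inetpub\ftproot",
    [string[]] $Identities = @('BUILTIN\Users'),
    [switch]   $Fix
)

# "Create Folders / Append Data" is one bit: CreateDirectories == AppendData (4).
$createBit = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-CreateDirAllows([string]$Path) {
    # Every Allow ACE whose rights include the create-directory bit.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights) -band $createBit) -ne 0
    }
}

Write-Host "Allow entries on $FtpRoot that can create directories:"
foreach ($ace in Get-CreateDirAllows $FtpRoot) {
    Write-Host ("  {0,-32} {1}  (inherited: {2})" -f $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
}
if (-not $Fix) { return }

$acl = Get-Acl -Path $FtpRoot
$targets = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $Identities -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band $createBit) -ne 0
})
if ($targets.Count -eq 0) { Write-Host "Nothing to fix for: $Identities"; return }

# Inherited entries cannot be edited on the folder itself. Copy them onto the folder
# first (what the Advanced Security dialog does when you edit an inherited entry).
if ($targets | Where-Object { $_.IsInherited }) {
    $acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep the inherited ACEs as explicit copies
    Set-Acl -Path $FtpRoot -AclObject $acl
    $acl = Get-Acl -Path $FtpRoot
}

foreach ($ace in @($acl.Access)) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
    $rights = [int]$ace.FileSystemRights
    if (($rights -band $createBit) -eq 0) { continue }

    # Rebuild the entry without the create-directory bit; everything else is preserved,
    # matching "deselect Create Folders/Append Data" in the KB.
    $remaining = [System.Security.AccessControl.FileSystemRights]($rights -band (-bnot $createBit))
    $acl.RemoveAccessRuleSpecific($ace)
    if ([int]$remaining -ne 0) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ace.IdentityReference, $remaining, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow'
        $acl.AddAccessRule($rule)
    }
}
Set-Acl -Path $FtpRoot -AclObject $acl

Write-Host "Entries that can still create directories after the fix:"
foreach ($ace in Get-CreateDirAllows $FtpRoot) {
    Write-Host ("  {0,-32} {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
}
```

Run it once without -Fix to see who can create folders (Administrators and SYSTEM will normally show up and are left alone unless you name them), then with -Fix. Breaking inheritance on the FTP root is the price of editing an inherited entry; the script copies the inherited entries first so no other permission changes.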
Comments :
- Successful code execution might be possible without the ability to create directories (more research required). Note: a successful Denial of Service attack does not require creating a directory.
- The reason there is no functional exploit against IIS6 (Windows 2003) is that the exploit mitigations that ship with Windows 2003 (stack cookies, DEP) make reliable exploitation harder, if it is possible at all.
- It is possible that the vulnerable part of the IIS code can be reached by other means; if other methods become known we will update this blog.
Tools :
- Nmap script to scan the network for IIS FTP servers that grant write permissions (Credit: Xavier Mertens)
- OpenVAS is able to scan for this flaw
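A minimal check in the spirit of the Nmap script above, added here as an example and not Xavier Mertens' script: it logs in over the FTP control channel, issues MKD for a throwaway name and reports whether the server accepted it (reply 257), which is exactly the precondition the code-execution exploit needs, then removes the test directory again. Server, port, credentials and the directory name are parameters you supply; anonymous login with a dummy e-mail address as password is the assumed default.

```powershell
# Added example (not the Nmap script credited above). Tests whether an FTP account can
# create a directory on the target, i.e. the precondition for the IIS 5/5.1 code-execution
# exploit. Assumed defaults: anonymous login with a dummy e-mail password; the test
# directory name is arbitrary. Only run this against servers you are authorised to test.
param(
    [string] $Server,
    [int]    $Port     = 21,
    [string] $User     = 'anonymous',
    [string] $Password = 'probe@example.com'
)
if (-not $Server) { Write-Host 'Usage: -Server <host> [-Port 21] [-User anonymous] [-Password x@y]'; return }

function Read-FtpReply($Reader) {
    # A reply ends at the line "NNN text"; the lines of a multi-line reply read "NNN-text".
    do { $line = $Reader.ReadLine() } while ($line -ne $null -and $line -notmatch '^\d{3} ')
    return $line
}

function Send-FtpCommand($Writer, $Reader, [string]$Command) {
    $Writer.WriteLine($Command)
    $Writer.Flush()
    return Read-FtpReply $Reader
}

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $client.GetStream()
$stream.ReadTimeout = 10000
$reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
$writer.NewLine = "`r`n"

$banner = Read-FtpReply $reader
Write-Host "Banner: $banner"
if ($banner -notmatch 'Microsoft FTP Service') { Write-Host 'Banner is not the IIS FTP banner; checking anyway.' }

# Authenticate. IIS answers USER with 331 (send password) and PASS with 230 on success.
$reply = Send-FtpCommand $writer $reader "USER $User"
if ($reply -match '^331') { $reply = Send-FtpCommand $writer $reader "PASS $Password" }
if ($reply -notmatch '^230') {
    Write-Host "Login failed for '$User': $reply"
    $client.Close(); return
}

# The actual test: can this account create a directory?
$dirName = 'permcheck_' + (Get-Date -Format 'yyyyMMddHHmmss')
$reply = Send-FtpCommand $writer $reader "MKD $dirName"
if ($reply -match '^257') {
    Write-Host "EXPOSED: '$User' may create directories on $Server ($reply)"
    $cleanup = Send-FtpCommand $writer $reader "RMD $dirName"
    if ($cleanup -notmatch '^250') { Write-Host "Could not remove test directory '$dirName': $cleanup" }
} else {
    Write-Host "OK: directory creation denied for '$User' on $Server ($reply)"
}
Send-FtpCommand $writer $reader 'QUIT' | Out-Null
$client.Close()
```

An "OK" result only says the code-execution precondition is absent for that account; per the updates above, the globbing Denial of Service needs no write access at all, so an FTP service that still answers the login is still exposed to it.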
Links :
- US-CERT - http://www.kb.cert.org/vuls/id/276653
- Microsoft - http://www.microsoft.com/technet/security/advisory/975191.mspx
- Exploit code - http://milw0rm.com/exploits/9541
- SNORT signature update - http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2009-09-01.html
Posted by Thierry Zoller, Luxembourg
2 comments:
- At 04 September, 2009 05:03 Anonymous said...
  Is this just a re-occurrence of a bug reported for IIS3 + IIS4 back in 1999? Go look at MS99-003 at http://www.microsoft.com/technet/security/bulletin/MS99-003.mspx
  ..Petar
- At 09 September, 2009 00:44 Anonymous said...
  You can work around it using WinFail2Ban; it allows you to detect brute force attacks to obtain valid credentials and then make a successful attack using the latest vulnerability.
  It's FREE and OPEN SOURCE http://winfail2ban.sourceforge.net/