MA-191.092009: MyCERT Alert - Critical Vulnerability in Microsoft Internet Information Server (IIS) FTP Server

1.0 Introduction

A critical vulnerability has been identified in the Microsoft Internet Information Server (IIS) FTP server. The IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system. MyCERT is aware that a zero-day exploit is publicly available in the wild and is actively being used by attackers.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Microsoft Internet Information Server FTP. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.

3.0 Affected Products

The Microsoft Windows operating systems and components listed below are affected by this vulnerability:

- Microsoft Windows 2000 Service Pack 4
- Microsoft Internet Information Services 5.0
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Microsoft Internet Information Services 5.1
- Windows XP Professional x64 Edition Service Pack 2
- Microsoft Internet Information Services 6.0
- Windows Server 2003 Service Pack 2
- Microsoft Internet Information Services 6.0
- Windows Server 2003 x64 Edition Service Pack 2
- Microsoft Internet Information Services 6.0
- Windows Server 2003 with SP2 for Itanium-based Systems
- Microsoft Internet Information Services 6.0

4.0 Recommendation

At the time of this writing, Microsoft has not released any patch to address this vulnerability. Until one is available, users are advised to apply the following workarounds:

- Modify NTFS file system permissions to disallow directory creation by FTP users
An administrator can modify NTFS file system permissions on the root directories of the FTP sites hosted on a server to disallow creation of directories by FTP users. This modification still allows FTP users to upload files to existing directories. As administrator, perform the following steps to remove directory creation privileges from the Users group. If you have configured a dedicated FTP user or a custom group to manage your FTP users, replace the Users group in step 5 below with those identities.
1. Browse to the root directory of your FTP site. By default this is %systemroot%\inetpub\ftproot.
2. Right-click the directory and select Properties.
3. Click the Security tab, then click Advanced.
4. Click Change Permissions.
5. Select the Users group and click Edit.
6. Deselect Create Folders/Append Data.
Impact of Workaround: FTP users will not be able to create directories through the FTP service. FTP users will still be able to upload files to existing directories through the FTP service.
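The same NTFS change in script form, added here as an example that is not part of the MyCERT advisory or of Microsoft's Fix it: it removes only the Create Folders/Append Data right (FileSystemRights.CreateDirectories) from the Allow entries for BUILTIN\Users on the FTP root, so uploads to existing directories keep working. It assumes the default root path named above and that FTP users are members of Users (the two variables at the top are the places to change), and it first converts inherited entries to explicit ones, which the GUI also requires before an inherited entry can be edited.

```powershell
# Added example: script form of the NTFS workaround above (not MyCERT's or Microsoft's code).
# Assumptions: the FTP root is the default path named in the advisory and FTP users are
# members of BUILTIN\Users; change the two variables below if you use a custom FTP group.
$ftpRoot  = "$env:SystemRoot\inetpub\ftproot"
$identity = 'BUILTIN\Users'
$right    = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories  # same bit as AppendData

# Step 1: make inherited entries explicit so they can be edited. Existing rights are
# copied into explicit entries, not dropped.
$acl = Get-Acl -Path $ftpRoot
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $ftpRoot -AclObject $acl

# Step 2: rebuild every Allow entry for the group without the CreateDirectories bit,
# keeping all other rights and the original inheritance flags.
$acl = Get-Acl -Path $ftpRoot
$targets = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $right) -ne 0 })

foreach ($ace in $targets) {
    $acl.RemoveAccessRuleSpecific($ace)
    $remaining = ([int]$ace.FileSystemRights) -bxor $right   # clear only the directory-creation bit
    if ($remaining -ne 0) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference,
            [System.Security.AccessControl.FileSystemRights]$remaining,
            $ace.InheritanceFlags, $ace.PropagationFlags,
            [System.Security.AccessControl.AccessControlType]::Allow)))
    }
}
Set-Acl -Path $ftpRoot -AclObject $acl

# Step 3: verify. No Allow line for the group should still list CreateDirectories/AppendData.
(Get-Acl -Path $ftpRoot).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

Run it from an elevated PowerShell session on the FTP server; a test upload to an existing directory should still succeed afterwards while an MKD request from an FTP client should be refused.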
- Do not allow FTP write access to untrusted anonymous users
Anonymous users are not granted FTP write access by default. If anonymous write access has been granted on an FTP server, the administrator can modify IIS permissions to prevent anonymous write access. Untrusted users cannot exploit the vulnerability without FTP write access. To modify IIS permissions to prevent FTP write access to anonymous users, perform the following steps:
1. Launch IIS Manager.
2. Right-click Default FTP Site and select Properties.
3. Click the Home Directory tab.
4. Ensure that Write is deselected.
Impact of Workaround: Users will not be able to transfer files using FTP, but can do so using WebDAV.
- Disable the FTP service
Note: See http://support.microsoft.com/kb/975191 to use the automated Microsoft Fix it solution to apply this workaround.
Impact of Workaround: The FTP service will be disabled.

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor.

MyCERT can be reached through the following channels:

E-mail: mycert@mycert.org.my
Phone: +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Handphone: +60 19 2665850 (24x7 call incident reporting)
SMS: +60 19 2813801 (24x7 SMS reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

5.0 References