FTP service of Microsoft IIS 5 and 6 vulnerable to attacks - Update 2
An exploit which allegedly enables attackers to obtain system privileges on a Microsoft server via its FTP service has appeared on the Full Disclosure mailing list. According to its author, "Kingcope", the vulnerability affects the FTP service of Microsoft's Internet Information Services 5 server suite, and apparently even affects version 6, which has "Stack Cookie Protection". No patch for the vulnerability is available so far.
The source code of the exploit was published as a PDF file. First reports by independent security experts have confirmed that it is functional. The exploit contains shellcode tailored for Windows 2000 and uses an anonymous FTP login to connect to the server under attack. It creates two directories on this server via the MKD command. The actual attack appears to be triggered by the NLST (name list) command for displaying the contents of a directory. Since the exploit's exact operating principles are as yet unknown, the only apparent way of reliably protecting vulnerable systems is to grant FTP access to trusted users only.
Update - The exploit is apparently real; the makers of the BackTrack security distribution experimented with the exploit and created an enhanced version that opens a listening port on a fully patched Windows 2000 system running IIS 5. They demonstrate that enhanced version in a video.
A script for Nmap has been developed by Belgian security expert Xavier Mertens to detect vulnerable systems; the script scans for Microsoft ftpd servers that permit anonymous access and allow the MKD command to be executed, the two preconditions the published exploit relies on.
However, a working exploit for IIS6 has yet to be found. Microsoft has not yet commented on the issue.
Update 2 - Microsoft have confirmed to heise Security, The H's associates in Germany, that there is a problem and that they are working on the issue. The company says that there are no signs that the vulnerability has been used to attack customers. US-CERT has released a vulnerability note and advises administrators to disable write access for anonymous FTP users to limit the ability of an attacker to trigger the vulnerability.
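The preconditions the Nmap script looks for, and the effect of the US-CERT mitigation, can be verified with a short probe. The following is an added example, not Xavier Mertens's script and not code from the article or from Microsoft: it connects to an FTP server, looks for a Microsoft FTP Service banner, logs in anonymously and tries to create and then remove a randomly named directory with MKD, reporting whether anonymous write access is enabled. So that it runs offline, it includes a constructed fake Microsoft ftpd whose banner and reply wording are assumptions; the host, port and probe directory name are likewise assumptions. It does not attempt the NLST trigger itself.

```python
"""Probe an FTP server for the preconditions the IIS 5/6 FTP exploit relies on:
a Microsoft FTP Service banner, anonymous login, and a writable directory (MKD allowed).
Added example, not the Nmap script from the article. The fake server below is a
constructed stand-in for a Microsoft ftpd so that the check can be run offline."""
import ftplib
import secrets
import socketserver
import threading


def check_anonymous_write(host, port, timeout=5.0):
    """Probe one server. Returns a dict of findings; FTP-level failures never raise."""
    result = {"banner": "", "is_microsoft": False, "anonymous_login": False,
              "mkd_allowed": False, "exposed": False}
    ftp = ftplib.FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout)   # the 220 greeting line
    except OSError:
        return result                                         # port closed or filtered
    result["is_microsoft"] = "microsoft ftp service" in result["banner"].lower()
    try:
        ftp.login("anonymous", "anonymous@example.com")       # assumed anonymous password
        result["anonymous_login"] = True
    except ftplib.all_errors:
        ftp.close()
        return result
    # Random, short-lived directory name so the probe cannot collide with real content.
    probe = "nlstprobe_" + secrets.token_hex(4)
    try:
        ftp.mkd(probe)
        result["mkd_allowed"] = True
        try:
            ftp.rmd(probe)                                    # clean up after ourselves
        except ftplib.all_errors:
            pass
    except ftplib.all_errors:                                 # e.g. 550 when write access is off
        pass
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
    result["exposed"] = result["is_microsoft"] and result["anonymous_login"] and result["mkd_allowed"]
    return result


class _FakeMsFtpdHandler(socketserver.StreamRequestHandler):
    """Minimal, constructed imitation of the Microsoft FTP Service control channel."""

    def handle(self):
        self.wfile.write(b"220 Microsoft FTP Service\r\n")      # assumed banner text
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                reply = "331 Anonymous access allowed, send identity (e-mail name) as password."
            elif verb == "PASS":
                reply = "230 Anonymous user logged in."
            elif verb == "MKD":
                # allow_write models the US-CERT mitigation: anonymous write access on or off.
                reply = ('257 "%s" directory created.' % arg if self.server.allow_write
                         else "550 Access is denied.")
            elif verb == "RMD":
                reply = "250 RMD command successful."
            elif verb == "QUIT":
                reply = "221 Goodbye."
            else:
                reply = "502 Command not implemented."
            self.wfile.write((reply + "\r\n").encode("latin-1"))
            if verb == "QUIT":
                return


class FakeMsFtpd(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, allow_write):
        super().__init__(("127.0.0.1", 0), _FakeMsFtpdHandler)   # port 0: pick a free port
        self.allow_write = allow_write


def run_demo(allow_write):
    """Start a fake server, run the check against it, stop the server, return the findings."""
    server = FakeMsFtpd(allow_write)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_anonymous_write("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for allow in (True, False):
        print("anonymous write %s -> %s" % ("on " if allow else "off", run_demo(allow)))
```

Against a real host, call `check_anonymous_write(host, 21)` directly; a result with `exposed` set means the server advertises itself as Microsoft ftpd, accepts anonymous logins and lets them create directories, which is exactly the configuration the exploit needs and the configuration US-CERT's advice removes. A `mkd_allowed` of `False` after the mitigation confirms that anonymous users can no longer reach the MKD step.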