Microsoft warns of vulnerability in Internet Information Services
Microsoft has issued a security advisory which warns of a critical bug in the FTP server service in Internet Information Services (IIS). An exploit demonstrating the vulnerability was published two days ago by a hacker going by the pseudonym Kingcope. Microsoft hopes to release an update to fix the bug as soon as possible, but has not been able to set a date for doing so.
According to Microsoft, IIS versions 5.0, 5.1 and 6.0 for Windows 2000, XP and Server 2003 are affected. IIS 7, for use under Vista and Server 2008, is not vulnerable. For the vulnerability to be exploitable, administrators must have activated write access for guest users. The vulnerability is harder to exploit in version 6, as this version is compiled using the /GS compiler option, which activates stack cookies. Stack cookies are placed on the stack between parameters and checked regularly. If an attacker overwrites a cookie, for example by exploiting a buffer overflow, the program is terminated. This results in a program crash, but prevents intrusion.
Microsoft's suggested workaround is interesting – setting access rights to the NTFS file system in the root directory of the FTP server such that FTP users are no longer able to create directories is apparently sufficient to avert the danger. The published exploit first creates a directory with a specific name and then triggers the bug using the NLST (name listing) command. Alternatively, administrators can, as previously mentioned, just block write access for untrusted FTP users.
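As an added example (not taken from Microsoft's advisory or from the original article), the following PowerShell function audits the workaround described above by listing the accounts whose NTFS entries on the FTP root still allow directory creation. The function name, the default path `C:\Inetpub\ftproot` and the list of trusted accounts are assumptions to adjust for the server being checked.

```powershell
# Added example: list identities that can still create directories in the FTP root.
# Assumptions: the FTP root path and the trusted-account list below.
function Get-FtpDirCreators {
    param(
        [string]$FtpRoot = 'C:\Inetpub\ftproot',
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # FileSystemRights.CreateDirectories (same bit as AppendData) = 0x4.
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) also imply it.
    $mask = 0x4 -bor 0x40000000 -bor 0x10000000
    $inheritOnly = 2   # PropagationFlags.InheritOnly: rule does not apply to the root itself

    $allow = @{}
    $deny  = @{}
    $acl = Get-Acl -Path $FtpRoot

    foreach ($rule in $acl.Access) {
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }

        $id = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Deny') { $deny[$id] = $true }
        else { $allow[$id] = $true }
    }

    # Report identities with an Allow entry and no matching Deny entry.
    # Group membership is not resolved, so a Deny on a group does not clear
    # an Allow on one of its members; such cases are reported for manual review.
    $allow.Keys |
        Where-Object { -not $deny.ContainsKey($_) -and $Trusted -notcontains $_ } |
        Sort-Object
}

# Usage: any output means the workaround is not yet in place for that identity.
Get-FtpDirCreators | ForEach-Object {
    Write-Warning "$_ can create directories in the FTP root"
}
```

An empty result indicates that only the trusted accounts retain the right to create directories in the FTP root.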
- Vulnerability in Internet Information Services FTP Service Could Allow for Remote Code Execution, security advisory from Microsoft.
- FTP service of Microsoft IIS 5 and 6 vulnerable to attacks, a report from The H.