Microsoft Internet Information Services (IIS) FTP buffer overflow (FTP_IIS_Wildcard_Overflow)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects an attempt during an FTP session to use a specially-crafted command containing a wildcard that may lead to a buffer overflow in IIS FTP servers.


Default risk level

High

Sensors that have this signature

IBM Security Server Protection for Windows: 1.0.914.2440, IBM Security Server Protection for Windows: 2.0.300.2440, IBM Security Server Protection for Windows: 2.1.14.2440, Proventia Network IDS: XPU 29.100, Proventia-G 1.1 and earlier: XPU 29.100, Proventia Network MFS: XPU 29.100, RealSecure Server Sensor: XPU 29.100, RealSecure Network: XPU 29.100, Proventia Network IPS: XPU 29.100, Proventia Desktop: 2440, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 29.100

Systems affected

Microsoft IIS: 6.0, Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Internet Information Server: 5.0, Microsoft Internet Information Server: 5.1, Microsoft Windows XP: SP3

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Internet Information Services (IIS) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the FTP server. By sending a specially-crafted FTP NLST command containing a wildcard that references a subdirectory, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the FTP service to stop accepting requests.
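The description above states the signature's trigger condition in one sentence: an NLST argument that combines a wildcard with a subdirectory reference. The following Python is an added example of how a defender could apply that same heuristic to FTP control-channel logs; it is not IBM's or ISS's signature code, the length threshold and the sample session are constructed assumptions, and it only reports suspicious commands.

```python
import re
from dataclasses import dataclass

# Heuristic threshold: an assumption for this example, not a value taken from
# the IBM/ISS signature. Ordinary interactive clients send far shorter arguments.
MAX_SAFE_ARG_LEN = 200
WILDCARDS = set("*?")


@dataclass
class Finding:
    line_no: int
    verb: str
    reason: str


def parse_ftp_command(line: str):
    """Split one FTP control-channel command into (VERB, argument)."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None, ""
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    return verb, arg


def nlst_wildcard_reason(arg: str):
    """Return why an NLST argument matches the MS09-053 pattern, or None.

    The page describes the vector as a wildcard that references a
    subdirectory, so that is the primary condition; an oversized wildcard
    argument is reported as a secondary, assumption-based heuristic."""
    if not any(ch in WILDCARDS for ch in arg):
        return None
    if "/" in arg or "\\" in arg:
        return "wildcard combined with subdirectory path"
    if len(arg) > MAX_SAFE_ARG_LEN:
        return f"wildcard in oversized argument ({len(arg)} bytes)"
    return None


def scan_session(lines):
    """Scan a list of logged FTP commands and return the flagged ones."""
    findings = []
    for n, line in enumerate(lines, 1):
        verb, arg = parse_ftp_command(line)
        if verb != "NLST":
            continue
        reason = nlst_wildcard_reason(arg)
        if reason:
            findings.append(Finding(n, verb, reason))
    return findings


# Constructed sample session for illustration; not a real capture.
SAMPLE_SESSION = [
    "USER ftpuser",
    "PASS ********",
    "CWD /pub",
    "NLST *.txt",                 # benign: plain wildcard, no subdirectory
    "NLST " + "A" * 40 + "/*",    # wildcard referencing a subdirectory
    "NLST " + "B" * 300 + "*",    # oversized wildcard argument (secondary rule)
    "QUIT",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.verb} flagged: {f.reason}")
```

A plain wildcard such as `NLST *.txt` is not reported, which keeps false positives low for normal directory listings; the real sensor signature matches the overflow condition more precisely than this string heuristic, so treat a hit as a lead for investigation against the MS09-053 patch status of the host rather than as confirmation of exploitation.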

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS09-053. See References.

References

milw0rm.com [2009-08-31]
Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit
http://milw0rm.com/exploits/9541

Microsoft IIS Web site
The Official Microsoft IIS Site
http://www.iis.net/

milw0rm.com [2009-09-01]
Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)
http://milw0rm.com/exploits/9559

IBM Internet Security Systems Protection Alert
Microsoft Internet Information Services FTP Remote Code Execution
http://www.iss.net/threats/345.html

Microsoft Security Bulletin MS09-053
Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx

Offensive Security Exploit Database [07-03-2011]
Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS [MS09-053]
http://www.exploit-db.com/exploits/17476/

ISS X-Force
Microsoft Internet Information Services (IIS) FTP buffer overflow
http://www.iss.net/security_center/static/52915.php

CVE
CVE-2009-3023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3023