Microsoft IIS Vulnerability Gets Hit By Attacks

Microsoft says a zero-day vulnerability in its Internet Information Services web server is now the subject of limited attacks, with exploit code in public circulation.

The warning, about a vulnerability in the FTP service in IIS, follows the release of new exploit code that can be used to create a DoS (denial of service) condition on Windows XP and Windows Server 2003 without requiring Write access. Also, a new proof of concept allowing a DoS has been disclosed that affects FTP 6, which shipped with Windows Vista and Windows Server 2008.

Microsoft first issued an advisory on the bug on 1 September, a day after exploit code for the vulnerability was posted on Milw0rm. Beyond a DoS, successful exploitation can allow a remote authenticated FTP user (or an unauthenticated one, where anonymous access is enabled) to execute arbitrary code via a crafted NLST command that uses wildcards.

“An attacker with access to FTP Service could use this vulnerability to cause a stack-based overrun that could allow execution of arbitrary code in the context of the LocalSystem account on systems running IIS 5.0, or denial of service on affected systems running IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0,” Microsoft warned. “In configurations of FTP Service where anonymous authentication is allowed, the attacker need not be authenticated for exploitation to occur.”

Microsoft said on 31 August that a patch for the vulnerability is on the way. In the meantime, it has published mitigations and workarounds: administrators are advised to modify NTFS (NT File System) permissions so that FTP users cannot create directories, and to remove FTP write access from untrusted anonymous users. Users can also upgrade to FTP Service 7.5.
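Two things a defender can check in FTP logs follow directly from what the article states: the trigger is a wildcard NLST, and the enabling conditions are directory creation and anonymous write access. The script below is an added example, not code from the article, from Microsoft or from any published exploit. It parses constructed log lines in an assumed W3C-style layout (date, time, client IP, user, `[session]COMMAND`, argument, status, win32 status) and flags oversized or unusually deep wildcard listings, rating them higher when the same session created a directory first, and separately flags anonymous directory creation as a sign that the advisory's mitigation is not in place. The log layout, the thresholds and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions chosen for this example, not values from Microsoft.
MAX_WILDCARD_ARG_LEN = 128   # wildcard patterns longer than this are flagged
MAX_WILDCARD_DEPTH = 8       # wildcard patterns with more '/' than this are flagged
LIST_COMMANDS = {"NLST", "LIST"}

# IIS-style method field, e.g. "[1]NLST" -> session 1, command NLST (assumed layout)
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")

# Constructed sample log, loosely modelled on a W3C-format IIS FTP log.
LONG_NAME = "A" * 64
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status",
    "2009-09-01 10:00:01 203.0.113.7 anonymous [1]USER anonymous 331 0",
    "2009-09-01 10:00:01 203.0.113.7 anonymous [1]PASS - 230 0",
    f"2009-09-01 10:00:02 203.0.113.7 anonymous [1]MKD {LONG_NAME} 257 0",
    f"2009-09-01 10:00:03 203.0.113.7 anonymous [1]NLST /{LONG_NAME}/*/*/*/*/*/*/*/* 226 0",
    "2009-09-01 10:05:10 198.51.100.4 alice [2]USER alice 331 0",
    "2009-09-01 10:05:10 198.51.100.4 alice [2]PASS - 230 0",
    "2009-09-01 10:05:11 198.51.100.4 alice [2]NLST *.txt 226 0",
])


@dataclass
class Entry:
    ip: str
    user: str
    session: str
    command: str
    arg: str
    status: str


def parse_ftp_log(text):
    """Parse W3C-style lines into Entry objects, skipping '#' directives and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        m = METHOD_RE.match(fields[4])
        if not m:
            continue
        entries.append(Entry(ip=fields[2], user=fields[3], session=m.group(1),
                             command=m.group(2).upper(), arg=fields[5], status=fields[6]))
    return entries


def has_wildcard(arg):
    return "*" in arg or "?" in arg


def analyse(entries):
    """Return findings as (severity, ip, user, reason) tuples in log order."""
    findings = []
    mkd_seen = defaultdict(bool)  # (ip, session) -> a MKD was issued earlier in the session
    for e in entries:
        key = (e.ip, e.session)
        if e.command == "MKD":
            mkd_seen[key] = True
            if e.user.lower() == "anonymous":
                findings.append(("low", e.ip, e.user,
                                 "anonymous user created a directory; anonymous write "
                                 "access has not been removed"))
        elif e.command in LIST_COMMANDS and has_wildcard(e.arg):
            depth = e.arg.count("/")
            if len(e.arg) > MAX_WILDCARD_ARG_LEN or depth > MAX_WILDCARD_DEPTH:
                # A listing preceded by directory creation in the same session is the
                # combination the advisory's mitigations are meant to break.
                severity = "high" if mkd_seen[key] else "medium"
                findings.append((severity, e.ip, e.user,
                                 f"{e.command} with oversized wildcard pattern "
                                 f"(len={len(e.arg)}, depth={depth})"))
    return findings


if __name__ == "__main__":
    for severity, ip, user, reason in analyse(parse_ftp_log(SAMPLE_LOG)):
        print(f"[{severity}] {ip} ({user}): {reason}")
```

On the constructed sample the anonymous session produces a low-severity finding for the MKD and a high-severity one for the deep wildcard NLST that follows it; alice's ordinary `NLST *.txt` is not reported, which is the point of thresholding on length and depth rather than on the mere presence of a wildcard.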

A fix for the vulnerability is not expected to be included in the Sept. 8 Patch Tuesday release.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
