Monday

Possible 0-day in IIS5 and IIS6 FTP (updated x3)

A zero-day for IIS 5 and 6 was posted today to the Full Disclosure mailing list. Yes, we are talking shellcode. This seems to be real.

According to Thierry Zoller, it doesn't work reliably on IIS 6, but it's not impossible (source: Twitter), and this is confirmed by this comment on the mailing list. It will, however, crash the service on Windows 2003. The issue seems to be in the MKDIR command.

US CERT is advising:

US-CERT encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability, although a proper impact analysis should be performed prior to taking defensive measures.

So the impact seems limited to servers that allow anonymous (write) access, unless you don't trust your authenticated users or fear their accounts can be easily compromised. Stay tuned for updates.

UPDATE: Thanks to an NMAP script from Xavier, you can now scan your environment for vulnerable servers.
UPDATE 2: If you need a Snort signature for the milw0rm IIS-FTP exploit, Emerging Threats released signature tarballs, and the history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828
UPDATE 3: The BackTrack developers played with the exploit and created an enhanced version that opens a listening port on a fully patched Windows 2000 system running IIS 5. They made a video.
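As an added illustration (not code from the original post, from the Emerging Threats rules, or from Xavier's NMAP script), here is a small Python checker that applies the two defensive ideas above to an FTP control-channel log: it flags MKD/XMKD commands with an abnormally long argument, and any write-capable command issued in a session that logged in anonymously. The log format, the 200-byte threshold, the command list and the sample sessions are constructed assumptions for the example.

```python
"""Triage an FTP control-channel log for activity related to the IIS FTP MKD issue.

Two heuristics (both assumptions made for this example, not the Emerging
Threats rule text):
  1. a MKD/XMKD argument far longer than any legitimate directory name
  2. a write-capable command in a session that authenticated as anonymous,
     which is exactly the exposure US-CERT recommends removing
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Assumed threshold: real directory names essentially never approach this.
MAX_MKD_ARG = 200

# Commands that change server state; assumed set for the example.
WRITE_COMMANDS = {"MKD", "XMKD", "STOR", "STOU", "APPE",
                  "RNFR", "RNTO", "DELE", "RMD", "XRMD"}
ANON_USERS = {"anonymous", "ftp"}

# Assumed log format: "<session-id> <C|S> <text>", C = client, S = server.
LINE_RE = re.compile(r"^(?P<sess>\S+)\s+(?P<dir>[CS])\s+(?P<text>.*)$")

# Constructed sample: s1 is an anonymous session sending an oversized MKD,
# s2 is a normal authenticated user creating a directory.
SAMPLE_LOG = "\n".join([
    "s1 C USER anonymous",
    "s1 S 331 Anonymous access allowed, send identity as password.",
    "s1 C PASS guest@example.com",
    "s1 S 230 Anonymous user logged in.",
    "s1 C MKD " + "A" * 300,
    "s2 C USER alice",
    "s2 S 331 Password required for alice.",
    "s2 C PASS ****",
    "s2 S 230 User alice logged in.",
    "s2 C MKD reports-2009",
    's2 S 257 "reports-2009" directory created.',
])


@dataclass
class Finding:
    session: str
    rule: str
    detail: str


def analyze(log_text: str, max_mkd_arg: int = MAX_MKD_ARG) -> List[Finding]:
    """Return one Finding per heuristic hit, in log order."""
    findings: List[Finding] = []
    anon_sessions: Set[str] = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["dir"] != "C":
            continue  # server replies and malformed lines are ignored
        sess, text = m["sess"], m["text"]
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            if arg.strip().lower() in ANON_USERS:
                anon_sessions.add(sess)
            continue
        if verb in ("MKD", "XMKD") and len(arg) > max_mkd_arg:
            findings.append(Finding(sess, "oversized-mkd-argument",
                                    f"{verb} argument of {len(arg)} bytes"))
        if verb in WRITE_COMMANDS and sess in anon_sessions:
            # Truncate so an oversized argument does not flood the report.
            findings.append(Finding(sess, "anonymous-write-attempt", text[:40]))
    return findings


def sessions_flagged(log_text: str) -> Set[str]:
    """Convenience: the set of session ids with at least one finding."""
    return {f.session for f in analyze(log_text)}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.session}\t{f.rule}\t{f.detail}")
```

The checker is a triage aid over logs you already keep, not a substitute for the Snort rules or for removing anonymous write access: a hit on the second rule means the server still exposes the configuration US-CERT advises turning off, regardless of whether the first rule ever fires.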
