Possible 0-day in IIS5 and IIS6 FTP (updated x3)

A zero day for IIS5 & 6 was posted today to the Full Disclosure mailinglist. Yes, we are talking shellcode. This seems to be real.

According to Thierry Zoller, it doesn't work reliably for IIS6 but it's not impossible (source: twitter) and confirmed by this comment on the mailinglist. But it will crash the service on Windows2003 as such. Seems an issue in the MKDIR command.

US CERT is advising:

US-CERT encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability, although a proper impact analysis should be performed prior to taking defensive measures.

So the impact seems limited to servers that allow anonymous (write) access. Unless you don't trust authenticated users or fear they can be easily compromised. Stay tuned for updates.

UPDATE: Thanks to a NMAP script from Xavier, you can now scan you environment for vulnerable servers.
UPDATE 2: If you need a snort signature for the milw0rm IIS-FTP
exploit. Emergent threats released signature tarballs and a history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828
UPDATE 3: Developers of the Backtrack played with the exploit and created an enhanced version that opens a listening port on a fully patched Windows 2000 system running IIS 5. They made a video.

HAR2009: where to get the presentation videos

Well, HAR2009 was a blast. It was fun meeting a lot of other people, doing some workshops and some soldering. I missed some of the talks I wanted to see but luckily there were recordings of the presentations. They are about 24GB and you can find them at:

• dotsrc.org HTTP
• dotsrc.org FTP
• BlinkenArea HTTP (slow)

These are raw, unedited videos. Some edited videos are available on http://rehash.nl/ by streaming. But I prefer to have my videos offline.

Collection of Defcon 17 articles, videos, pictures and podcasts

This is a list of articles and other fun stuff that people were tweeting about in the last week. This list is of course not exhaustive but a nice place to start reviewing the things that happened at the conference.

Articles:

• Announcing the Warzone Project (uncommonsensesecurity.com)
• DefCon Updates (A Day in the Life of an Information Security Investigator )
• Defcon: New Hack Hijacks Application Updates Via WiFi (Darkreading)
• Researchers offer tools for eavesdropping and video hijacking (CNet.com)
• Korean 'journalists' booted from Defcon (computerworld.com)
• Fake ATM doesn't last long at hacker meet (Computerworld)
• Electronic High-Security Locks Easily Defeated at DefCon (Wired.com)
• Fake ATM, skimmers found in Las Vegas hotels (Zero Day)
• ATM scam at DEFCON clearly the work of ironic criminals (engadget.com)
• The Best (and Worst) Hacks of Defcon Computer Security Conference 2009 (fastcompany.com)
• Hacker demos persistent Mac keyboard attack (Zero day)
• Hack-Proofing The Hackers (forbes.com)
• DEFCON 17 Badge Hackers (infosecevents.net)
• Defcon air traffic control hacker: Excuse me while I change your aircraft’s flight plan (deals.venturebeat.com)
• Our Favorite XSS Filters and how to Attack them (sirdarckcat.blogspot.com)
• Feds at DefCon Alarmed After RFIDs Scanned (wired.com)
• Opinion: Irresponsibility runs amok at Black Hat, Defcon (computerworld.com)
  
• Ax0n's DefCon 17 Wrap-Up (www.h-i-r.net)
• Defcon talk: 0-day, gh0stnet and the Adobe JBIG2Decode disclosure debalce – Steven Adair (cupfighter.net)
• Blackhat USA 2009: Reverse Engineering by Crayon (offensivecomputing.net)
• Black Hat: Social Networks Reveal, Betray, Help Users (informationweek.com)

Video:

• SSL rebinding video (stub.bz)
• #defcon podcast meetup (youtube)
• Hacking The Defcon 2009 Badge (youtube)
• Metasploit Oracle videos (vimeo.com)
• Hacker Charlie Miller on how he compromised the iPhone (venturebeat.com)
  

Podcast:

• Defcon Microcast 1 – Johnny Long, Hackers for Charity (Network security)
  
• Defcon Microcast 2 – Dark Tangent (Network security)
• Defcon Microcast 3 – Saturday Wrapup (Network security)

Pictures:

• http://www.defconpics.org/

Related posts:

• Get the #DEFCON 17 CD Archive (updated x2)
• Day 2: A collection of #Blackhat articles: keeping remote track of the event
• BlackHat slides available and first blogposts
• How to follow Blackhat/Defcon without being there
• Preparing your laptop (or iPhone) for a security/hacker conference

(Photo under creative commons from ggee's photostream)

Get the #DEFCON 17 CD Archive (updated x2)

The Defcon 17 CD Archive is up. Get it at https://media.defcon.org/dc-17/DEFCON-17-CD.rar

Update: The following file triggered some Antivirus engines

"Extras/bin/crackmes/manifest.exe". (in Sean Taylor's Extras.zip) - Detects as TR/Crypt.ZPACK.Gen

But it was confirmed by the Defcon team that it contained no trojan. Better be safe then sorry.

Related posts:

• Day 2: A collection of #Blackhat articles: keeping remote track of the event
• BlackHat USA2009 slides available and first blogposts
• How to follow Blackhat/Defcon without being there
• Preparing your laptop (or iPhone) for a security/hacker conference