Microsoft XP/Vista System IIS Vulnerability Temporary Solution

Today I saw a new 0day exploit code —— Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit in milw0rm. This code was released by kcope yesterday. According to him, this code is only valid for Microsoft Windows 2000 operating system 10 years ago. This operating system uses the old version of IIS 5.0 server software. But security experts say that the success of this type of attack requires hackers to create a directory on this server. But it is confirmed that other versions of IIS software are also at risk, and Microsoft's newer operating system has the ability to mitigate this risk.

Microsoft said on Monday that it has investigated reports of flawed versions of Internet Information Services (IIS) products that are circulating externally, allegedly allowing the attacker to take control of the entire system.

In a statement, a Microsoft representative said the company is investigating the vulnerability of the FTP protocol that may appear in IIS 5 and IIS 6, and taking steps to protect its customers, but first needs Confirm that this question is true.

According to IDG news service, this vulnerability only affects the old version of IIS, and it will only be threatened if it is opened under FTP conditions. Microsoft's FTP service has so far had no loopholes.

Once the investigation is completed, the vulnerability is true and Microsoft will be able to quickly release the patch on Patch Tuesday (Tuesday Patch Day) next week.

Vulnerability Description

Microsoft IIS's FTP server has a buffer overflow vulnerability when resolving directory names. Remote attackers submit requests by submitting an FTP NLST (NAME LIST) command containing a specially named directory. To trigger a stack-based buffer overflow, an attacker can execute arbitrary instructions with application privileges, and an attacker can use the attack code to install unlicensed software on the server.

This vulnerability exists in File Transfer Protocol (FTP) software used by IIS to transfer large files over the Internet. Therefore, an attacker must enable the FTP protocol to be attacked.

There are already exploits that exploit this vulnerability. Because an attacker needs FTP to configure anonymous account write permissions or have other legitimate account information to create a specially named directory, you can temporarily disable anonymous FTP write access. To mitigate the impact of the vulnerability on users.

Affected Software

Microsoft IIS 6.0 Microsoft IIS 5.0

Attack Code

Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)< Br>

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)

Temporary Solution

1. Disable the write permission of the FTP server, prohibit the directory from creating files and directories. . 2. Because the exploit requires an anonymous user or obtain an FTP account, it is recommended that all anonymous FTP servers temporarily open the account verification policy. 3. In a more rigorous environment, it is recommended to set an authorized IP to connect to the FTP server.