There is exploit code circulating for a newly discovered vulnerability in the FTP service of Microsoft IIS, a flaw which could enable an attacker to run his own code on a remote server. The flaw mainly affects older versions of IIS, Microsoft’s Web server product, but the existence of a working exploit and the popularity of IIS make the vulnerability a serious concern.
Microsoft security officials said they are investigating the issue. The exploit code for the IIS flaw was posted to the Milw0rm site on Monday, and US-CERT published an advisory on the vulnerability later in the day, recommending that administrators disable anonymous write access to vulnerable servers. However, allowing anonymous users to write to an FTP server isn’t recommended in any case. IIS 5 and 6 are vulnerable to the attack.
“The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker,” US-CERT said in its advisory.
Microsoft said that it was not aware of any attacks ongoing against IIS servers using the new vulnerability, but with the exploit code on the loose now, that may change quickly. Microsoft’s next patch release is due Sept. 8, but there’s no indication as to whether the company will have a fix ready that quickly.